SCTF2021 pwn Christmas Bash: challenge design notes and intended solution
sctf2021 pwn challenge design notes
Challenge files + exploit: github
Challenge description
Christmas party! Enjoy the carnival! Now you can cheer out loud! But be careful, the party host seems to be a very cautious guy~ (The challenge source package is the same as for Christmas Song; the small differences are in vm_call_lambda and vm_opcode_call, please reverse them yourself.) (Run /home/ctf/getflag to get the flag.)
Points: 769
Solves: 7
Challenge source: slang-christmas,
it is recommended to finish the [Christmas Song] challenge first
https://github.com/wlingze/Christmas-Bash
This challenge has many vulnerable spots, and the solutions people came up with were dazzlingly varied. I created a separate repository to collect the various solutions; PRs are welcome! Christmas-Bash!
Slang-christmas design approach 2
Opcode generation
The compilation of a *.slang file is split into a front end and a back end:
// com/com.c
// Front end: run the flex/bison parser over the .slang file and return the AST root
ast_t* front_process(char *slang_file){
    yyin = fopen(slang_file, "r");
    if (!yyin){
        printf("don't open file %s", slang_file);
        exit(EXIT_FAILURE);
    }
    yyout = fopen("/dev/null", "w");   // scanner output is discarded
    ast_t * m = NULL;
    yyparse(&m);                       // the parser fills in the AST root
    fclose(yyin);
    fclose(yyout);
    return m;
}
// Back end: compile the AST into a lambda_t and serialize it to the .scom file
void back_process(ast_t* m, char * scom_file){
    FILE * out = fopen(scom_file, "w");
    if (!out){
        printf("don't open file %s", scom_file);
        exit(EXIT_FAILURE);
    }
    lambda_t *l = lambda_init();
    compile_stmts(m, l);
    save_scom(l, out);
    fclose(out);
}
void compile_file(char *slang_file, char *scom_file){
    ast_t * module = front_process(slang_file);
    back_process(module, scom_file);
}
The front end uses parser.y and scanner.l directly to produce the corresponding ast_t structure; the back end then generates a lambda_t from that ast_t. The structure is:
// include/lib/lambda.c
// vector_template(type, name) declares a growable array field `name` of `type`
typedef struct lambda{
    vector_template(char, code);      // emitted bytecode
    vector_template(int, number);     // integer constant pool
    vector_template(char *, string);  // string constant pool
    vector_template(char *, word);    // variable-name (identifier) pool
} lambda_t;
As you can see, it is split into a code section (code), a variable-name section (word), and data sections (number, string). When the corresponding code is generated, these three pools are referenced by index:
// lib/lambda.c
// Each load emits the opcode followed by the operand's index in its pool;
// lambda_set_* stores the value in the pool and returns that index.
void emit_insn_load_word(pthis, ast_t *ast){
    insn(OP_LOAD_WORD);
    insn(lambda_set_word(this, ast->string_value));
}
void emit_insn_load_number(pthis, ast_t *ast){
    insn(OP_LOAD_NUMBER);
    insn(lambda_set_number(this, ast->int_value));
}
void emit_insn_load_string(pthis, ast_t *ast){
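To make the index-based layout concrete, here is an added example that is not the challenge's own code: a flat stand-in for lambda_t with the three pools, emit functions that intern a value and write `opcode, index` pairs (one byte each, matching `insn()` pushing onto the char vector), and a decoder that validates every pool index before it is dereferenced. Everything here (pool_t, emit_insn, set_number, set_text, emit_load_*, decode_check, dump, the MAX_* limits) is an assumption for illustration.

```c
/* Added example, not the slang-christmas source. Names and limits are assumptions. */
#include <stdio.h>
#include <string.h>

enum { OP_LOAD_WORD = 1, OP_LOAD_NUMBER = 2, OP_LOAD_STRING = 3 };

#define MAX_CODE 256
#define MAX_POOL 255   /* an operand is one byte, like insn() on a char vector */

/* Flat stand-in for lambda_t: the code plus the three pools it indexes into */
typedef struct {
    unsigned char code[MAX_CODE]; int code_len;
    int         number[MAX_POOL]; int number_len;
    const char *string[MAX_POOL]; int string_len;
    const char *word[MAX_POOL];   int word_len;
} pool_t;

/* Append an opcode and its one-byte pool index; refuse if either would not fit */
static int emit_insn(pool_t *p, int op, int idx) {
    if (idx < 0 || idx > 255 || p->code_len + 2 > MAX_CODE) return -1;
    p->code[p->code_len++] = (unsigned char)op;
    p->code[p->code_len++] = (unsigned char)idx;
    return 0;
}

/* Intern a value in a pool and return its index, reusing an existing entry */
static int set_number(pool_t *p, int v) {
    for (int i = 0; i < p->number_len; i++) if (p->number[i] == v) return i;
    if (p->number_len >= MAX_POOL) return -1;
    p->number[p->number_len] = v;
    return p->number_len++;
}
static int set_text(const char **tab, int *len, const char *s) {
    for (int i = 0; i < *len; i++) if (strcmp(tab[i], s) == 0) return i;
    if (*len >= MAX_POOL) return -1;
    tab[*len] = s;
    return (*len)++;
}

int emit_load_number(pool_t *p, int v)         { int i = set_number(p, v); return i < 0 ? -1 : emit_insn(p, OP_LOAD_NUMBER, i); }
int emit_load_string(pool_t *p, const char *s) { int i = set_text(p->string, &p->string_len, s); return i < 0 ? -1 : emit_insn(p, OP_LOAD_STRING, i); }
int emit_load_word(pool_t *p, const char *w)   { int i = set_text(p->word, &p->word_len, w); return i < 0 ? -1 : emit_insn(p, OP_LOAD_WORD, i); }

/* Walk the code and check every operand against its pool before use.
 * Returns the instruction count, or -1 at the first truncated instruction,
 * unknown opcode, or index that is not below the pool length. */
int decode_check(const pool_t *p) {
    int n = 0;
    for (int pc = 0; pc < p->code_len; pc += 2, n++) {
        if (pc + 1 >= p->code_len) return -1;           /* opcode without operand */
        int op = p->code[pc], idx = p->code[pc + 1], limit;
        switch (op) {
        case OP_LOAD_NUMBER: limit = p->number_len; break;
        case OP_LOAD_STRING: limit = p->string_len; break;
        case OP_LOAD_WORD:   limit = p->word_len;   break;
        default: return -1;                             /* unknown opcode */
        }
        if (idx >= limit) return -1;                    /* out-of-range pool index */
    }
    return n;
}

/* Disassemble with the same checks, so a bad index is reported, never dereferenced */
void dump(const pool_t *p) {
    if (decode_check(p) < 0) { puts("invalid bytecode"); return; }
    for (int pc = 0; pc < p->code_len; pc += 2) {
        int op = p->code[pc], idx = p->code[pc + 1];
        if (op == OP_LOAD_NUMBER)      printf("%04x LOAD_NUMBER #%d -> %d\n", pc, idx, p->number[idx]);
        else if (op == OP_LOAD_STRING) printf("%04x LOAD_STRING #%d -> \"%s\"\n", pc, idx, p->string[idx]);
        else                           printf("%04x LOAD_WORD   #%d -> %s\n", pc, idx, p->word[idx]);
    }
}

int main(void) {
    pool_t p; memset(&p, 0, sizeof p);
    emit_load_number(&p, 42);
    emit_load_string(&p, "merry");
    emit_load_word(&p, "x");
    emit_load_number(&p, 42);        /* reuses number pool index 0 */
    dump(&p);
    p.code[1] = 7;                   /* constructed corruption: index past the number pool */
    printf("after corruption: %d\n", decode_check(&p));
    return 0;
}
```

The point of the decoder is the invariant that every operand must be validated against the length of the pool it indexes before the VM reads from that pool; an interpreter that trusts the index from the code vector lets a crafted .scom file read outside the pool arrays, so the check belongs in the loader or the dispatch loop, not only in the compiler that emitted the indices.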