├── .gitignore ├── 13th_cuit_game ├── 13th_cuit_game_官方wp.pdf └── pwn_source_code │ ├── pwn100 │ ├── Makefile │ ├── info.txt │ └── pwn100.c │ ├── pwn200 │ ├── Makefile │ ├── flag.txt │ ├── old_version │ │ ├── Makefile │ │ ├── README.txt │ │ └── TinyShare.c │ └── pwn.c │ ├── pwn300 │ ├── .pwn2.c.un~ │ ├── Makefile │ └── pwn3.c │ ├── pwn400 │ ├── Pwn400_README │ └── pwn400.c │ ├── pwn50 │ └── pwn50.py │ └── pwn500 │ ├── Pwn500_README │ ├── libc.so │ └── pwn500.c └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | .git/ 2 | .DS_Store 3 | *.log 4 | *.bak 5 | -------------------------------------------------------------------------------- /13th_cuit_game/13th_cuit_game_官方wp.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SycloverSecurity/ctf/dc34cd740b10fa2f4abbe2c9a67a248e82789892/13th_cuit_game/13th_cuit_game_官方wp.pdf -------------------------------------------------------------------------------- /13th_cuit_game/pwn_source_code/pwn100/Makefile: -------------------------------------------------------------------------------- 1 | target: 2 | cc pwn100.c -o pwn100 -g 3 | 4 | clean: 5 | rm pwn100 6 | -------------------------------------------------------------------------------- /13th_cuit_game/pwn_source_code/pwn100/info.txt: -------------------------------------------------------------------------------- 1 | ` `` ` `.,,,,,..```````` 2 | ` `'+@@@@@@@@@+,`` ` 3 | `+@@@@:. `````````:@@@#:`` 4 | `,#@@;.````.`...`.```,.'#@+. 5 | `` ` ```.@#;`````````.````....`...``,+@@ .` `` 6 | ```` ,@@;`.`...........````.`....```+@@, `` 7 | `` `,@+:`..,,,,,,,,,:,,,,....`....``.```'#; ` 8 | ``` @#`.,,,:,,,,,,,,,,,,,:,,,...`.``.`.,`@@..`` 9 | `,'@@,`,::,,,,,,,,,,,,,,,,,,,,,,,..``.``.` ,+@. ` 10 | ``` `.@@@#,,::,,,,,,,,,,,,,,,,,,,,,,,,,,.``...`.``+@. 
`` ` 11 | `````@#:.,,,:,:,,,,,,,,,,,,,,,,,,,,,,:,,:,,..`.`.`.`;@'`` ` 12 | `````#;,:,,,,,:,,,,,,,,,,,,,,,,,,,,,,:,,,,:,,..`.``.`,@:` ` 13 | ````#;,,,,,,,,:,,,,,,,,,,,,,,,,,,,,,,,,,,,::,,.`.``.``;@:` 14 | ```,@.,,,,,,:,:,,,,,,,,,,,,,,,,,,,,,,,,,,,:,,:,...`.``.;@, 15 | ```:@,,,,,,,,,:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,:::::...`,. '@` 16 | ```:@,,,:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,:,,,,,:,,.`.``,#;. `` 17 | ```.@,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,:,,,,,:,,::...` ## `` 18 | ``` #,:::,,,,,,,,,,:,,,,,,,,,,,,,:,,,,,,,,:,,,,,::,:,,:,::+@ ``` 19 | ``` :':,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,:,,,,,:,,:,,:,:,,':``` 20 | ``` @:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,:,,,,,,,,:,,:,::,`@,` 21 | ``` `@',,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,:,:,,,,::,::::,,:,::,.@#` ` 22 | ``` `@;,:,,,,,,,,,,,,,,,,,,,,,,,:,,,,,:,:,:,,::,:,:::::::::.#@``` 23 | ``` `@;,:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,:,:,:,,::,:,:;::::::::'@``` 24 | ``` `@',:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,:,,,,::,::::::::::::,@ ` 25 | ``` @+::,:,,:,,:,,,,,,,,,,,,,,,,,,,,,,,,,,,,::,,::::::,:,,:.#. 
` 26 | ` #@.:,,:,,,,,,,,,,,,,,,,,,,,,,,:,,,,,,,,,,,,::::::,,:::,.';`` ` 27 | '@.:,::,,,,,,,,,,,,,,,,,,,,::::,,,,,,,,,,,,:::::::,:,,,.;; ` ` 28 | `@:::::,,,,,,,,,,,,,,,,,,,,:,,:,,,,,,,,,,,,:::::::,,,,,,.@:` 29 | ;+::::::,,,,,,,,,,,,,,,,,,,,,::,,,,,,,,,,,:::::::,.`...`@@ 30 | @#::::::,,,,,,,,,,,,,,,,,,,,::,,,,,,,,:::::::::,,.`...`+@ ` 31 | ` @@,:::::,,,,,,::::::,,,,,,,,,,,,,,,,,,::::::::,::.`...`+@` 32 | ``,@',::::,:,::,::,:,:,,,,,,,,,,,,,,,::,::,::::::,,:,...`@@` 33 | ```,@'::::,:,:,,:,,:,:,,,,,,,,,,,,,,,::,,:,::::::::::::.`#' 34 | ````+@:::::::,:,::::,:,,,,,,,,,,,,,,,,:,::,:::::::,:,,.+@ ` ` 35 | ``` +@.::::::::,,,:,:,,,,,,,,,,,,,,,::,,:,:,:::::,:,:'@@ ` ` 36 | `` .``+@::::::::::::,:,,,,,,,,,,,,,,,,:::::::::::::;,@#`` ` ` 37 | `+#',;::::::::::::,:,,,,,,,,,::::::::::::::::,:#:``` 38 | ` '@+;,:::::::::::::::::::::::::::::::::::::,@#````` 39 | ```:@@,::::::::::::;::::;:::::::::::::::::::'#' ```` 40 | ``` .:@#:::;:::::::::::::::::::::::::::::.;@#`````` 41 | `` ` `'@#;::::::::::::::::::::::::::::::.;@#` ``` ` 42 | ` ` ````'@@+,:,::::::::::::::::::::::,,+@+, ` `` 43 | ` ` ``````@@#;.,:::;::::::::::::::,:,:+@@``` ` ` 44 | ` ` ````.````'#@##:;:::::::::::::;+@@#: 45 | ` ` ``````````,'#@@#':,.......,;+@@@+. 46 | ` ` ````````` ``,.``,#@#@@@@@@#'. 47 | ` ` ```````.+#@@@+:.` `...``` `` .```, ` 48 | `:'@@;; `````````````````.'@@;`. ` 49 | ``,@@+: ` ``````````````````.'+@@,```` 50 | ` `+#,``````````````````````````````@@;. `` ` ` 51 | ` .;#+` `` ```````````````````.`````.`:@# ` ` 52 | `@#`` ``` ````````````````````````````,;#;` 53 | .@'` `````` ```````````````````````````.@@,``` 54 | .@,..``````` `````````````````````````,``,,#' ` ` 55 | ;@``. `` ` ` ````````````````````````````. ##`` `` 56 | @' ``.,+;.`` ````````````````@@.``````.````.++,``` 57 | `@ ```'##,`. 
````````````````@@ ```````````` @+ `` 58 | :@,`````,;;.````` `````````````++``````````````:@ ` ` 59 | `;@`` ```.` ```` ```````````` ````````````````.+'`` 60 | `##````````` ```` ```````````.`````````````````` @'` 61 | `@:```````````` `` `` `````````````````````````.` ## ` 62 | ``@``` ``````` ` `` ```````````````````````````````,'`. 63 | `,@`` `````````` ````` ````````````````````````````.:; 64 | :+ ```` ````````````` ` ``````````````````````` ````@' ` 65 | ` '; ```` ``````````````````````````````````````````` @@` `` 66 | ': ```````````````````````````````````````````````` .#, .` 67 | ':````````````` .,:.`. `````````````````````````````,'``` 68 | ``;,``` ```````````:@@@@@ ``````````````````````````` ``#.`` 69 | ` :; `` ` ``````,'+++:``` ```````````````````````````@+ ` 70 | .+ `` `````````` ` `` `````````````````````````` +@. ` 71 | .#` ` ```````` ``` ` `````````````````````````` ``:#``` 72 | .#` ` `` `` `` ```````````````````````````````` ``` ::`` 73 | @@``````` ``..``` ` ````````````````````````` ``` ``@,` 74 | `;@ ` ` ` `` ` `````` `` ```````````````````. . @+ 75 | ';.`` ````` ` ``` ```` ` `` ```````````````````. . #@ 76 | `,@, ` ``` ..`,,::;`..``.`.` ```` `````````````````````'@ 77 | `'@` ` ;##;;#'';;:::::;'''#+````` .`` ````````````````.@` 78 | ,@;`.:@#`.@;.:#@@@@@#@#@#@@#;,.` ` `````````````````'` 79 | `@#:, ` ;+#+:;:::,.,..:, ` `;+@+:```` ``````````````,; 80 | ,@'``. ```,.:::+#@##;;''` ` ;;@#.` ``` ``````````` @``` 81 | ` #+`.```. ` `` ,'+ ` ` ` #@`` `` ``````````` @; 82 | .:@... `` `` ``.;#@;`` .```. ,#;, `` ````````` @# 83 | :@` ` `. :+,.,,..,...`.``` ````` `` `+@.`` ` `````` @@` 84 | ;# ``` ` `:` . `.`````` `` ;@ ` `````` '@ ` 85 | @'```````` .,';;::;;:::'.``` ` ``` ``` `'` ` `````` `,@` 86 | @,```````.`` `` ``:'',` ``` `` ` ` ` @+` ````````` ```@` 87 | #,``````.. ` ``,;@;` `.;;`` ` ` ` ` +@ ````````` ```+, 88 | `;.``````` ` ` ,@@@.,` `@@### `` ``` .@ `````````````.,' 89 | ..```.```.`:;++;, +@+: ..`###+. 
` ```` +``````````````.`#` 90 | ` ,` `` ` ,@#@' `.@@@@@+:;;. ``+##` `` ``.:`` ```````` ``@. 91 | ` '` ```..;@;``.@#@, ` ` ++ `+#;` ``:@#: ` +.` ```````` @. 92 | ``#` ``` ,'. ``,#;, `` ` @'` .;#+, ```.` ` ``@.` ````````` `@, 93 | `.# ``.. :.``+@:.` ` ` #+` ``.`@# `` ` @:` ``````` ```@' 94 | .@ `.``` ``@'`.` ` .` @. ``` ``,@ ` @;` ``````` ` ` @#` 95 | .@ ``.````` #. , ``` ` @````` ;@ ` ` @'` ``````` ` ` @#``` 96 | ;@` `````` `+.`````` ` #`` ```` :@ ``` @+` `````````` #@` 97 | '+` ` ``` .:` ````` ` ;: ` ```` .@ ``` ``##` `````````` '@` 98 | @'```````` ,..```` `` @.``````` `@ `` ```` `## ``````` `` `:@ ` ` 99 | @, ``````` ;..```` ```'+ .` ```` `# ` ```` '@ `````` `` `,@ ` 100 | @` ``````` ;.. ``` ```': `` ```` `# ` ``` ;@ `````` `` `,@ ` 101 | @ ```````` ',` .`` +.`` ` ` ` + ``````` `;@ `````` `` ``#`` 102 | @ ```````` '.` ``` :# . `` `` ` + ``````` :@ `````` `` ``#` 103 | @ ```````` '`` `` ,#, . `` `` + ``````` :@ `````` `` ``#` 104 | # ```````` +`````. :;..````` ` ` ;` ``````.@ `````` ` ;.` ` 105 | `+ ```````` @,```` ;'` ` ```` `:``````````.@ ```````` ` ``, 106 | `' ``````` @,` `` +:`` ``````` ` `,. ``` `` `.@` ```````` ` `;``` 107 | `' ``````` @`` .`:, `` ``````` ` `,. ``` `` `.@ ```````` ` ; `` 108 | `' ``````` .@````.+`` ``` `` ` `,. ` ` `` `.@ ```````` ` ` + `` 109 | `; ````````;@``` #;.` ` ```` ``` `.:```` `` ``# ```````` ` #`` 110 | : ````````;@` `,:.` ` ```` ` ``'``` ` ` @ `````````` ``#. 111 | `:``` ``` `:@ ,+``` ` ```` ` `+ `` ``# ````` ` @. 112 | `: ````````'@` '@` ` `` ` ` .+``` ` .+```` ``````` ` @. 113 | `,``````` `,+``;. 
`` `` ` ,``` .``, ` ` ``;`` -------------------------------------------------------------------------------- /13th_cuit_game/pwn_source_code/pwn100/pwn100.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | /* Turns off stdio buffering on stdin and stdout. */ 6 | void init_work(void) { 7 | setbuf(stdin, NULL); 8 | setbuf(stdout, NULL); 9 | } 10 | /* Prints ./info.txt line by line, then a greeting. Returns -1 when the file cannot be opened. */ 11 | int welcome(void) { 12 | // welcome info 13 | FILE *fp = fopen("./info.txt", "r"); 14 | if (!fp) { 15 | printf("open error,plz contect us!\n"); 16 | return -1; 17 | } 18 | char *tmp = (char *)malloc(0x100 * sizeof(char)); /* NOTE(review): the malloc result is used without a NULL check and tmp is never freed. */ 19 | while (fgets(tmp, 0x100, fp) != NULL) { 20 | printf("%s", tmp); 21 | } 22 | printf("\n\t\t\t\t\t\t\t\tI Will make Lemon 2 Lemon water for you!\n"); 23 | fclose(fp); /* NOTE(review): the success path reaches the end of an int function without returning a value. */ 24 | } 25 | /* Prompts on fd 1, reads up to 100 bytes from fd 0 into buffer and echoes them back through printf. */ 26 | int make_lemon_2_lemonwater(void) { 27 | char buffer[100] = {0}; 28 | write(1, "[*]Give me your lemon:", strlen("[*]Give me your lemon:")); 29 | read(0, buffer, 100); /* read() can fill all 100 bytes, leaving buffer without a terminating NUL; its return value is ignored. */ 30 | write(1, "\t\t\tProccessing...\n", strlen("\t\t\tProccessing...\n")); 31 | write(1, "[*]Ok...Here you are : ", strlen("[*]Ok...Here you are : ")); 32 | printf(buffer); /* Format-string bug: the bytes read from fd 0 are used as the format itself, so conversion specifiers in the input are interpreted by printf. Passing the data as an argument to a constant %s format, or writing only the byte count returned by read(), removes it. */ 33 | } 34 | /* Runs the prompt-and-echo routine in an endless loop; the return statement is never reached. */ 35 | int main(void) { 36 | 37 | init_work(); 38 | welcome(); 39 | while (1) { 40 | make_lemon_2_lemonwater(); 41 | } 42 | return 0; 43 | } -------------------------------------------------------------------------------- /13th_cuit_game/pwn_source_code/pwn200/Makefile: -------------------------------------------------------------------------------- 1 | target: 2 | cc pwn.c -o pwn -fPIC -pie -Wl,-z,relro,-z,now -g 3 | 4 | clean: 5 | rm pwn 6 | -------------------------------------------------------------------------------- /13th_cuit_game/pwn_source_code/pwn200/flag.txt: -------------------------------------------------------------------------------- 1 | test flag here 2 | -------------------------------------------------------------------------------- /13th_cuit_game/pwn_source_code/pwn200/old_version/Makefile: 
-------------------------------------------------------------------------------- 1 | cc: 2 | cc TinyShare.c -o TinyShare -g 3 | 4 | clean: 5 | rm TinyShare -------------------------------------------------------------------------------- /13th_cuit_game/pwn_source_code/pwn200/old_version/README.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SycloverSecurity/ctf/dc34cd740b10fa2f4abbe2c9a67a248e82789892/13th_cuit_game/pwn_source_code/pwn200/old_version/README.txt -------------------------------------------------------------------------------- /13th_cuit_game/pwn_source_code/pwn200/old_version/TinyShare.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | #define BUFFER_SIZE 4096 13 | #define SERVER_NAME "EasyShare" 14 | 15 | #define USAGE \ 16 | "Usage:\n" \ 17 | " tinyshare \n" 18 | 19 | /* Prints a numbered log entry to stdout. */ 20 | void log_func(int log_count,const char *content){ 21 | printf("[*]Log(%d):\n%s\n",log_count,content); 22 | } 23 | 24 | struct args { 25 | int port; 26 | const char *workdir; 27 | }; 28 | /* Prints errtext with perror and terminates. NOTE(review): the exit status is 0 even though this is the error path. */ 29 | void errexit(const char *errtext) { 30 | perror(errtext); 31 | exit(0); 32 | } 33 | /* Sends filename to csock behind a hand-built HTTP header, or a 404 response when fopen fails. Returns 1 after sending the file and -1 after the 404. */ 34 | int sendf(int csock, const char *filename) { 35 | FILE *fp; 36 | char *sendbuff = (char *)malloc(0x100); /* NOTE(review): the malloc result is unchecked and sendbuff is not freed on either return path. */ 37 | int ret_length = 0; 38 | if ((fp = fopen(filename, "r")) != NULL) { 39 | ret_length = snprintf(sendbuff, 0x100, 40 | "HTTP/1.1 200 OK\r\n" 41 | "Server: tinyfs\r\n" 42 | "Filename: %s\r\n" 43 | "Content-Type: application/octet-stream\r\n\r\n", 44 | filename); 45 | //heap info leak 46 | write(csock, sendbuff, ret_length); /* snprintf returns the length the full output would have had, not the truncated length, so a long filename makes ret_length exceed the 0x100-byte allocation and write() then sends bytes from beyond it. Clamping ret_length to at most 0x100 - 1 before write() closes this. */ 47 | fgets(sendbuff, sizeof(sendbuff), fp); /* NOTE(review): sizeof(sendbuff) is the size of the pointer, not of the 0x100-byte allocation. */ 48 | while (!feof(fp)) { 49 | write(csock, sendbuff, strlen(sendbuff)); 50 | fgets(sendbuff, sizeof(sendbuff), fp); 51 | } 52 | fclose(fp); 53 | return 1; 54 | } else { 55 | ret_length = 
snprintf(sendbuff, 0x100, 56 | "HTTP/1.1 404 Not Found\r\n" 57 | "Server: tinyshare\r\n" 58 | "Filename: %s\r\n" 59 | "Content-Type: text/html\r\n\r\n" 60 | "

404 Not Found

", 61 | filename); 62 | //heap info leak 63 | write(csock, sendbuff, ret_length); /* Same unclamped snprintf return value as in the 200 branch of this function. */ 64 | return -1; 65 | } 66 | } 67 | /* Reads one request from csock, extracts the path of a GET line and passes workdir + path to sendf. Returns -1 when the request does not match. */ 68 | int doclient(int csock, const char *workdir) { 69 | char httppath[BUFFER_SIZE]; 70 | char filepath[BUFFER_SIZE]; 71 | char workdirtmp[BUFFER_SIZE]; 72 | char recvbuff[BUFFER_SIZE]; 73 | memset(recvbuff, 0, BUFFER_SIZE); 74 | memset(workdirtmp, 0, BUFFER_SIZE); 75 | strncpy(workdirtmp, workdir, BUFFER_SIZE - 1); 76 | read(csock, recvbuff, BUFFER_SIZE - 1); 77 | //log 1 78 | log_func(1,recvbuff); 79 | if (sscanf(recvbuff, "GET %s HTTP", httppath) != 1) /* %s has no field width; it stays inside httppath only because recvbuff and httppath are both BUFFER_SIZE bytes. */ 80 | return -1; 81 | if (workdirtmp[strlen(workdirtmp) - 1] == '/') /* NOTE(review): an empty workdir makes strlen() - 1 wrap and index outside workdirtmp. */ 82 | workdirtmp[strlen(workdirtmp) - 1] = '\0'; 83 | strcpy(filepath, workdirtmp); 84 | strcat(filepath, httppath); /* Stack overflow: workdirtmp and httppath can each be close to BUFFER_SIZE bytes, so their concatenation can exceed filepath. The request path is also used as received, so .. components resolve outside workdir. A bounded snprintf with a length check, followed by canonicalising the result and verifying it still starts with workdir, addresses both. */ 85 | printf("File:%s\n", filepath); 86 | return sendf(csock, filepath); 87 | } 88 | /* Accept loop: forks one child per connection; the child runs doclient and exits, the parent closes its copy of the socket. NOTE(review): no wait call or SIGCHLD handling is visible, so finished children are not reaped; the child keeps ssock open; addrLen is not reset before each accept(). */ 89 | void mainloop(int ssock, const char *workdir) { 90 | struct sockaddr_in caddr; 91 | socklen_t addrLen = sizeof(caddr); 92 | int csock; 93 | pid_t pid; 94 | while (1) { 95 | if ((csock = accept(ssock, (struct sockaddr *)&caddr, &addrLen)) == -1) 96 | errexit("accept() error"); 97 | pid = fork(); 98 | if (pid == 0) { 99 | // child 100 | doclient(csock, workdir); 101 | exit(0); 102 | } else if (pid > 0) { 103 | close(csock); 104 | } else { 105 | errexit("fork() error"); 106 | } 107 | } 108 | } 109 | /* Creates a TCP socket bound to INADDR_ANY on port (all local interfaces) with a backlog of 5 and returns it; any failure ends the process through errexit. */ 110 | int initserver(int port) { 111 | int ssock; 112 | struct sockaddr_in saddr; 113 | if ((ssock = socket(AF_INET, SOCK_STREAM, 0)) == -1) 114 | errexit("socket() error"); 115 | int opt = SO_REUSEADDR; /* used only as a non-zero option value */ 116 | setsockopt(ssock, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)); /* return value ignored */ 117 | memset(&saddr, 0, sizeof(saddr)); 118 | saddr.sin_family = AF_INET; 119 | saddr.sin_port = htons(port); 120 | saddr.sin_addr.s_addr = htonl(INADDR_ANY); 121 | if (bind(ssock, (struct sockaddr *)&saddr, sizeof(saddr)) == -1) 122 | errexit("bind() error"); 123 | if (listen(ssock, 5) == -1) 124 | errexit("listen() error"); 125 | return ssock; 126 | } 127 | 128 | void 
parseargs(int argc, char *argv[], struct args *argsptr) { 129 | if (argc != 3) { 130 | fprintf(stderr, USAGE); 131 | exit(0); 132 | } 133 | sscanf(argv[1], "%d", &argsptr->port); /* NOTE(review): the sscanf result is not checked; main passes an uninitialised struct, so a non-numeric argument leaves port unset. */ 134 | argsptr->workdir = argv[2]; 135 | } 136 | 137 | int main(int argc, char *argv[]) { 138 | struct args args; 139 | parseargs(argc, argv, &args); 140 | mainloop(initserver(args.port), args.workdir); 141 | return 0; 142 | } 143 | -------------------------------------------------------------------------------- /13th_cuit_game/pwn_source_code/pwn200/pwn.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | #define BUFFER_SIZE 1024 16 | #define MSG_SIZE 128 17 | #define NAME_SIZE 32 18 | #define FILENAME_SIZE 128 19 | 20 | #define CHECK_OK 0x110 21 | #define CHECK_ILLEGAL 0x111 22 | 23 | int leave_msg_flag = 0; 24 | 25 | struct ARG { 26 | const char *workdir; 27 | int port; 28 | }; 29 | 30 | int csock; 31 | char name[NAME_SIZE] = "guest"; 32 | /* Turns off stdio buffering; the alarm call is commented out, so no time limit is armed here. */ 33 | void init_work(void) { 34 | setbuf(stdin, NULL); 35 | setbuf(stdout, NULL); 36 | // alarm(120); 37 | } 38 | /* Writes up to 32 bytes of ./flag.txt to the global csock. NOTE(review): no call to sendflag is visible in this listing. The open() and read() results are unchecked, buffer is not NUL-terminated before strlen(), and fd is never closed. */ 39 | void sendflag() { 40 | int fd; 41 | char buffer[32]; 42 | fd = open("./flag.txt", O_RDONLY); 43 | read(fd, buffer, 32); 44 | write(csock, buffer, strlen(buffer)); 45 | } 46 | /* Prints errtext with perror and exits with status 0. */ 47 | void errexit(const char *errtext) { 48 | perror(errtext); 49 | exit(0); 50 | } 51 | 52 | void menu(int fd) { 53 | write(fd, "1. Login\n", strlen("1. Login\n")); 54 | write(fd, "2. Get File\n", strlen("2. Get File\n")); 55 | write(fd, "3. Leave a message\n", strlen("3. 
Leave a message\n")); 56 | } 57 | 58 | void welcome_info(int fd) { 59 | write(fd, "Welcome to my file share server.\n", 60 | strlen("Welcome to my file share server.\n")); 61 | write(fd, "\tI think it is safe.Really?\n", 62 | strlen("\tI think it is safe.Really?\n")); 63 | write(fd, "\tHHHHH...exploit me.\n", strlen("\tHHHHH...exploit me.\n")); 64 | } 65 | /* Reads up to 10 bytes from fd and converts them with atoi. */ 66 | int read_int(int fd) { 67 | char buffer[10] = {0}; 68 | read(fd, buffer, 10); /* read() can fill all 10 bytes, leaving no terminator for atoi(); reading at most sizeof(buffer) - 1 bytes keeps the string terminated. */ 69 | return atoi(buffer); 70 | } 71 | /* Reads single bytes from fd into buffer until spl is seen or count bytes are stored; returns the number of bytes stored. NOTE(review): the read() result is not checked, so on EOF or error the previous (or uninitialised) value of ch is stored, and when count bytes arrive without spl the buffer is left unterminated. The bound is only as good as the count the caller passes. */ 72 | int saferead(int fd, char *buffer, int count, char spl) { 73 | int i = 0; 74 | char ch; 75 | while (i < count) { 76 | read(fd, &ch, 1); 77 | if (ch == spl) { 78 | ch = '\0'; 79 | buffer[i] = ch; 80 | break; 81 | } 82 | buffer[i] = ch; 83 | i++; 84 | } 85 | return i; 86 | } 87 | /* Prompts for a name on fd_out, reads it from fd_in and copies it into the global name. No value is returned from this int function. */ 88 | int login(int fd_in, int fd_out) { 89 | char tmp[NAME_SIZE]; 90 | memset(tmp, 0, NAME_SIZE); 91 | write(fd_out, "Name:", strlen("Name:")); 92 | // bof 93 | // read(fd_in, tmp, 128); 94 | saferead(fd_in, tmp, 128, '\n'); /* Stack overflow: tmp holds NAME_SIZE (32) bytes but up to 128 are accepted. Passing NAME_SIZE - 1 as count keeps the write inside tmp. */ 95 | strncpy(name, tmp, NAME_SIZE); /* strncpy does not terminate name when tmp holds NAME_SIZE or more bytes before a NUL. */ 96 | } 97 | /* Substring denylist on the raw name: rejects names containing flag or two consecutive dots. workdir is unused. */ 98 | int check(char *filename, const char *workdir) { 99 | 100 | if (strstr(filename, "flag")) { 101 | return CHECK_ILLEGAL; 102 | } else if (strstr(filename, "..")) { 103 | return CHECK_ILLEGAL; 104 | } 105 | return CHECK_OK; 106 | } 107 | /* Reads a file name from csock and answers with one of three fixed messages that echo the name; no file is opened. */ 108 | int read_file(int csock, const char *workdir) { 109 | char *info_ret = (char *)malloc(sizeof(char) * BUFFER_SIZE); /* NOTE(review): unchecked, and not freed anywhere in this function. */ 110 | char filename[FILENAME_SIZE] = {0}; 111 | int ret_length; 112 | write(csock, "input the filename:", strlen("input the filename:")); 113 | read(csock, filename, FILENAME_SIZE); /* read() can fill all FILENAME_SIZE bytes, leaving filename unterminated for strstr() and the %s conversions below. */ 114 | if (CHECK_OK == (check(filename, workdir))) { 115 | // yes 116 | ret_length = snprintf(info_ret, 0x100, "\tFile:%s\n" 117 | "\tSorry,I can't send file to you.\n" 118 | "\tHave fun with my share\n", 119 | filename); 120 | // heap info leak 121 | write(csock, info_ret, ret_length); /* ret_length is the untruncated snprintf length; when it exceeds 0x100, write() sends bytes of info_ret that snprintf never wrote. Clamp it to 0x100 - 1 before writing. The same applies to the two branches below. */ 122 | } else if (CHECK_ILLEGAL == (check(filename, workdir))) { 123 | // illegal 124 | ret_length = snprintf(info_ret, 0x100, 
"\tFile:%s\n" 125 | "\tToo young Too simple.\n" 126 | "\tHave fun with my share\n", 127 | filename); 128 | // heap info leak 129 | write(csock, info_ret, ret_length); 130 | } else { 131 | ret_length = snprintf(info_ret, 0x100, "\tFile:%s\n" 132 | "\t:( Server is unhappy\n" 133 | "\tHave fun with my share\n", 134 | filename); 135 | // heap info leak 136 | write(csock, info_ret, ret_length); 137 | } /* NOTE(review): the function ends without freeing info_ret and without returning a value. */ 138 | } 139 | /* Accepts one message per process (guarded by leave_msg_flag) and echoes it back to csock. */ 140 | int leave_message(int csock) { 141 | char info[MSG_SIZE] = {0}; 142 | char *show = (char *)malloc(MSG_SIZE * 4); /* NOTE(review): unchecked, and never freed. */ 143 | if (!leave_msg_flag) { 144 | 145 | write(csock, "Input your msg:", strlen("Input your msg:")); 146 | read(csock, info, MSG_SIZE); /* info may be left without a terminating NUL when all MSG_SIZE bytes are filled. */ 147 | // fmt vuln 148 | sprintf(show, info); /* Format-string bug with an unbounded destination: the client message is used as the format, and the expanded output is written to the MSG_SIZE * 4 byte allocation with no length limit. snprintf with the allocation size and a constant %s format fixes both. */ 149 | write(csock, "\nOk,I get your msg:", strlen("\nOk,I get your msg:")); 150 | write(csock, show, strlen(show)); 151 | leave_msg_flag = 1; 152 | } else { 153 | write(csock, "Leave msg finished\n", strlen("Leave msg finished\n")); 154 | } 155 | } 156 | /* Menu loop for one connection: shows the menu and prompt, reads an option number and dispatches to login, read_file or leave_message. */ 157 | void doclient(int csock, const char *workdir) { 158 | int opt = -1; 159 | char info[NAME_SIZE + 8] = {0}; 160 | while (1) { 161 | menu(csock); 162 | sprintf(info, "--> %s ", name); /* Fits only while name is NUL-terminated within NAME_SIZE bytes; login() copies with strncpy, which does not guarantee that. */ 163 | write(csock, info, strlen(info)); 164 | opt = read_int(csock); /* NOTE(review): the loop has no break or return and read() failures are not detected, so a closed connection keeps taking the default branch. */ 165 | switch (opt) { 166 | case 1: 167 | login(csock, csock); 168 | break; 169 | case 2: 170 | read_file(csock, workdir); 171 | break; 172 | case 3: 173 | leave_message(csock); 174 | break; 175 | default: 176 | write(csock, "Wrong opt!\n", strlen("Wrong opt!\n")); 177 | break; 178 | } 179 | } 180 | } 181 | 182 | int init_server(int port) { 183 | int ssock; 184 | struct sockaddr_in saddr; 185 | if ((ssock = socket(AF_INET, SOCK_STREAM, 0)) == -1) 186 | errexit("socket() error"); 187 | int opt = SO_REUSEADDR; 188 | setsockopt(ssock, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)); 189 | memset(&saddr, 0, sizeof(saddr)); 190 | saddr.sin_family = AF_INET; 191 | saddr.sin_port = htons(port); 192 | saddr.sin_addr.s_addr = htonl(INADDR_ANY); 193 | if (bind(ssock, (struct 
sockaddr *)&saddr, sizeof(saddr)) == -1) 194 | errexit("bind() error"); 195 | if (listen(ssock, 5) == -1) 196 | errexit("listen() error"); 197 | return ssock; 198 | } 199 | /* Accept loop: stores each accepted socket in the global csock and forks; the child serves it through doclient, the parent closes its copy. NOTE(review): no wait call or SIGCHLD handling is visible, so finished children are not reaped, and the child keeps ssock open. */ 200 | void mainloop(int ssock, const char *workdir) { 201 | 202 | struct sockaddr_in caddr; 203 | socklen_t addrLen = sizeof(caddr); 204 | 205 | pid_t pid; 206 | while (1) { 207 | if ((csock = accept(ssock, (struct sockaddr *)&caddr, &addrLen)) == -1) 208 | errexit("accept() error"); 209 | pid = fork(); 210 | if (pid == 0) { 211 | // child 212 | doclient(csock, workdir); 213 | exit(0); 214 | } else if (pid > 0) { 215 | close(csock); 216 | } else { 217 | errexit("fork() error"); 218 | } 219 | } 220 | } 221 | /* Expects exactly two arguments, workdir then port, and starts the accept loop. */ 222 | int main(int argc, char *argv[]) { 223 | 224 | init_work(); 225 | if (argc != 3) { 226 | printf("Ussage:%s workdir port", argv[0]); 227 | return 1; 228 | } 229 | struct ARG *arg = (struct ARG *)malloc(sizeof(struct ARG)); /* NOTE(review): malloc result unchecked before the writes below. */ 230 | arg->workdir = argv[1]; 231 | arg->port = atoi(argv[2]); /* atoi gives no error indication for a malformed port. */ 232 | 233 | mainloop(init_server(arg->port), arg->workdir); 234 | return 0; 235 | } -------------------------------------------------------------------------------- /13th_cuit_game/pwn_source_code/pwn300/.pwn2.c.un~: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SycloverSecurity/ctf/dc34cd740b10fa2f4abbe2c9a67a248e82789892/13th_cuit_game/pwn_source_code/pwn300/.pwn2.c.un~ -------------------------------------------------------------------------------- /13th_cuit_game/pwn_source_code/pwn300/Makefile: -------------------------------------------------------------------------------- 1 | target: 2 | cc pwn3.c -o pwn3 -fstack-protector -fPIC -pie -Wl,-z,relro,-z,now 3 | clean: 4 | rm pwn3 5 | -------------------------------------------------------------------------------- /13th_cuit_game/pwn_source_code/pwn300/pwn3.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 
#include 5 | 6 | #define CMD_NEW 0x100 7 | #define CMD_EDIT 0x101 8 | #define CMD_DELETE 0x102 9 | #define CMD_SHOW 0x103 10 | #define CMD_EXIT 0x104 11 | #define CMD_MARK 0x105 12 | #define CMD_SHOW_MARK 0x106 13 | #define CMD_DEL_MARK 0x107 14 | #define CMD_EDIT_MARK 0x108 15 | 16 | #define CMD_LEN 0x10 17 | #define CONTENT_LEN 0x100 18 | /* Turns off stdio buffering and arms a 60-second alarm. */ 19 | void init_work(void) { 20 | setbuf(stdin, NULL); 21 | setbuf(stdout, NULL); 22 | alarm(60); 23 | } 24 | 25 | // 48bytes 26 | struct NOTE { 27 | int index; 28 | int size; 29 | char name[32]; 30 | char *content; 31 | }; 32 | 33 | // 24bytes 34 | struct MARK { 35 | int index; // index of markdown_list 36 | int id; // note id 37 | char *info; 38 | // func ptrs; 39 | int (*show_info)(char *); /* Function pointer kept in a heap object and called by show_mark(); every write into and every free of a MARK therefore has to be bounds- and lifetime-checked. */ 40 | }; 41 | 42 | int note_count = 0; 43 | int mark_count = 0; 44 | int flag = 2; 45 | struct NOTE *note_list[10]; // 10 notes max. 46 | struct MARK *mark_list[10]; // 10 markdown max 47 | /* Prints content with puts. No value is returned from this int function. */ 48 | int show_info(char *content) { 49 | // show 50 | puts(content); 51 | } 52 | 53 | void welcome(void) { 54 | printf("\t=== Welcome to My NOTEPAD ===\n"); 55 | printf("\t\t>It's not a safe NOTEPAD...Is't it?\n"); 56 | printf("\t\t>Try to exploit it!\n"); 57 | } /* Reads characters from stdin into buffer until spl is seen or count characters are stored; returns the number stored. NOTE(review): getchar() returns int, and storing it in a char hides EOF, so at end of input the loop keeps storing bytes until count is reached. No terminator is written when spl is not seen within count characters. */ 58 | int saferead(char *buffer, int count, char spl) { 59 | int i = 0; 60 | char ch; 61 | while (i < count) { 62 | ch = getchar(); 63 | if (ch == spl) { 64 | ch = '\0'; 65 | buffer[i] = ch; 66 | break; 67 | } 68 | buffer[i] = ch; 69 | i++; 70 | } 71 | return i; 72 | } /* Truncates str at its first space or newline. */ 73 | void mysplit(char *str) { 74 | int i; 75 | for (i = 0; i < strlen(str); i++) { 76 | if (str[i] == ' ' || str[i] == '\n') { 77 | str[i] = '\0'; 78 | break; 79 | } 80 | } 81 | } 82 | /* Maps a command word to its table index + 0x100 (the CMD_* values); returns -1 for an unknown word. */ 83 | int getcmd(char *cmd) { 84 | int index = 0; 85 | char cmdlist[9][16] = {"new", "edit", "delete", "show", "exit", 86 | "mark", "show_mark", "delete_mark", "edit_mark"}; 87 | for (index = 0; index < 9; index++) { 88 | if (!strcmp(cmd, cmdlist[index])) { 89 | return index + 0x100; 90 | } 91 | } 92 | return -1; 93 | } 94 | 95 | int readint() { 96 | 
char buf[32] = {0}; 97 | read(0, buf, 32); /* read() can fill all 32 bytes, leaving buf unterminated for atoi(). */ 98 | return atoi(buf); 99 | } /* Allocates a NOTE and its content buffer, fills name and content from stdin and stores the note in the first free note_list slot. */ 100 | int new (void) { 101 | int i; 102 | int size; 103 | char *ptr; 104 | if (note_count < 10) { 105 | struct NOTE *note = (struct NOTE *)malloc(sizeof(struct NOTE)); 106 | write(1, "$ note size:", strlen("$ note size:")); 107 | size = readint(); 108 | if (size > 4096) 109 | size = 4096; /* Only the upper bound is enforced; zero and negative sizes pass through to malloc() and saferead(). Neither malloc result in this function is checked. */ 110 | note->size = size; 111 | ptr = (char *)malloc(size); 112 | note->content = ptr; 113 | note->index = note_count; 114 | write(1, "$ note name:", strlen("$ note name:")); 115 | saferead(note->name, 32, '\n'); /* name is left without a terminator when 32 bytes arrive before a newline; show() prints it with %s. */ 116 | write(1, "$ note content:", strlen("$ note content:")); 117 | saferead(note->content, note->size, '\n'); 118 | for (i = 0; i < 10; i++) { 119 | if (note_list[i] == NULL) { 120 | note_list[i] = note; 121 | break; 122 | } 123 | } 124 | note_count++; 125 | } else { 126 | write(1, ":( too much note...\n", strlen(":( too much note...\n")); 127 | return 0; 128 | } 129 | } /* Re-reads name and content of the note at a user-supplied index. */ 130 | int edit(void) { 131 | int index; 132 | write(1, "$ note index:", strlen("$ note index:")); 133 | index = readint(); 134 | while (index < 0 || index > 10) { 135 | write(1, "Error index!\n", strlen("Error index!\n")); 136 | index = readint(); 137 | } /* Off-by-one: index 10 passes this check although note_list has 10 elements (valid indexes 0 to 9), and the slot is used below without a NULL test. The condition should be index >= 10, followed by a NULL check. The same index > 10 test is repeated in delete() below. */ 138 | // edit name && content 139 | write(1, "$ note name:", strlen("$ note name:")); 140 | saferead(((struct NOTE *)(note_list[index]))->name, 32, '\n'); 141 | write(1, "$ note content:", strlen("$ note content:")); 142 | saferead(((struct NOTE *)(note_list[index]))->content, 143 | ((struct NOTE *)(note_list[index]))->size, '\n'); 144 | } 145 | int delete (void) { 146 | int index; 147 | write(1, "$ note index:", strlen("$ note index:")); 148 | index = readint(); 149 | while (index < 0 || index > 10) { 150 | write(1, "Error index!\n", strlen("Error index!\n")); 151 | index = readint(); 152 | } 153 | if (note_list[index] != NULL) { 154 | // free note 155 | free(note_list[index]); /* Only the NOTE struct is freed; its content allocation is leaked. */ 156 | note_list[index] = NULL; 157 | note_count--; 158 | } 159 | } 160 | int show(void) { 161 | int 
index; 162 | write(1, "$ note index:", strlen("$ note index:")); 163 | index = readint(); 164 | while (index < 0 || index > 10) { 165 | write(1, "Error index!\n", strlen("Error index!\n")); 166 | index = readint(); 167 | } /* Off-by-one: index 10 is accepted for the 10-element note_list; the test should be index >= 10. */ 168 | if (note_list[index] != NULL) { 169 | printf("\tid:%d\n", ((struct NOTE *)(note_list[index]))->index); 170 | printf("\tsize:%d\n", ((struct NOTE *)(note_list[index]))->size); 171 | printf("\tname:%s\n", ((struct NOTE *)(note_list[index]))->name); 172 | // for info leak 173 | printf("\tcontent:"); 174 | write(1, ((struct NOTE *)(note_list[index]))->content, 175 | ((struct NOTE *)(note_list[index]))->size); /* All size bytes are written regardless of how many saferead() stored, and the buffer comes from malloc(), which does not clear it, so leftover heap bytes are disclosed. Tracking the stored length, or allocating with calloc(), avoids this. */ 176 | write(1, "\n", 1); 177 | // printf("\tcontent:%s\n", ((struct NOTE *)(note_list[index]))->content); 178 | } else { 179 | write(1, "Emmu...empty note.\n", strlen("Emmu...empty note.\n")); 180 | } 181 | } 182 | /* Creates a MARK for an existing note: allocates the struct and a 32-byte info buffer, sets the show_info callback and stores the mark at mark_list[mark_count]. */ 183 | int mark(void) { 184 | int id; 185 | char *ptr; 186 | if (mark_count < 10) { 187 | struct MARK *mark = (struct MARK *)malloc(sizeof(struct MARK)); 188 | write(1, "$ index of note you want to mark:", 189 | strlen("$ index of note you want to mark:")); 190 | id = readint(); 191 | while (id < 0 || id > 10) { 192 | write(1, "Error index!\n", strlen("Error index!\n")); 193 | write(1, "$ index of note you want to mark:", 194 | strlen("$ index of note you want to mark:")); 195 | id = readint(); 196 | } 197 | if (note_list[id] == NULL) { 198 | write(1, "Emmu...empty note.\n", strlen("Emmu...empty note.\n")); 199 | return; /* NOTE(review): the MARK allocated above is leaked on this path, and return has no value in an int function. */ 200 | } 201 | mark->id = id; 202 | mark->index = mark_count; 203 | write(1, "$ mark info:", strlen("$ mark info:")); 204 | ptr = (char *)malloc(32); 205 | saferead(ptr, 32, '\n'); 206 | mark->info = ptr; 207 | mark->show_info = show_info; 208 | mark_list[mark_count] = mark; /* The slot is chosen by mark_count rather than by searching for a free entry, so after delete_mark() lowers mark_count a new mark can replace an entry that is still in use. */ 209 | mark_count++; 210 | } else { 211 | write(1, "Emmu...too much mark!\n", strlen("Emmu...too much mark!\n")); 212 | } 213 | } 214 | 215 | int show_mark(void) { 216 | int index; 217 | write(1, "$ mark index:", strlen("$ mark index:")); 218 | 
index = readint(); 219 | while (index < 0 || index > 10) { 220 | write(1, "Error index!\n", strlen("Error index!\n")); 221 | index = readint(); 222 | } /* Off-by-one: index 10 is accepted for the 10-element mark_list; the test should be index >= 10. */ 223 | // call func without check 224 | mark_list[index]->show_info(mark_list[index]->info); /* The entry is dereferenced and its function pointer called with no NULL test, and delete_mark() leaves freed entries in mark_list, so this can call through a NULL or dangling pointer. The commented-out block that follows is the missing NULL check. */ 225 | /* 226 | if (mark_list[index] != NULL) { 227 | mark_list[index]->show_info(mark_list[index]->info); 228 | } else { 229 | write(1, "Emmu...Empty\n", strlen("Emmu...Empty\n")); 230 | return; 231 | } 232 | */ 233 | } /* Frees the MARK at a user-supplied index; the global flag limits this to two successful deletions. */ 234 | int delete_mark(void) { 235 | int index; 236 | if (flag > 0) { 237 | write(1, "$ mark index:", strlen("$ mark index:")); 238 | index = readint(); 239 | while (index < 0 || index > 10) { 240 | write(1, "Error index!\n", strlen("Error index!\n")); 241 | index = readint(); 242 | } 243 | if (mark_list[index] != NULL) { 244 | // free note 245 | free(mark_list[index]); /* mark_list[index] is not set to NULL after free(), so the stale pointer stays reachable from show_mark(), edit_mark() and a second delete_mark() (use after free, double free). The info allocation is not freed either. Freeing info first and clearing the slot fixes this. */ 246 | mark_count--; 247 | flag--; 248 | } else { 249 | write(1, "exo me?\n", strlen("exo me?\n")); 250 | } 251 | } else { 252 | write(1, "just 2 times!\n", strlen("just 2 times!\n")); 253 | return; 254 | } 255 | } 256 | 257 | // heap overflow 258 | int edit_mark(void) { 259 | int index; 260 | write(1, "$ mark index:", strlen("$ mark index:")); 261 | index = readint(); 262 | while (index < 0 || index > 10) { 263 | write(1, "Error index!\n", strlen("Error index!\n")); 264 | index = readint(); 265 | } 266 | if (note_list[index] == NULL) { /* This tests note_list, not mark_list, so an empty or freed mark slot is not rejected. */ 267 | write(1, "exo me?\n", strlen("exo me?\n")); 268 | return; 269 | } 270 | write(1, "$ mark content:", strlen("$ mark content:")); 271 | // overflow 272 | saferead(mark_list[index]->info, 64, '\n'); /* Heap overflow: info is a 32-byte allocation made in mark(), but up to 64 bytes are accepted here. The count should match the allocation size. */ 273 | } 274 | /* Prints the command list. NOTE(review): the text lists add, while getcmd() recognises new. */ 275 | int help(void) { 276 | write(1, "CMD List:\n", strlen("CMD List:\n")); 277 | write(1, "\tadd(add your note)\n", strlen("\tadd(add your note)\n")); 278 | write(1, "\tedit(edit your note)\n", strlen("\tedit(edit your note)\n")); 279 | write(1, "\tdelete(delete your note)\n", 280 | strlen("\tdelete(delete your note)\n")); 281 | write(1, "\tshow(print your note)\n", strlen("\tshow(print your 
note)\n")); 282 | write(1, "\tmark(mark your note)\n", strlen("\tmark(mark your note)\n")); 283 | write(1, "\tshow_mark(show your mark info)\n", 284 | strlen("\tshow_mark(show your mark info)\n")); 285 | write(1, "\tdelete_mark(delete your mark)\n", 286 | strlen("\tdelete_mark(delete your mark)\n")); 287 | write(1, "\tedit_mark(edit your mark)\n", 288 | strlen("\tedit_mark(edit your mark)\n")); 289 | } 290 | /* Command loop: reads a command word from stdin, maps it with getcmd and dispatches; unknown words print the help text. */ 291 | int main(int argc, char *argv[]) { 292 | init_work(); 293 | welcome(); 294 | /* 295 | printf("%d\n",sizeof(struct NOTE)); 296 | printf("%d\n",sizeof(struct MARK)); 297 | */ 298 | char cmd[CMD_LEN] = {0}; 299 | while (1) { 300 | write(1, "$ ", strlen("$ ")); 301 | saferead(cmd, CMD_LEN, '\n'); /* cmd can be filled to all CMD_LEN bytes with no terminator, and mysplit() and getcmd() then read it as a string. */ 302 | mysplit(cmd); 303 | switch (getcmd(cmd)) { 304 | case CMD_NEW: 305 | new (); 306 | break; 307 | case CMD_EDIT: 308 | edit(); 309 | break; 310 | case CMD_DELETE: 311 | delete (); 312 | break; 313 | case CMD_SHOW: 314 | show(); 315 | break; 316 | case CMD_MARK: 317 | mark(); 318 | break; 319 | case CMD_SHOW_MARK: 320 | show_mark(); 321 | break; 322 | case CMD_DEL_MARK: 323 | delete_mark(); 324 | break; 325 | case CMD_EDIT_MARK: 326 | edit_mark(); 327 | break; 328 | case CMD_EXIT: 329 | exit(1); 330 | default: 331 | help(); 332 | break; 333 | } 334 | memset(cmd, 0, CMD_LEN); 335 | } 336 | return 0; 337 | } 338 | -------------------------------------------------------------------------------- /13th_cuit_game/pwn_source_code/pwn400/Pwn400_README: -------------------------------------------------------------------------------- 1 | 400分,漏洞:UAF、HOS、IO_FILE_Plus劫持 2 | 保护为NX、CANARY 由于题目限制不能开启PIE和RELRO 3 | 4 | Life Crowdfunding 5 | 2017.4.30 by:Ox9A82 6 | 7 | Use-After-Free ——> Fastbin Attack 8 | Allocate Fastbin on the bss_name 9 | overwrite bss_name_ptr 10 | leak _IO_FILE get libc_base 11 | leak heap base 12 | 600 bytes chunk UAF 13 | fopen alloc _IO_FILE_plus in the UAF chunk 14 | overwrite _IO_FILE_plus IO_jump_t 15 | 16 | 
-------------------------------------------------------------------------------- /13th_cuit_game/pwn_source_code/pwn400/pwn400.c: -------------------------------------------------------------------------------- 1 | #include "stdio.h" 2 | #include "stdlib.h" 3 | #include "string.h" 4 | 5 | /* 6 | Life Crowdfunding 7 | 2017.4.30 by:Ox9A82 8 | 9 | Use-After-Free ——> Fastbin Attack 10 | Allocate Fastbin on the bss_name 11 | overwrite bss_name_ptr 12 | leak _IO_FILE get libc_base 13 | 14 | leak heap base 15 | 16 | 600 bytes chunk UAF 17 | fopen alloc _IO_FILE_plus in the UAF chunk 18 | overwrite _IO_FILE_plus IO_jump_t 19 | struct 20 | { 21 | int number; 22 | char* Static_str; 23 | int junk; 24 | } 25 | 24 byte 26 | 27 | */ 28 | 29 | 30 | char bss_name[24]="1"; 31 | /* NOTE(review): the pointer globals below are initialised from the integer 1 and reset to 0 by clean() at start-up. */ 32 | void *bss_name_ptr=1; 33 | 34 | char static_string[]="If a man is willing to sacrifice his life for the interests of his country, he will never mind things concerning his personal fortunes and misfortunes.\nMan I'm gonna donate all my seconds to our Holy Toad Empyre!"; 35 | 36 | int bss_count=1; 37 | 38 | void *bss_chunk_ptr=1; 39 | 40 | FILE *file_handle=1; 41 | /* NOTE(review): declared without a type, which relies on implicit int. */ 42 | bss_advise_count=1; 43 | /* Resets the global state: clears the first byte of bss_name and zeroes the pointers and counters. */ 44 | void clean(void) 45 | { 46 | bss_name[0]=0; 47 | bss_name_ptr=0; 48 | bss_count=0; 49 | bss_chunk_ptr=0; 50 | file_handle=0; 51 | bss_advise_count=0; 52 | return; 53 | } 54 | /* Arms a 120-second alarm, turns off stdio buffering, resets the globals and prints the banner. */ 55 | void init(void) 56 | { 57 | alarm(120); 58 | setbuf(stdin,0); 59 | setbuf(stdout,0); 60 | clean(); 61 | puts("Welcome to life Crowdfunding~~"); 62 | } 63 | 64 | /* Prints the menu of choices 1 to 7. */ 65 | void welcome(void) 66 | { 67 | puts("\n\n=============================="); 68 | puts("1.Create a Crowdfunding");//choice 1 69 | puts("2.Edit my Crowdfunding");//choice 2 70 | puts("3.Delete my Crowdfunding");//choice 3 71 | puts("4.Show my Crowdfunding");//choice 4 72 | puts("5.Submit");//choice 5 73 | puts("=============================="); 74 | puts("6.SaveAdvise");//choice 6 75 | puts("7.exit");//choice 7 76 | puts("=============================="); 77 | } 78 | 79 | 
/* NOTE(review): this listing is truncated between source lines 83 and 106 (the text between a '<' and a later '>' was lost in extraction). The loop body of GetContent and the beginning of GetNumber are therefore not visible, and neither the bounds handling nor the NUL-termination behaviour of GetContent can be reviewed from this page. The visible tail returns `number` on one branch and 0 on the other. */ int GetContent(char *ptr,int number) 80 | { 81 | char temp=0; 82 | int i=0; 83 | for(i=0;i=0) 107 | { 108 | return number; 109 | } 110 | else 111 | { 112 | return 0; 113 | } 114 | 115 | } 116 | 117 | /* Create: allocates the single 24-byte record (bss_chunk_ptr) and, if no name is registered yet, reads one. The name goes through a 210-byte stack buffer with a GetContent limit of 200; strlen() on that uninitialised buffer relies on GetContent terminating the string (not verifiable here, see the truncation note). Names of length <= 24 are stored by copying a fixed 20 bytes into bss_name, longer ones are strdup()ed. The record holds the seconds at offset 0, the address of static_string at offset 8 and 0 at offset 16; both later stores go through an int pointer, so only the low 32 bits of the address are written. bss_count is set to 1 here and nothing but clean() resets it, so a second Create is refused even after Delete. */ 118 | void Create(void) 119 | { 120 | char stack_buf[210]; 121 | int length=0; 122 | void *ptr=0; 123 | void *ptr2=0; 124 | 125 | if(!bss_count) 126 | { 127 | bss_count=1; 128 | ptr=calloc(24,1); 129 | if(!ptr) 130 | { 131 | exit(0); 132 | } 133 | if(!bss_name_ptr) 134 | { 135 | puts("well,give me your name pls."); 136 | GetContent(stack_buf,200); 137 | length=strlen(stack_buf); 138 | if(length<=24) 139 | { 140 | memcpy(bss_name,stack_buf,20); 141 | bss_name_ptr=&bss_name; 142 | } 143 | else 144 | { 145 | bss_name_ptr=strdup(stack_buf); 146 | } 147 | if(!bss_name_ptr) 148 | { 149 | exit(0); 150 | } 151 | } 152 | puts("How many seconds would you want to Crowdfund?"); 153 | *(int *)ptr=GetNumber(); 154 | printf("+%ds!\n",*(int *)ptr); 155 | ptr2=(int *)((long long int)ptr+8); 156 | *(int *)ptr2=(long long int)&static_string; 157 | ptr2=(int *)((long long int)ptr+16); 158 | *(int *)ptr2=0x0; 159 | bss_chunk_ptr=ptr; 160 | } 161 | else 162 | { 163 | puts("You can only post one Crowdfunding"); 164 | } 165 | 166 | } 167 | /* Edit: overwrites the first int of the record with a new number. The only guards are that bss_chunk_ptr and bss_count are non-zero; Delete() changes neither, so after a Delete this store writes into freed memory (use-after-free write). Fixing Delete() to clear the pointer closes this path. */ 168 | void Edit(void) 169 | { 170 | int number=0; 171 | 172 | if(!bss_chunk_ptr) 173 | { 174 | puts("No Crowdfunding to edit!"); 175 | return; 176 | } 177 | 178 | if(!bss_count) 179 | { 180 | puts("No Crowdfunding to edit!"); 181 | return; 182 | } 183 | puts("inputs seconds:"); 184 | number=GetNumber(); 185 | *(int *)bss_chunk_ptr=number; 186 | printf("Ok,the Crowdfunding is +%ds now!",number); 187 | return; 188 | } 189 | /* Delete: frees the record. Root cause of the use-after-free named in the challenge README: the pointer is not cleared after free() and bss_count stays 1, so both guards keep passing. Calling Delete again frees the same chunk a second time, and Edit keeps writing through the dangling pointer. The defensive form is to set bss_chunk_ptr=0 and bss_count=0 immediately after free(). */ 190 | void Delete(void) 191 | { 192 | if(!bss_chunk_ptr) 193 | { 194 | puts("No Crowdfunding to delete!"); 195 | return; 196 | } 197 | 198 | if(!bss_count) 199 | { 200 | puts("No Crowdfunding to delete!"); 201 | return; 202 | } 203 | 204 | /* dangling pointer from here on: bss_chunk_ptr is left unchanged */ 205 | free(bss_chunk_ptr); 206 | puts("OK,the Crowdfunding is deleted!"); 207 | return; 208 | } 209 | 
210 | /* Show: clears bss_name_ptr and prints bss_count (the created flag, not the seconds stored in the record). Clearing the pointer drops the only reference to a strdup()ed name without freeing it, and makes the next Create() ask for a name again. */ void Show(void) 211 | { 212 | bss_name_ptr=0; 213 | printf("Aha We have already have +%d seconds",bss_count); 214 | } 215 | 216 | /* Submit: after a one-byte 'Y' confirmation, reads an e-mail address and a message into the same 40-byte stack buffer (GetContent limit 40) and duplicates each onto the heap with strdup(). Neither copy is stored or freed, so both allocations are leaked; only the first strdup() result is checked. The return value of read() is ignored, so `flag` is compared uninitialised if the read fails. Whether GetContent can write a terminator one byte past buf depends on its truncated body - TODO confirm. */ 217 | void Submit(void) 218 | { 219 | char buf[40]=""; 220 | char *email_ptr=0; 221 | char *message_ptr=0; 222 | char flag; 223 | if(!bss_count) 224 | { 225 | puts("No frame to submit!"); 226 | return; 227 | } 228 | puts("Are you sure submit this post?(Y/N)"); 229 | read(0,&flag,1); 230 | if(flag!='Y') 231 | { 232 | return; 233 | } 234 | 235 | puts("Pls give me your e-mail address"); 236 | GetContent(buf,40); 237 | email_ptr=strdup(buf); 238 | if(!email_ptr) 239 | { 240 | exit(0); 241 | } 242 | puts("OK,e-mail has already posted\nThe last step is do you want to leave some message?"); 243 | GetContent(buf,40); 244 | message_ptr=strdup(buf); 245 | return; 246 | } 247 | 248 | /* SaveAdvise: usable at most twice (bss_advise_count<2) and only after Create. Accepts a size in 33..1023, allocates a 40-byte title and a size-byte advise buffer, opens ./database in append mode on first use, reads both strings, appends the advise to the file and frees the advise buffer. Review points: (1) the title buffer is 40 bytes but GetContent is given a limit of 48; (2) neither malloc() nor fopen() is checked, so fwrite() can receive a NULL stream; (3) the heap address of the advise buffer is printed to the user, with %x, which also truncates a 64-bit pointer; (4) fwrite() always emits size-0x10 bytes regardless of how many were read, so uninitialised heap bytes can reach the file; (5) title_ptr is never freed. The FILE object from fopen() is itself heap-allocated, which is why stale heap pointers elsewhere in this program matter for it. */ 249 | void SaveAdvise(void) 250 | { 251 | if(bss_count) 252 | { 253 | if(bss_advise_count<2) 254 | { 255 | bss_advise_count++; 256 | void *advise_ptr=0; 257 | void *title_ptr=0; 258 | int size=0; 259 | puts("Pls input advise size:"); 260 | size=GetNumber(); 261 | if(size>32&&size<1024) 262 | { 263 | 264 | } 265 | else 266 | { 267 | return; 268 | } 269 | puts("Pls input tiltle"); 270 | title_ptr=malloc(40); 271 | advise_ptr=malloc(size); 272 | if(!file_handle) 273 | { 274 | file_handle=fopen("./database","a+"); 275 | } 276 | GetContent(title_ptr,48); 277 | puts("Pls input your advise"); 278 | GetContent(advise_ptr,size-0x10); 279 | printf("OK!(Advise allocate on 0x%x)",advise_ptr); 280 | fwrite(advise_ptr,1,size-0x10,file_handle); 281 | free(advise_ptr); 282 | return; 283 | } 284 | else 285 | { 286 | puts("Sorry,You have already leave advise!"); 287 | return; 288 | } 289 | } 290 | else 291 | { 292 | puts("If you want to leave advise,Pls create Crowdfunding first"); 293 | return; 294 | } 295 | 296 | } 297 | 298 | /* JumpTo: maps the menu number to its handler (1 Create, 2 Edit, 3 Delete, 4 Show, 5 Submit, 6 SaveAdvise, 7 exit). Any other value prints an error that includes the string at bss_name_ptr when that pointer is non-zero. The local `ptr` is unused. */ 299 | void JumpTo(int choice) 300 | { 301 | void *ptr=0; 302 | switch (choice) 303 | { 304 | case 1: 305 | Create(); 306 | break; 307 | case 2: 308 | 
Edit(); 309 | break; 310 | case 3: 311 | Delete(); 312 | break; 313 | case 4: 314 | Show(); 315 | break; 316 | case 5: 317 | Submit(); 318 | break; 319 | case 6: 320 | SaveAdvise(); 321 | break; 322 | case 7: 323 | exit(0); 324 | break; 325 | default: 326 | /* the name is printed through whatever bss_name_ptr currently holds; the pointer is dereferenced as a C string with no further validation */ if(bss_name_ptr==0) 327 | { 328 | puts("Your inputs is wrong~"); 329 | } 330 | else 331 | { 332 | printf("Dear %s,Your inputs is wrong~\n",(char *)bss_name_ptr); 333 | } 334 | 335 | } 336 | return; 337 | 338 | } 339 | /* main: initialises the program, then loops forever showing the menu, reading a number with GetNumber() and dispatching it through JumpTo(). The loop never exits on its own; termination happens through exit() in a handler or the alarm set in init(). */ 340 | int main(void) 341 | { 342 | int choice=0; 343 | init(); 344 | while(1) 345 | { 346 | welcome(); 347 | choice=GetNumber(); 348 | JumpTo(choice); 349 | } 350 | return 0; 351 | } 352 | -------------------------------------------------------------------------------- /13th_cuit_game/pwn_source_code/pwn50/pwn50.py: -------------------------------------------------------------------------------- 1 | # -*-coding:utf-8-*- 2 | 3 | 4 | #!/usr/bin/python3 5 | import sys, cmd, os 6 | 7 | del __builtins__.__dict__['__import__'] 8 | del __builtins__.__dict__['eval'] 9 | 10 | intro = """ 11 | Welcome to SCTF Python Interpreter 12 | =================================================================================== 13 | 14 | ____ _ _ ____ _ _ ___ _____ 15 | | _ \__ ___ __ | |__ _ _| |__ / ___| | | |_ _|_ _| 16 | | |_) \ \ /\ / / '_ \| '_ \| | | | '_ \ | | | | | || | | | 17 | | __/ \ V V /| | | | | | | |_| | |_) | | |___| |_| || | | | 18 | |_| \_/\_/ |_| |_|_| |_|\__,_|_.__/ \____|\___/|___| |_| 19 | 20 | 21 | 22 | _ ____ ___ __ _____ _____ _ __ _ _| |_| |__ (_)_ __ __ _ 23 | | '_ \ \ /\ / / '_ \ / _ \ \ / / _ \ '__| | | | __| '_ \| | '_ \ / _` | 24 | | |_) \ V V /| | | | | __/\ V / __/ | | |_| | |_| | | | | | | | (_| | 25 | | .__/ \_/\_/ |_| |_| \___| \_/ \___|_| \__, |\__|_| |_|_|_| |_|\__, | 26 | |_| |___/ |___/ 27 | 28 | =================================================================================== 29 | Rules: 30 | -No import 31 | -No ... 
32 | -No flag 33 | 34 | """ 35 | # execute: runs the given text with exec() in this module's own globals. Those globals contain the modules imported at the top of the file (sys, cmd, os), so everything they expose is reachable from the executed text; deleting __import__ and eval from builtins earlier in the file does not remove that access. 36 | 37 | def execute(command): 38 | exec(command, globals()) 39 | # Jail: a cmd.Cmd shell whose postcmd() hook treats each entered line as Python source. The only control is a substring denylist; nothing here isolates the executed code from the host process. 40 | class Jail(cmd.Cmd): 41 | # `filtered` is the denylist: a line is rejected when it contains any of these substrings (single quote, dot, and the listed keywords and names). 42 | prompt = '>>> ' 43 | filtered = '\'|.|input|if|else|eval|exit|import|quit|exec|code|const|vars|str|chr|ord|local|global|join|format|replace|translate|try|except|with|content|frame|back'.split('|') 44 | 45 | def do_EOF(self, line): 46 | sys.exit() 47 | 48 | def emptyline(self): 49 | return cmd.Cmd.emptyline(self) 50 | 51 | def default(self, line): 52 | sys.stdout.write('\x00') 53 | # postcmd: rejects the line if any denylisted substring occurs in it, otherwise passes it to execute(). NameError and other Exception subclasses are reported by echoing the input line. NOTE(review): a substring denylist in front of exec() is not a security boundary - the sample solution kept at the end of this file passes the filter unchanged. Untrusted code needs OS-level isolation (separate unprivileged process, restricted syscalls and filesystem), not in-process filtering. 54 | def postcmd(self, stop, line): 55 | if any(f in line for f in self.filtered): 56 | print("You are a big hacker !!!") 57 | print("Go away") 58 | else: 59 | try: 60 | execute(line) 61 | except NameError: 62 | print("NameError: name '%s' is not defined" % line) 63 | except Exception: 64 | print("Error: %s" % line) 65 | return cmd.Cmd.postcmd(self, stop, line) 66 | 67 | if __name__ == "__main__": 68 | try: 69 | Jail().cmdloop(intro) 70 | except KeyboardInterrupt: 71 | print("\rSee you next time !") 72 | 73 | ''' 74 | $python3 pwn50_jail.py 75 | 76 | $ cat exp.md 77 | print(getattr(os, "system")("/bin/bash")) 78 | ''' 79 | -------------------------------------------------------------------------------- /13th_cuit_game/pwn_source_code/pwn500/Pwn500_README: -------------------------------------------------------------------------------- 1 | 务必使用目录下的libc.so启动程序,否则系统的libc无法实现利用 2 | 3 | 500分,漏洞:内存未初始化、custom unlink、main_arena overflow、fake vtable 4 | 保护为NX、CANARY、PIE、RELRO全部开启 且题目利用不受任何保护的影响,全保护与无保护的利用代码完全相同 5 | 6 | House of lemon 7 | 2017.5.13 by:Ox9A82 8 | 9 | 1.stack leak--->leak libc 10 | 2.unlink write-anything-anywhere 11 | 3.alloc big--->arena overflow 12 | 4.fake vtable 13 | -------------------------------------------------------------------------------- /13th_cuit_game/pwn_source_code/pwn500/libc.so: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/SycloverSecurity/ctf/dc34cd740b10fa2f4abbe2c9a67a248e82789892/13th_cuit_game/pwn_source_code/pwn500/libc.so -------------------------------------------------------------------------------- /13th_cuit_game/pwn_source_code/pwn500/pwn500.c: -------------------------------------------------------------------------------- 1 | /* 2 | 2017.5.13 by:Ox9A82 3 | House of lemon 4 | 5 | 1.stack leak--->leak libc 6 | 2.unlink write-anything-anywhere 7 | 3.alloc big--->arena overflow 8 | 4.fake vtable 9 | */ 10 | /* NOTE(review): the header names of the two #include lines below were lost in extraction (angle-bracket text stripped). */ 11 | #include 12 | #include 13 | /* LEMON: one cart entry in a doubly linked list. The 16-byte text field is immediately followed by the fd and bk link pointers, so any write into text that exceeds 16 bytes lands on the links. */ 14 | typedef struct _LEMON 15 | { 16 | char text[16]; 17 | struct _LEMON *fd; 18 | struct _LEMON *bk; 19 | } LEMON; 20 | 21 | /* Global state, interleaved with junkN filler variables. data_start is the list head (a LEMON stored in global data); data_money is the budget checked by CheckMoney(); the *_flag variables make the advise and submit actions one-shot. */ 22 | int data_money=10; 23 | int junk1=0x1; 24 | LEMON data_start={1}; 25 | int junk2=0x1; 26 | int data_advise_size=1; 27 | int junk3=0x1; 28 | void *data_advise_ptr=1; 29 | int junk4=0x1; 30 | int leave_flag=1; 31 | int junk5=0x1; 32 | int delete_flag=1; 33 | int junk6=0x1; 34 | int edit_flag=1; 35 | int junk7=0x1; 36 | int sub_flag=1; 37 | /* init: arms a 100-second alarm, makes stdin and stdout unbuffered and resets the globals. CleanZero() is called before any declaration of it is visible (implicit declaration). */ 38 | void init(void) 39 | { 40 | alarm(100); 41 | setbuf(stdin,0); 42 | setbuf(stdout,0); 43 | CleanZero(); 44 | } 45 | /* CleanZero: makes data_start an empty circular list (fd and bk point at the head itself), sets the advise size to 200, clears the advise pointer and all four one-shot flags. data_money is not touched and keeps its initial 10. */ 46 | void CleanZero(void) 47 | { 48 | data_start.fd=&data_start; 49 | data_start.bk=&data_start; 50 | data_advise_size=200; 51 | data_advise_ptr=0; 52 | leave_flag=0; 53 | delete_flag=0; 54 | edit_flag=0; 55 | sub_flag=0; 56 | } 57 | 58 | /* NOTE(review): the listing is truncated between source lines 64 and 134 (text between a '<' and a later '>' was lost). The bodies of GetContent, and presumably GetContent_leak and GetNumber which are called later in the file, plus the opening of welcome(), are not visible, so their bounds and termination behaviour cannot be reviewed from this page. */ 59 | int GetContent(char *buf,int number) 60 | { 61 | char temp=0; 62 | int i=0; 63 | 64 | for(;i10) 135 | { 136 | exit(0); 137 | } 138 | /* sanity check on global state: the process exits when data_advise_size is outside 200..8000. This appears to be the tail of welcome(), so it runs on every menu display - confirm against the full source. */ 139 | if(data_advise_size<200||data_advise_size>8000) 140 | { 141 | exit(0); 142 | } 143 | puts("\nwelcome to House of lemon"); 144 | puts("This is a lemon store.\n"); 145 | puts("Here is our lemon types list:"); 146 | puts("1.Meyer lemon"); 147 | puts("2.Ponderosa lemon"); 148 | puts("3.Leave advise"); 149 | puts("4.Submit"); 150 | printf("\nNow you have %d$\n",data_money); 151 | puts("Pls input your choice:"); 152 | 153 | } 154 | 155 | int CheckMoney(int 
price) 156 | { /* CheckMoney: exits if data_money is outside 0..10; otherwise deducts price when the result stays within 0..10, stores it and returns 1, else returns 0 and leaves the balance unchanged. */ 157 | int money=0; 158 | if(data_money<0||data_money>10) 159 | { 160 | exit(0); 161 | } 162 | money=data_money-price; 163 | if(money>=0&&money<=10) 164 | { 165 | printf("You have pay %d$\n",price); 166 | data_money=money; 167 | return 1; 168 | } 169 | else 170 | { 171 | puts("You don't have enough money"); 172 | return 0; 173 | } 174 | 175 | } 176 | /* Remove: unlinks the most recently added node (data_start.bk) from the list. Review points: (1) the new tail is taken from ul->bk and written through (bck->fd=&data_start) with no check that it is a genuine list node, e.g. that bck->fd==ul beforehand; because the link fields sit directly after a text buffer that callers can overrun, this is the "custom unlink" weakness named in the challenge README; (2) the removed node is never freed and the balance is not refunded; (3) on an empty list ul and bck are both &data_start, so the call is a no-op that still reports success. A hardened version validates both neighbours before unlinking and frees the node. */ 177 | void Remove(void) 178 | { 179 | LEMON *ul=0; 180 | LEMON *bck=0; 181 | 182 | ul=data_start.bk; 183 | bck=ul->bk; 184 | data_start.bk=bck; 185 | bck->fd=&data_start; 186 | puts("Remove successed"); 187 | } 188 | /* Meyer_lemon: sub-menu for the 6$ item. Option 2 pays through CheckMoney(6), allocates a node (malloc result unchecked) and appends it at the tail of the circular list. Option 3 calls Remove(). Option 4 reads a message into the tail node's text field with a GetContent limit of 32 although text is 16 bytes, so longer input overwrites the node's fd and bk pointers (assuming GetContent stores up to `number` bytes; its body is truncated in this listing). With an empty cart the tail is data_start itself, so the same write lands in global data. The limit should be sizeof(ul->text) and option 4 should refuse an empty cart. */ 189 | void Meyer_lemon(void) //1 190 | { 191 | int choice=0; 192 | LEMON *ptr=0; 193 | LEMON *bck=0; 194 | LEMON *ul=0; 195 | while(1) 196 | { 197 | puts("\nYou choice the Meyer lemon!"); 198 | puts("1.Information about Meyer lemon"); 199 | puts("2.Add to my cart"); 200 | puts("3.Remove from my cart"); 201 | puts("4.Leave Message"); 202 | puts("5.back.."); 203 | puts("Pls Input your choice:"); 204 | choice=GetNumber(); 205 | if(choice==1) 206 | { 207 | puts("Meyer lemon is 6$"); 208 | } 209 | else if(choice==2) 210 | { 211 | if(!CheckMoney(6)) 212 | { 213 | return; 214 | } 215 | ptr=malloc(sizeof(LEMON)); 216 | ptr->fd=0; 217 | ptr->bk=0; 218 | 219 | bck=data_start.bk; 220 | data_start.bk=ptr; 221 | ptr->fd=&data_start; 222 | ptr->bk=bck; 223 | bck->fd=ptr; 224 | puts("successed!"); 225 | } 226 | else if(choice==3) 227 | { 228 | Remove(); 229 | } 230 | else if(choice==4) 231 | { 232 | ul=data_start.bk; 233 | puts("Get Input:"); 234 | GetContent(ul->text,32); 235 | } 236 | else if(choice==5) 237 | { 238 | return; 239 | } 240 | } 241 | } 242 | /* Ponderosa_lemon: same sub-menu as Meyer_lemon for the 4$ item, with the same unchecked malloc, the same 32-byte limit on the 16-byte text field in option 4, and the same Remove() path. The option-1 text still says "Meyer lemon". */ 243 | void Ponderosa_lemon(void) //2 244 | { 245 | int choice=0; 246 | LEMON *ptr=0; 247 | LEMON *bck=0; 248 | LEMON *ul=0; 249 | while(1) 250 | { 251 | puts("\nYou choice the Ponderosa_lemon"); 252 | puts("1.Information about Ponderosa_lemon"); 253 | puts("2.Add to my cart"); 254 | puts("3.Remove from my cart"); 255 | puts("4.Leave Message"); 256 | 
puts("5.back.."); 257 | puts("Pls Input your choice:"); 258 | choice=GetNumber(); 259 | if(choice==1) 260 | { 261 | puts("Meyer lemon is 4$"); 262 | } 263 | else if(choice==2) 264 | { 265 | if(!CheckMoney(4)) 266 | { 267 | return; 268 | } 269 | ptr=malloc(sizeof(LEMON)); 270 | ptr->fd=0; 271 | ptr->bk=0; 272 | 273 | bck=data_start.bk; 274 | data_start.bk=ptr; 275 | ptr->fd=&data_start; 276 | ptr->bk=bck; 277 | bck->fd=ptr; 278 | puts("successed!"); 279 | } 280 | else if(choice==3) 281 | { 282 | Remove(); 283 | } 284 | else if(choice==4) 285 | { 286 | ul=data_start.bk; 287 | puts("Get Input:"); 288 | GetContent(ul->text,32); 289 | } 290 | else if(choice==5) 291 | { 292 | return; 293 | } 294 | } 295 | } 296 | 297 | /* Submit: one-shot (sub_flag) form that reads a phone number and an address into stack buffers and echoes the address with %s. Both buffers are declared without an initialiser, so they hold whatever earlier calls left on the stack; if GetContent_leak does not NUL-terminate or clear them (its body is not visible in this listing), the %s echo discloses that stale stack content - the "uninitialised memory" issue named in the challenge README. Zero-initialising the buffers and terminating the input explicitly removes the disclosure. `vip` is unused. */ 298 | void Submit(void) 299 | { 300 | if(sub_flag) 301 | { 302 | return; 303 | } 304 | char phone[15]; 305 | char buf[100]; 306 | int vip=1056; 307 | printf("Hello Vip"); 308 | puts("Leave your information"); 309 | puts("Pls input your phone number first:"); 310 | GetContent_leak(phone,15); 311 | puts("Ok,Pls input your home address"); 312 | GetContent_leak(buf,95); 313 | printf("OK,your input is:%s",buf); 314 | sub_flag=1; 315 | return; 316 | } 317 | 318 | /* Advise: sub-menu with three one-shot actions. Case 1 stores the requested size in the global before validating it, then allocates 200..8000 bytes. Case 2 reads up to data_advise_size bytes into data_advise_ptr. Case 3 frees data_advise_ptr but leaves the pointer set. The flags are independent, so an edit is still accepted after a delete and then writes into freed memory; clearing data_advise_ptr after free() (case 2 already refuses a null pointer) closes that path. */ 319 | void Advise(void) 320 | { 321 | 322 | int choice=0; 323 | while(1) 324 | { 325 | puts("1.leave advise"); 326 | puts("2.edit advise"); 327 | puts("3.delete advise"); 328 | puts("4.return"); 329 | choice=GetNumber(); 330 | switch(choice) 331 | { 332 | case 1: 333 | if(leave_flag) 334 | { 335 | return; 336 | } 337 | puts("Input size(200~8000):"); 338 | data_advise_size=GetNumber(); 339 | if(data_advise_size<200||data_advise_size>8000) 340 | { 341 | puts("wrong size"); 342 | return; 343 | } 344 | data_advise_ptr=malloc(data_advise_size); 345 | if(!data_advise_ptr) 346 | { 347 | exit(0); 348 | } 349 | puts("OK"); 350 | leave_flag=1; 351 | break; 352 | case 2: 353 | if(edit_flag) 354 | { 355 | return; 356 | } 357 | if(data_advise_size<200||data_advise_size>8000) 358 | { 359 | exit(0); 360 | } 361 | 
if(!data_advise_ptr) 362 | { 363 | return; 364 | } 365 | puts("Input your advise"); 366 | /* writes through data_advise_ptr; the only liveness check is the null test above, and case 3 does not null the pointer after freeing it */ GetContent(data_advise_ptr,data_advise_size); 367 | edit_flag=1; 368 | break; 369 | case 3: 370 | if(delete_flag) 371 | { 372 | return; 373 | } 374 | if(!data_advise_ptr) 375 | { 376 | puts("nothing to delete"); 377 | continue; 378 | } 379 | /* the pointer stays set after this free(); assigning data_advise_ptr=0 here would make the case 2 guard effective */ free(data_advise_ptr); 380 | delete_flag=1; 381 | break; 382 | case 4: 383 | return; 384 | default: 385 | puts("You input is wrong"); 386 | break; 387 | } 388 | } 389 | } 390 | /* main: initialises the program and loops forever: show the menu, read a number, dispatch 1..4 to Meyer_lemon, Ponderosa_lemon, Advise and Submit. The error text mentions 1~5 although only four choices exist. */ 391 | int main() 392 | { 393 | int choice=0; 394 | init(); 395 | while(1) 396 | { 397 | welcome(); 398 | choice=GetNumber(); 399 | if(choice==1) 400 | { 401 | Meyer_lemon(); 402 | continue; 403 | } 404 | else if(choice==2) 405 | { 406 | Ponderosa_lemon(); 407 | continue; 408 | } 409 | else if(choice==3) 410 | { 411 | Advise(); 412 | continue; 413 | } 414 | else if(choice==4) 415 | { 416 | Submit(); 417 | continue; 418 | } 419 | else 420 | { 421 | puts("Error!please input 1~5"); 422 | continue; 423 | } 424 | } 425 | } 426 | 427 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ctf 2 | --------------------------------------------------------------------------------