Pwn-BUUCTF
Pwn-BUUCTF-record
P1umH0
PWN-PRACTICE-BUUCTF-30
Original post · 2021-09-13 11:02:33 · 145 views · 0 comments
Challenges: suctf_2018_stack, wdb_2018_3rd_soEasy, [BSidesCF 2019]Runit, qctf2018_stack2
suctf_2018_stack: stack overflow, ret2text. The return address cannot be the start of next_door directly; set it to 0x40067A, where the syscall arguments and syscall number start being set up. from pwn import *#context.log_level='debug'#io=process('./SUCTF_2018_sta
PWN-PRACTICE-BUUCTF-29
Original post · 2021-09-12 17:58:32 · 235 views · 0 comments
Challenges: actf_2019_babyheap, wustctf2020_easyfast, 强网杯2019 拟态 STKOF, hitcon_2018_children_tcache
actf_2019_babyheap: UAF. Create two chunks of a size other than 0x10, for example two of 0x20; the program then creates four chunks of sizes 0x10, 0x20, 0x10, 0x20. Free the created chunks in order: the two 0x10 chunks form one list and the two 0x20 chunks form another. Then create another 0x1
PWN-PRACTICE-BUUCTF-28
Original post · 2021-09-12 11:38:36 · 166 views · 0 comments
Challenges: wustctf2020_name_your_dog, judgement_mna_2016, gyctf_2020_some_thing_interesting, xman_2019_format
wustctf2020_name_your_dog: Partial RELRO, so the GOT is writable. scanf_got is 56 bytes before Dogs, so with index -7 scanf_got can be overwritten with the address of shell. from pwn import *#io = process("./wus
PWN-PRACTICE-BUUCTF-27
Original post · 2021-09-11 16:20:29 · 131 views · 0 comments
Challenges: starctf_2019_babyshell, picoctf_2018_buffer overflow 0, gyctf_2020_signin, bjdctf_2020_YDSneedGrirlfriend
starctf_2019_babyshell: use \x00 to bypass the shellcode check; call rdx jumps there and executes the code. A lone \x00 will always fail to execute, so an instruction whose machine code begins with \x00 is needed. Reference: x86汇编语言杂记. from pwn import *contex
PWN-PRACTICE-BUUCTF-26
Original post · 2021-09-11 12:02:32 · 156 views · 0 comments
Challenges: 护网杯_2018_gettingstart, wustctf2020_number_game, picoctf_2018_are you root, ciscn_2019_en_3
护网杯_2018_gettingstart: the read into buf overflows; overwrite v5 with 0x7FFFFFFFFFFFFFFF and v6 with 0x3FB999999999999A. from pwn import *io=remote("node4.buuoj.cn",29057)io.recvuntil("
PWN-PRACTICE-BUUCTF-25
Original post · 2021-09-10 17:44:36 · 719 views · 0 comments
Challenges: wustctf2020_name_your_cat, ciscn_2019_final_2, mrctf2020_shellcode_revenge, zctf2016_note2
wustctf2020_name_your_cat: an out-of-bounds array write sets the return address to the backdoor shell function. from pwn import *#io=process('./wustctf2020_name_your_cat')io=remote('node4.buuoj.cn',28864)elf=E
PWN-PRACTICE-BUUCTF-24
Original post · 2021-09-09 18:28:37 · 215 views · 0 comments
PWN-PRACTICE-BUUCTF-23
Original post · 2021-09-09 14:30:24 · 590 views · 0 comments
Challenges: gyctf_2020_some_thing_exceting, axb_2019_heap, [极客大挑战 2019]Not Bad, inndy_echo
gyctf_2020_some_thing_exceting: the program reads the flag to address 0x6020A8 in the bss segment. There is a UAF; using the LIFO order of fastbins, create a chunk of suitable size and free it, create again, write 0x6020A8 into the chunk that was previously created and freed, and finally show prints out
PWN-PRACTICE-BUUCTF-22
Original post · 2021-09-08 16:20:26 · 417 views · 0 comments
Challenges: hitcontraining_unlink, picoctf_2018_leak_me, suctf_2018_basic pwn, axb_2019_brop64
hitcontraining_unlink: unlink. Reference: [BUUCTF]PWN——hitcontraining_unlink. # -*- coding:utf-8 -*-from pwn import *#io=process("./bamboobox")io=remote("node4.buuoj
PWN-PRACTICE-BUUCTF-21
Original post · 2021-09-08 15:22:46 · 208 views · 0 comments
Challenges: wdb_2018_2nd_easyfmt, ciscn_2019_es_1, axb_2019_fmt64, x_ctf_b0verfl0w
wdb_2018_2nd_easyfmt: format string vulnerability. The first printf leaks the real address of printf through printf_got; from it the libc base and the real address of system are computed. The second printf overwrites printf_got with the real address of system, so every later printf actually executes system. The third input
PWN-PRACTICE-BUUCTF-20
Original post · 2021-09-07 19:24:34 · 169 views · 0 comments
Challenges: actf_2019_babystack, picoctf_2018_can_you_gets_me, picoctf_2018_got_shell, mrctf2020_easy_equation
actf_2019_babystack: two stack pivots. # -*- coding:utf-8 -*-from pwn import *#context.log_level="debug"#io=process("./ACTF_2019_babystack")io=remote(
PWN-PRACTICE-BUUCTF-19
Original post · 2021-09-07 15:56:28 · 130 views · 0 comments
Challenges: hitcontraining_bamboobox, picoctf_2018_shellcode, npuctf_2020_easyheap, cmcc_pwnme2
hitcontraining_bamboobox: unlink. Reference: hitcontraining_bamboobox 堆技巧 unlink. # -*- coding:utf-8 -*-from pwn import *#io=process("./bamboobox")io=remote("node4.
PWN-PRACTICE-BUUCTF-18
Original post · 2021-09-06 20:04:35 · 117 views · 0 comments
Challenges: ciscn_2019_final_3, ciscn_2019_s_9, jarvisoj_level5, pwnable_hacknote
ciscn_2019_final_3: tcache dup. Reference: [V&N2020 公开赛]easyTHeap + ciscn_2019_final_3 ——heap中tcache的一些简单利用方法. # -*- coding:utf-8 -*-from pwn import *context.log_level="debug
PWN-PRACTICE-BUUCTF-17
Original post · 2021-09-05 17:54:40 · 159 views · 1 comment
Challenges: hitcontraining_heapcreator, wustctf2020_closed, ciscn_2019_es_7, hitcon2014_stkof
hitcontraining_heapcreator: single-byte overflow. Modify the size of the next chunk to create a chunk overlap, which gives arbitrary address read/write. Reference: buuctf hitcontraining_heapcreator HITCON Trainging lab13. # -*- coding:UTF-8 -*-
PWN-PRACTICE-BUUCTF-16
Original post · 2021-08-09 18:16:23 · 111 views · 0 comments
Challenges: mrctf2020_easyoverflow, hitcontraining_magicheap, ciscn_2019_s_4, 0ctf_2017_babyheap
mrctf2020_easyoverflow: overwrite v5 in main so that it equals "n0t_r3@11y_f1@g". from pwn import *r=remote("node4.buuoj.cn",29521)payload='a'*0x30+"n0t_r3@11y_f1@g"r.sendline(p
PWN-PRACTICE-BUUCTF-15
Original post · 2021-08-09 16:42:17 · 130 views · 0 comments
Challenges: axb_2019_fmt32, wustctf2020_getshell_2, others_babystack, pwnable_start
axb_2019_fmt32: format string vulnerability. First leak the real address of printf, compute the libc base from it, and obtain the real address of system. Then modify the GOT so that printf's GOT entry points to the real address of system; later calls to printf then actually execute system. from pwn import *#p=process('./axb_2019_f
PWN-PRACTICE-BUUCTF-14
Original post · 2021-08-09 16:04:28 · 138 views · 0 comments
Challenges: bbys_tu_2016, ciscn_2019_n_3, roarctf_2019_easy_pwn, gyctf_2020_borrowstack
bbys_tu_2016: stack overflow; overwrite eip with the printFlag function. from pwn import *#io=process('./bbys_tu_2016')io=remote('node4.buuoj.cn',27817)elf=ELF('./bbys_tu_2016')#io.recvuntil('feed i
PWN-PRACTICE-BUUCTF-13
Original post · 2021-08-08 18:14:28 · 146 views · 0 comments
Challenges: [ZJCTF 2019]Login, inndy_rop, mrctf2020_shellcode, jarvisoj_level1
PWN-PRACTICE-BUUCTF-12
Original post · 2021-08-08 17:34:23 · 127 views · 0 comments
Challenges: cmcc_simplerop, picoctf_2018_buffer overflow 2, babyfengshui_33c3_2016, xdctf2015_pwn200
cmcc_simplerop: statically linked 32-bit ELF; find an "int 80h" to make the system call. First use the stack overflow to read in the string "/bin/sh\x00", then find pop gadgets to load the registers, and finally "int 80h". from pwn import *io = remote('node4.buuoj.cn',27587)
PWN-PRACTICE-BUUCTF-11
Original post · 2021-08-08 16:04:32 · 113 views · 0 comments
Challenges: bjdctf_2020_router, picoctf_2018_buffer overflow 1, pwnable_orw, wustctf2020_getshell
bjdctf_2020_router: Linux can run several commands on one command line. ; -- if commands are separated by a semicolon (;), they run one after another, and even if one command fails the following commands still run. && -- if commands are separated by &&, they also run in sequence, but if a command in the middle fails
PWN-PRACTICE-BUUCTF-10
Original post · 2021-08-08 15:38:18 · 108 views · 0 comments
Challenges: jarvisoj_level3_x64, bjdctf_2020_babyrop2, hitcontraining_uaf, jarvisoj_test_your_memory
jarvisoj_level3_x64: stack overflow in a 64-bit ELF, ret2csu. from pwn import *#context.log_level='debug'#io=process('./jarvisoj_level3_x64')io=remote('node4.buuoj.cn',294
PWN-PRACTICE-BUUCTF-9
Original post · 2021-08-08 11:40:32 · 116 views · 0 comments
Challenges: [Black Watch 入群题]PWN, jarvisoj_level4, picoctf_2018_rop chain, [ZJCTF 2019]EasyHeap
[Black Watch 入群题]PWN: vul_function can write data into the .bss segment and also overflows the stack, but only by 8 bytes, enough to overwrite ebp and eip. Use two stack pivots: the first calls write to leak the real address of write, from whose offset the libc base and then the addresses of system and "/bin/sh" are computed; the second stack pivot executes s
PWN-PRACTICE-BUUCTF-8
Original post · 2021-08-07 18:22:32 · 157 views · 0 comments
Challenges: ciscn_2019_es_2, jarvisoj_level3, ez_pz_hackover_2016, jarvisoj_tell_me_something
PWN-PRACTICE-BUUCTF-7
Original post · 2021-08-07 16:18:28 · 178 views · 0 comments
Challenges: jarvisoj_fm, ciscn_2019_s_3, bjdctf_2020_babystack2, [HarekazeCTF2019]baby_rop2
PWN-PRACTICE-BUUCTF-6
Original post · 2021-08-07 16:16:28 · 118 views · 0 comments
Challenges: 铁人三项(第五赛区)_2018_rop, bjdctf_2020_babyrop, babyheap_0ctf_2017, pwn2_sctf_2016
PWN-PRACTICE-BUUCTF-5
Original post · 2021-08-05 16:54:32 · 150 views · 0 comments
Challenges: jarvisoj_level2_x64, ciscn_2019_n_5, others_shellcode, ciscn_2019_ne_5
PWN-PRACTICE-BUUCTF-4
Original post · 2021-08-05 15:50:40 · 103 views · 0 comments
PWN-PRACTICE-BUUCTF-3
Original post · 2021-07-24 12:08:24 · 133 views · 0 comments
PWN-PRACTICE-BUUCTF-2
Original post · 2021-07-23 17:12:24 · 185 views · 0 comments
Challenges: pwn1_sctf_2016, jarvisoj_level0, ciscn_2019_c_1, [第五空间2019 决赛]PWN5
pwn1_sctf_2016: main calls vuln. fgets limits the input length, which by itself is not enough for a stack overflow, but the program replaces every "I" in the input with "you", which lengthens it enough to overflow the stack. The executable also has a backdoor function get_flag, so a payload that overwrites eip with get_flag yields the flag. from pwn import *#io=process(
PWN-PRACTICE-BUUCTF-1
Original post · 2021-07-04 18:14:33 · 174 views · 0 comments