Pwn-Competition
Pwn-Competition-record
P1umH0
This author is lazy and has left nothing behind…
PWN-COMPETITION-HGAME2022-Week4
Challenges: vector. A pwn written in C++ that implements a vector; there is no edit function, but a move function was added. On add or move, if the input index is larger than the vector's size, the vector resizes to grow: the chunk occupied by the old vector is automatically freed and goes into the corresponding bin, and the data is moved to the new vector. Using the vector growth on add, free a chunk with size greater than 0x410 so that it goes into the unsorted bin and leak libc. Using the vector growth on move… Original · 2022-02-18 20:36:34 · 396 views · 0 comments
PWN-COMPETITION-HGAME2022-Week3
Challenges: changeable_note, elder_note. delete_note contains a UAF vulnerability. First leak libc via the unsorted bin, then use a double free to overwrite __realloc_hook with a one-gadget and __malloc_hook with the real address of realloc (to adjust the stack frame). `# -*- coding:utf-8 -*- from pwn import * from pwnlib.u…` Original · 2022-02-13 14:42:57 · 2673 views · 0 comments
PWN-COMPETITION-HGAME2022-Week2
Challenges: blind (unsolved), echo_sever, oldfashion_note. echo_sever: a format-string vulnerability on the heap. When the input v0 is 0, realloc(ptr, 0) is equivalent to free(ptr), so consider writing free_hook as a one-gadget. `# -*- coding:utf-8 -*- from pwn import * context.log_level="debug" io=process(".…` Original · 2022-02-04 22:32:37 · 1789 views · 0 comments
PWN-COMPETITION-HGAME2022-Week1
Challenges: enter_the_pwn_land, enter_the_evil_pwn_land, oldfashion_orw (unsolved), ser_per_fa (unsol), test_your_nc, test_your_gdb. enter_the_pwn_land: a stack overflow; note that the address of the index i is higher than the address of the input s, so overflowing s overwrites i, and the value of i must be overwritten carefully so the loop continues to run normally. After that it is a standard ret2libc. `# -*- coding:…` Original · 2022-01-28 20:36:36 · 1247 views · 0 comments
PWN-COMPETITION-GeekChallenge2021
Original · 2021-11-15 12:26:38 · 667 views · 0 comments
PWN-COMPETITION-0xGame2021
Challenges: Pwn?!, ret2text, WTF?Shellcode!, No BackDoor!, ret2libc pro max, Where is my stack?!, N1k0la's_love, stupid repeater, ezpwn?, leak me, canary eats pie, N1k0la's love 2.0. Original · 2021-11-04 18:06:27 · 1119 views · 0 comments