adworld (攻防世界) Beginner Area, PWN section: Write-up
source link: https://iamywang.github.io/2020/adworld-pwn-1/
0x01 guess_num
checksec
Stack is executable; Canary and PIE are both enabled.
IDA analysis
Number guessing: guess 10 random numbers in a row correctly to get the flag.
The input string lives at rsp+10h and the seed at rsp+30h.
So fill 0x20 bytes first, then overwrite the random seed.
Payload construction
```python
payload = 'A' * 0x20 + p64(1)
```
The random seed becomes 1.
The resulting sequence is: 2 5 4 2 6 2 5 1 4 2
Python script
```python
from pwn import *
```
cyberpeace{cdece09e67aec66f2211ee4176f1f555}
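The reason the seed overwrite works is that glibc's rand() is a deterministic generator: once srand(1) has run, every subsequent "random" draw is fixed. The following is an added example, not code from the original write-up: a pure-Python model of glibc's rand() (the TYPE_3, degree-31 additive generator) that reproduces the sequence above, plus the defensive alternative of drawing from a CSPRNG that has no seed sitting in an overwritable stack variable. It assumes the binary computes each number as rand() % 6 + 1, which is consistent with the values the write-up reports, and it handles seeds in the range 1..2**31-1.

```python
# Added example (not from the original write-up): model of glibc rand()
# to show why a seed that an attacker can overwrite makes the game trivial,
# and what a non-predictable draw looks like instead.
import secrets
from typing import List

MOD = 2147483647  # 2**31 - 1, modulus of the LCG glibc uses to expand the seed


def glibc_rand_stream(seed: int, count: int) -> List[int]:
    """Return the first `count` values glibc rand() yields after srand(seed).

    Assumption: seed is in 1..2**31-1 (srand(0) behaves like srand(1)).
    """
    if seed == 0:
        seed = 1
    # Step 1: expand the seed into 31 state words with a Park-Miller LCG.
    r = [seed]
    for _ in range(1, 31):
        r.append((16807 * r[-1]) % MOD)
    # Step 2: the first three words are re-used, then the additive
    # lagged-Fibonacci step r[i] = r[i-31] + r[i-3] (mod 2**32) runs.
    for i in range(31, 34):
        r.append(r[i - 31])
    for i in range(34, 344 + count):
        r.append((r[i - 31] + r[i - 3]) & 0xFFFFFFFF)
    # Step 3: glibc discards the first 310 outputs (indices 34..343);
    # rand() returns each state word shifted right by one bit.
    return [r[i] >> 1 for i in range(344, 344 + count)]


def predict_guesses(seed: int, rounds: int = 10) -> List[int]:
    """Numbers a guess_num-style binary draws after srand(seed).

    Assumption: the binary maps rand() onto a die with rand() % 6 + 1.
    """
    return [v % 6 + 1 for v in glibc_rand_stream(seed, rounds)]


def unpredictable_guesses(rounds: int = 10) -> List[int]:
    """Defensive counterpart: draw from the OS CSPRNG instead of srand/rand.

    There is no seed value in memory to overwrite, so a stack overflow that
    reaches the old seed slot no longer fixes the sequence.
    """
    return [secrets.randbelow(6) + 1 for _ in range(rounds)]


if __name__ == "__main__":
    # With the seed forced to 1 the game is fully known in advance.
    print("srand(1) predictions:", predict_guesses(1))  # 2 5 4 2 6 2 5 1 4 2
    print("CSPRNG draws:        ", unpredictable_guesses())
```

Running the script prints the same ten numbers the write-up obtained from the real binary, which confirms that the only secret in the original game was the seed, and that a seed reachable by a 0x20-byte overflow is no secret at all.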
0x02 int_overflow
checksec
Stack is executable; no Canary, no PIE.
There is a what_is_this function that simply runs cat flag; its address is 0x804868B.
Look at the login function and use the overflow there.
Also, dest has a length of 0x14.
Make the return address point at the cat flag function.
Payload and flag
```python
from pwn import *
```
0x03 hello_pwn
No canary found NX enabled No PIE
IDA analysis
Buffer overflow in the .bss section.
unk_601068 is 4 bytes; overwrite the dword_60106C that follows it.
```c
read(0, &unk_601068, 0x10uLL);
```
Payload
```python
from pwn import *
```
0x04 when_did_you_born
```python
from pwn import *
```
0x05 cgpwn2
Basic idea: place /bin/sh in the .bss section, then overwrite the return address with system and pass the address of name as the argument, so that sh is executed.
```python
from pwn import *
```