nyyyddddn

nyyyddddn

奇奇怪怪格式化字符串漏洞的利用1
题目附件https://github.com/nyyyddddn/ctf/tree/main/%E5%A5%87%E5%A5%87%E6%80%AA%E6%80%AA%E6%A0%BC%E5%BC%8F%E5%8C%96%E5%AD%97%E7%AC%A6%E4%B8%B2%E5%88%A9%E7%94%A81 非栈上格式化字符串套orwhznuctf_ezpwn 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849int __cdecl main(int arg...
2024/08/22
misc
tfcctf2024
题目附件https://github.com/nyyyddddn/ctf/tree/main/tfcctf2024 pwnGUARD-THE-BYPASS程序的逻辑如下 这里GUARD也就是指canary 1234567891011121314151617181920212223242526272829303132int __cdecl main(int argc, const char **argv, const char **envp){ int v5; // [rsp+Ch] [rbp-14h] BYREF pthread_t newthread; // [rsp+1...
2024/08/08
ctf writeup
ImaginaryCTF
pwnimgstore123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657unsigned __int64 sell_book(){ char v1; // [rsp+7h] [rbp-59h] BYREF int buf; // [rsp+8h] [rbp-58h] BYREF int fd; // [rsp+Ch] [rbp-54h] char s[72]; // [rsp+10h] [rbp-50h] BYR...
2024/08/01
ctf writeup
dasctf2024_summer_challenge
题目附件https://github.com/nyyyddddn/ctf/tree/main/dasctf2024_summer_challenge pwnspring_board123456789101112131415161718192021222324int __cdecl main(int argc, const char **argv, const char **envp){ int i; // [rsp+Ch] [rbp-4h] myinit(argc, argv, envp); puts("Life is not boring, dreams ar...
2024/07/22
ctf writeup
wkctf_pwn
题目附件https://github.com/nyyyddddn/ctf/tree/main/wkctf_pwn pwnbaby_stack在guess number逻辑这里用格式化字符串泄露 libc地址后 123456789101112131415__int64 wait(){ unsigned int v0; // eax char s[5]; // [rsp+Bh] [rbp-85h] BYREF char format[120]; // [rsp+10h] [rbp-80h] BYREF puts("Press enter to continue&q...
2024/07/15
ctf writeup
d3ctf_pwnshell复现
pwnshell 复现 (php pwn)如何调试?php pwn该如何调试?在docker中装一个gdbserver,用gdbserver起一个程序,在exp中用能触发io中断的php函数打”断点”,之后用gdb连上去后在vuln.so里打个断点就好了 能触发io中断的函数,比如说fgetc 1234<?php$char = fgetc(STDIN);echo "You entered: $char\n";?> 在pwnshell这个题目中php配置文件里禁用了fgetc这个函数,修改php.ini中的disable_functions,把fgetc删...
2024/06/30
ctf writeup
xctf_ggbord复现
ggbond可以发现主函数是main_main,同时存在大量grpc字段,可以判断出程序使用了grpc框架。和grpc框架开发的程序进行交互,需要提取protobuf,protobuf谷歌开发的数据序列化格式,它通常用于网络通信和数据存储的应用程序之间的结构化数据交换。这个工具让你能够定义交互时消息的数据结构。 程序套了grpc,与程序的交互不再直接通过标准输入,而需要通过定义的 gRPC 服务接口来进行,然后grpc 使用一个叫protobuf的结构去描述怎么和程序交互的,首先需要提取出程序中的protobuf,然后python中有一个叫grpc_tools的库可以通过 protobu...
2024/06/25
ctf writeup
vsctf_pwn
题目附件https://github.com/nyyyddddn/ctf/tree/main/vsctf_pwn pwncosmic-ray-v3程序的逻辑 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950int __cdecl main(int argc, const char **argv, const char **envp){ signed __int64 v3; // rax setbuf(stdout, 0LL); setbuf...
2024/06/19
ctf writeup
litctf2024_pwn
pwnheap-2.23程序逻辑 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291...
2024/06/04
ctf writeup
xctf_BuggyAllocator复现
xctf_BuggyAllocator复现程序有 alloc 和dealloc两个选项 123456789101112131415161718192021222324252627282930313233343536373839404142__int64 menu(){ __int64 v0; // rax __int64 v1; // rax __int64 v2; // rax v0 = std::operator<<<std::char_traits<char>>(&std::cout, "*** Buggy ...
2024/05/30
ctf writeup
avatar
nyyyddddn
快来和我贴贴qaq
FRIENDS
yuro shin k0rain TokameinE LilRan
ABOUT ME
Total : 61
2025
2024
2023
Invalid date
2023
ctf writeup misc