鹏城杯 2024 PWN: babyheap-pcb. 2024-11-09 pwn #pwn #鹏城杯
强网杯 2024 PWN: expect_number (reproduced after the event). By the time I worked on this challenge the competition was almost over, and I failed to notice that the address shown in the history display could be used to leak the program base; a pity. We can get the function containing the overflow to execute by modifying a single byte at the final 0x5520. The point being tested is C++ exception handling: overwrite the return address with the handler that contains the backdoor. The overwritten rbp must be writable. 2024-11-03 pwn #pwn #qwb
御网杯 2024: writehere. Excerpt: #!/usr/bin/env python3 from pwncli import * from 2024-10-30 pwn #pwn
网鼎杯 2024 - 青龙 PWN02. Excerpt: #!/usr/bin/env python3 from pwncli import * from ctypes import * from time import time from st 2024-10-30 pwn #pwn #re #crypto
强网拟态 2024 PWN: signin, signin_revenge, ezcode, guest book, QWEN (reproduced), ker (reproduced). signin: there is a stack overflow in the add function, so just exploit the stack overflow. For the random numbers, since the seed is srand(0), simply simulate the generator. 2024-10-20 pwn #pwn
DASCTF 2024 金秋十月|秋意浓,战火燃,码上见真章 PWN: sixbytes, usersys (reproduced), ChromeLogger (reproduced). sixbytes: a six-byte shellcode. At first the brute force got stuck at 3; after some debugging I found that the loop jump address differs depending on whether idx is 0 or not, so skip the flag header and brute-force directly. 2024-10-20 pwn #pwn #buu
SCTF 2024: factory. Excerpt: #!/usr/bin/env python3 from pwncli 2024-10-08 pwn #pwn #xctf
羊城杯 2024: pstack. Excerpt: #!/usr/bin/env python3 from pwncli import * from ctypes import * f 2024-09-03 pwn #pwn
DASCTF 2024 暑期挑战赛 (did not take part; looked at the challenges only after it ended). springboard: a format string that is not on the stack. The format %Yc%X$n writes the value Y to the location pointed to by the pointer in the X-th stack slot. Excerpt: 0x50a47 posix_spawn(rsp+0x1c, "/bin/sh", 0, rbp, rsp+0x60, environ) constraints: rsp 2024-07-21 pwn #pwn #buu #das
DASCTF X GFCTF 2024|四月开启第一局 PWN: dynamic_but_static. Excerpt: #!/usr/bin/env python3 from pwncli import * cli_script() 2024-05-03 pwn #pwn #buu