PWNbabyheap-pcb20241234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495

PWNexpect_number (复现)做这道题的时候已经快结束了, 没有注意到展示历史记录的地址可以进行对程序基地址的泄露, 残念 我们可以通过对最后 0x5520 处修改一个自己来实现对存在溢出的函数的执行 考点是 c++ 的异常处理将返回地址覆盖为存在后门的的handler就好了覆盖的 rbp 需要可写 123456789101112131415161718192021222324

writehere1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677#!/usr/bin/env python3from pwncli import *from

PWN02123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657#!/usr/bin/env python3from pwncli import *from ctypes import *from time import timefrom st

PWN signin signin_revenge ezcode guest book QWEN (复现) ker (复现) signin在add功能中存在栈溢出, 打栈溢出就好了对随机数由于是srand(0),进行模拟就好 12345678910111213141516171819202122232425262728293031323334353637383940414243444

PWN sixbytes usersys (复现) ChromeLogger (复现) sixbytes6个字节的shellcode 最开始爆3不出来, 后面调试了下可以发现是因为idx为和不为0的时候跳转的循环地址不同, 直接跳过flag头开爆 123456789101112131415161718192021222324252627282930313233343536373839404

factory123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384#!/usr/bin/env python3from pwncli

pstack12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970#!/usr/bin/env python3from pwncli import *from ctypes import *f

(没打,结束了才去看了题) springboard非栈上的格式化字符串 格式 1%Yc%X$n 将Y写入栈上第X个位置指针指向的位置 12345678910111213141516171819202122230x50a47 posix_spawn(rsp+0x1c, "/bin/sh", 0, rbp, rsp+0x60, environ)constraints: rsp

PWNdynamic_but_static12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667#!/usr/bin/env python3from pwncli import *cli_script()