皮卡の blog

Some interesting exercises

in pwn

excited UAF from pwn import * p = process("./excited") elf = ELF("./excited") #context.log_level='debug' libc = elf.libc def so(): gdb.attach(p) pause() def new(balength,bacontent,nalength,n...

Posted by pic4xiu on February 25, 2020

Some strange questions

in heap

本文首发先知本人在做堆题时经常遇到一些特别怪的套路,自己不看 exp 基本永远想不到,看完后先是一脸蒙,经过调试就恍然大悟.奥~~ 还能这么玩,所以通过这个系列记录一下在 fastbin 中,大多数时候修改成可利用的 fd 很考验堆的构造能力,下边就以该题作为模板,因为这题实在有点合适漏洞简要分析 unsigned __int64 take_note() { int v1;...

Posted by pic4xiu on November 11, 2019

sixth week

with pwn

本周是第六周了，继续佛系刷题，上周的红帽杯 pwn 题就 3 道，但是我第一道就不会，最后还是通过各种姿势了解到了怎么搞，神他妈爆破 pwn from pwn import* elf = ELF("./pwn") context.log_level = "debug" tmp='' for j in range(0,32): for i in range(33,127): io = ...

Posted by pic4xiu on November 11, 2019

fifth week

with pwn

本周脱离 wp 生存的第一周,困难重重铁三的 bookstore 这题是自写函数的溢出,看似很简单,其实利用起来很难,我的思路是一个堆块复用实现各种泄漏,但是泄漏出来发现用不了,这个有一个很恶心的就是 if ( (unsigned int)size > 0x50 ) return puts("Too big!"); size 的限制,让我头皮发麻,我尝试了几种方...

Posted by pic4xiu on November 4, 2019

forth week

with pwn

这周佛系做题~~~ 2017湖湘杯pwn100 这道题学了个知识点, fork ,感觉还好吧,这题很快就看到了栈溢出,但是想了一会逻辑有点蒙逼,看了看 wp ,就是简单的泄漏 Canary 和 libc ,发现自己真是莫名其妙不敢做题,怎么搞得~~~ __Auther__ = 'niexinming' from pwn import * import base64 one = 0x...

Posted by pic4xiu on October 28, 2019

third week

with pwn

感觉上周跑得太快了,好多知识没完全消化,这周就总结吧~~~(不是偷懒啊 off by one 这种 off by one 的洞有好多方法,如堆块重叠和 unlink ,这里先记录一下 unlink from pwn import * p = process('./pwn') elf = ELF("./pwn", checksec=False) libc = ELF('/lib/x86_...

Posted by pic4xiu on October 21, 2019

One_gadget

Seckill

本文首发先知问题来源在有 one_gadget 之前,我们一般都是通过常规 rop 的方式 getshell .有了它之后,知道 libc 偏移就能够通过它的地址一步 getshell .详细介绍参见此处,我们就可以把更多精力花在利用漏洞上边.但是在做栈溢出时经常遇到 one_gadget 的佛系 bug ,究其原因还是 constraints 的锅,每次执行都是一次execve("...

Posted by pic4xiu on October 20, 2019

second week

with pwn

10.14 ~ 10.20 这是今年信息安全竞赛华南赛区半决赛的 pwn 题, wp 基本来自大佬 day1 pwn1 off by one from pwn import * p = process('./pwn') elf = ELF("./pwn", checksec=False) libc = ELF('/lib/x86_64-linux-gnu/libc-2...

Posted by pic4xiu on October 11, 2019

first week

with pwn

10.8 ~ 10.13 This four exercises contain Triathlon Finals last year and one exercise in CISCN littlenote UAF from pwn import * io=process('./littlenote') def add(content): io.sendlin...

Posted by pic4xiu on October 11, 2019

Some interesting exercises

in pwn

第五空间线下赛壹業这个和 0ctf 的 babyheap 挺像的,很简单,但是本地的 so 文件的 one_gadegt 不太好用,本地调不通,很难受,感觉远程可以,应该不用调堆栈吧~~ [8:56:33] pic:壹業 $ one_gadget libc.so.6 0x45216 execve("/bin/sh", rsp+0x30, environ) constraints...

Posted by pic4xiu on October 5, 2019

Domain knowledge

Some interesting exercises

in pwn

Some strange questions

in heap

sixth week

with pwn

fifth week

with pwn

forth week

with pwn

third week

with pwn

One_gadget

Seckill

second week

with pwn

first week

with pwn

Some interesting exercises

in pwn

FEATURED TAGS

ABOUT ME

FRIENDS