Ret2plt The only difference between this challenge and the previous one is that this binary is dynamically linked, so we need to leak the libc address and then use things from libc to call a shell. Put printf's GOT entry into rdi and call printf@plt; this tells us where the printf function sits under ASLR in this run of the program. Then use readelf -s to find printf's offset within libc and subtract it, which gives us the li...
Stack Pivoting Preface: when, after controlling rip, there is not enough stack space to push a ROP chain, we need the stack pivoting technique. After overwriting up to the end of buf, insert a leave; ret gadget so that rbp jumps to the stack location we specify, which then gives us a huge amount of space. Image from LYS's slides. Ais3-lys-rop1 ...
Ais3-lys-rop1 When the NX protection mechanism is present, ROP can help us bypass it. Find gadgets and push a ROP chain shaped like the shellcode. from pwn import * context.arch = 'amd64' r = remote("35...
How to use gdb It was only when I got to the SROP lab that I realised I did not know how to use gdb, so here is a quick catch-up 🤧 open gdb: attach <pid> pwntools open gdb: from pwn import * context.terminal = ['tmux', 'splitw', '-h'...
Ansible Docs $ ansible-navigator doc -l ; ansible-navigator doc <ansible.builtin.dnf> Official YAML reference Basic terminology: inventory, host, group, playbook, play, task, modules Requirement: Linux, macOS ...
Ansible SELinux DNS server Intro (2023.09.20) SELinux review: ls -lZ, semanage, setenforce, chcon, firewalld Terminology: DNS : Domain Name Service; FQDN : Fully Qualified Domain Name; Domain; Subdomain; Zone ...
bof Hijack the return address so that rip runs call_me(). objdump -d ./bof: sub rsp,0x30 <- 48 bits in stack; rbp-0x30 is the gets() input buffer. Fill with 'a' up to 0x38 <- 0x30 buf + 0x8 saved rbp, then append p64(address of call_me()) <...
ROP Return Oriented Programming From yuawn NTU-Computer-Security week1 week2 week3; PicoCTF.com; pwn.college; Pwnable.tw pwntools interact with gdb: tmux, pause(), gdb attach pid ROP Gadgets ...
From yuawn NTU-Computer-Security, Dkoctro week1 week2 week3; PicoCTF.com; pwn.college; Pwnable.tw Basic ELF (Executable and Linkable Format) INTRO ELF-workflow (static) ELF-workflo...