小雨亦喧

发表于2025-10-11|pwnable.tw

1 程序分析64 位，没开 PIE，Full RELRO 不能改 GOT 表了，libc 版本 2.27 12345678910(pwn) secreu@Vanilla:~/code/pwnable/tcache_tear$ strings libc-18292bd12d37bfaf58e8dded9db7f1f5da1192cb.so | grep "Ubuntu GLIBC"GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1) stable release version 2.27.(pwn) secreu@Vanilla:~/code/pwnable/tcache_tear$ checksec --file=tcache_tear[*] '/home/secreu/code/pwnable/tcache_tear/tcache_tear' Arch: amd64-64-little RELRO: Full RELRO Stack: Canary fou...

[pwnable.tw] Re-alloc

发表于2025-09-30|pwnable.tw

1 程序分析64 位，没开 PIE，libc 版本为 2.29 1234567891011(pwn) secreu@Vanilla:~/code/pwnable/re-alloc$ checksec --file=re-alloc[*] '/home/secreu/code/pwnable/re-alloc/re-alloc' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x400000) FORTIFY: Enabled Stripped: No(pwn) secreu@Vanilla:~/code/pwnable/re-alloc$ strings libc-9bb401974abeef59efcdd0ae35c5fc0ce63d3e7b.so | grep "Ubuntu GLIBC"G...

[pwnable.tw] applestore

发表于2025-09-23|pwnable.tw

1 程序分析32 位程序，没开 PIE，部分写保护，libc 版本为 2.23 12345678910(pwn) secreu@Vanilla:~/code/pwnable/applestore$ checksec --file=applestore[*] '/home/secreu/code/pwnable/applestore/applestore' Arch: i386-32-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x8048000) Stripped: No(pwn) secreu@Vanilla:~/code/pwnable/applestore$ strings libc_32.so.6 | grep "Ubuntu GLIBC"GNU C Library (Ubuntu GLIBC 2.23-0ubuntu5) s...

[pwnable.tw] Silver Bullet

发表于2025-09-23|pwnable.tw

1 程序分析32 位程序，没 Canary，没开 PIE，libc 版本依旧是 2.23 12345678910(pwn) secreu@Vanilla:~/code/pwnable/silver_bullet$ checksec --file=silver_bullet[*] '/home/secreu/code/pwnable/silver_bullet/silver_bullet' Arch: i386-32-little RELRO: Full RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8047000) Stripped: No(pwn) secreu@Vanilla:~/code/pwnable/silver_bullet$ strings libc_32.so.6 | grep "Ubuntu GLIBC"GNU C Library (Ubuntu GL...

[pwnable.tw] hacknote

发表于2025-09-22|pwnable.tw

1 程序分析32位，没开 PIE，给的 libc 版本为 2.23 123456789(pwn) secreu@Vanilla:~/code/pwnable/hacknote$ checksec --file=hacknote[*] '/home/secreu/code/pwnable/hacknote/hacknote' Arch: i386-32-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x8046000)(pwn) secreu@Vanilla:~/code/pwnable/hacknote$ strings libc_32.so.6 | grep "Ubuntu GLIBC"GNU C Library (Ubuntu GLIBC 2.23-0ubuntu5) stable release version 2.23, by Rolan...

[pwnable.tw] dubblesort

发表于2025-09-19|pwnable.tw

1 程序分析32位，保护全开 123456789(pwn) secreu@Vanilla:~/code/pwnable/dubblesort$ checksec --file=dubblesort[*] '/home/secreu/code/pwnable/dubblesort/dubblesort' Arch: i386-32-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled RUNPATH: b'/home/secreu/code/pwnable/dubblesort' FORTIFY: Enabled 题目提供的 libc 是 32 位 2.23 版本，要用 patchelf 替换同样版本解释器 123456(pwn) secreu@Vanilla:~/code/pwnable/dubblesort$ strings...

[pwnable.tw] 3x17

发表于2025-09-17|pwnable.tw

1 程序分析只开了 NX，但是其实也开了 Canary 1234567(pwn) secreu@Vanilla:~/code/pwnable/3x17$ checksec --file=3x17[*] '/home/secreu/code/pwnable/3x17/3x17' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) 初步运行一下是让我们输入一个 addr，再输入 data 123(pwn) secreu@Vanilla:~/code/pwnable/3x17$ ./3x17 addr:123data:123 IDA 进去是 start 函数，因为去除了符号表，读起来不太方便，但是主要流程就是调用 __libc_start_main 执行 main 123456789101112131415161718...

[pwnable.tw] calc

发表于2025-09-11|pwnable.tw

1 程序分析i386 架构，开了 Canary 和 NX 12345678(pwn) secreu@Vanilla:~/code/pwnable/calc$ checksec --file=calc[*] '/home/secreu/code/pwnable/calc/calc' Arch: i386-32-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x8048000) Stripped: No 1.1 程序流程main 函数做了一些设置，关键内容应该在 calc 里面 123456789int __cdecl main(int argc, const char **argv, const char **envp){ ssignal(14, timeout); alarm(60); puts("=== Welcome to ...

[pwnable.tw] CVE-2018-1160

发表于2025-09-06|pwnable.tw

1 基本信息1.1 题目信息根据题目可知这是 CVE-2018-1160 的漏洞复现及利用，提供了 binary、配置文件以及 2 个库 12345678(base) secreu@Vanilla:~/netatalk$ tree.├── afp.conf├── afpd├── libatalk.so.18└── libc-2.27.so0 directories, 4 files libc 版本是 2.27 12345678910(pwn) secreu@Vanilla:~/netatalk$ ./libc-2.27.soGNU C Library (Ubuntu GLIBC 2.27-3ubuntu1) stable release version 2.27.Copyright (C) 2018 Free Software Foundation, Inc.This is free software; see the source for copying conditions.There is NO warranty; not even for MERCHANTABILITY...

[pwnable.tw] orw

发表于2025-08-14|pwnable.tw

1 程序分析i386 架构，开了 Canary，但是无关紧要，程序逻辑非常简单，就是读一段 shellcode 并运行 12345678int __cdecl main(int argc, const char **argv, const char **envp){ orw_seccomp(); printf("Give my your shellcode:"); read(0, &shellcode, 0xC8u); ((void (*)(void))shellcode)(); return 0;} 但是设置了 seccomp 沙箱，限制了系统调用 123456789101112131415unsigned int orw_seccomp(){ __int16 v1; // [esp+4h] [ebp-84h] BYREF _BYTE *v2; // [esp+8h] [ebp-80h] _BYTE v3[96]; // [esp+Ch] [ebp-7Ch] BYREF unsigned int v4...