From 2b9628e400bdbdc7ac8524f83aeae59fefaa08ea Mon Sep 17 00:00:00 2001 From: RocketDev Date: Wed, 11 Sep 2024 23:35:55 +0800 Subject: [PATCH] complete some excerpt --- source/_posts/ciscn2024/gostack.md | 7 +++++-- source/_posts/dasxmarek2024/alphacode.md | 1 + source/_posts/dasxmarek2024/clock.md | 2 ++ 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/source/_posts/ciscn2024/gostack.md b/source/_posts/ciscn2024/gostack.md index 981a88c..97bb6bc 100644 --- a/source/_posts/ciscn2024/gostack.md +++ b/source/_posts/ciscn2024/gostack.md @@ -1,7 +1,7 @@ --- title: ciscn2024 - gostack date: 2024/5/23 00:47:00 -updated: 2024/7/25 12:34:56 +updated: 2024/9/11 23:35:00 tags: - go - rop @@ -38,7 +38,6 @@ excerpt: 通过栈溢出控制返回地址,利用Go程序的漏洞成功执行 网上很多wp写rop的链子,很怪,程序不是提供了后门吗。。直接把返回地址修改成`&main.main.func2`, 就可以任意执行一个shell命令,输入`cat flag`就可以获得flag -![success](/assets/ciscn2024/success.png) ## EXPLOIT ```python @@ -62,3 +61,7 @@ def payload(lo:int): sh.interactive() ``` + +{% note default fa-flag %} +![success](/assets/ciscn2024/success.png) +{% endnote %} diff --git a/source/_posts/dasxmarek2024/alphacode.md b/source/_posts/dasxmarek2024/alphacode.md index f552c41..5975457 100644 --- a/source/_posts/dasxmarek2024/alphacode.md +++ b/source/_posts/dasxmarek2024/alphacode.md @@ -2,6 +2,7 @@ title: DASCTF2024八月开学季 - alphacode date: 2024/09/05 00:12:00 updated: 2024/09/11 23:05:00 +excerpt: 使用`sendfile`系统调用,通过异或解码与`imul`绕过 shellcode 字符限制,逐字节输出flag。 tags: - shellcode --- diff --git a/source/_posts/dasxmarek2024/clock.md b/source/_posts/dasxmarek2024/clock.md index 2d972c1..317959f 100644 --- a/source/_posts/dasxmarek2024/clock.md +++ b/source/_posts/dasxmarek2024/clock.md @@ -2,8 +2,10 @@ title: DASCTF2024八月开学季 - clock date: 2024/09/05 00:15:00 updated: 2024/09/13 19:49:00 +excerpt: 通过`vsnprintf`格式化漏洞,利用`%*c%6$lln`覆盖`puts@got`为堆地址,执行自定义shellcode。 tags: - fmt-string + - tricks --- {% note green fa-heart %}
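Review bot: the subject "complete some excerpt" does not cover what the gostack.md hunks do: this first hunk only bumps `updated` to 2024/9/11 23:35:00, and the later ones relocate the success screenshot; no excerpt in gostack.md changes. Either extend the subject (e.g. "complete some excerpts; move gostack screenshot into a note block") or split the gostack.md edits into their own commit so the history stays searchable.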
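Review bot: the new `{% note default fa-flag %}` wrapper around the re-added screenshot uses a different note style from the `{% note green fa-heart %}` block visible in clock.md; pick one style for result screenshots across posts. The extra `+` blank line after the closing ``` fence is fine, but check that the file ends with exactly one newline after `{% endnote %}` so the renderer does not emit a trailing empty paragraph.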
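Review bot: `updated: 2024/09/11 23:05:00` is left untouched in alphacode.md even though this hunk changes the post's excerpt, while gostack.md in the same commit bumps its `updated` field; for consistency bump it here to the actual edit time (the commit is dated 23:35:55 +0800).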
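Review bot: the context line `updated: 2024/09/13 19:49:00` is two days after this commit's own date (Wed, 11 Sep 2024 23:35:55 +0800), so clock.md already carries a future timestamp; correct it to the real edit time so post ordering by `updated` is not skewed. The added `- tricks` tag appears nowhere else in the patch; confirm it matches an existing tag name (spelling and case) so it does not create a single-post tag page.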