1000levevls
| ID: | 9152 |
|---|---|
| 标题: | 1000levevls |
| 描述: | None |
| 类型: | Pwn |
| 网站: | XCTF |
| 题目链接: | https://adworld.xctf.org.cn/challenges/list |
| 赛事: | XCTF |
| 年度: | None |
| Flag值: | 1000levevls的解题核心是利用vsyscall固定地址滑过栈并触发one-gadget,关键步骤包括:1)通过hint函数将system地址写入栈;2)构造0x38字节填充+p64(vsyscall)*3的payload覆盖返回地址;3)通过99次正确计算后发送payload触发漏洞 2 3 |
| writeup: |
https://blog.csdn.net/seaaseesa/article/details/102984101 https://blog.csdn.net/weixin_52640415/article/details/123344276 |