[BMZCTF-pwn] 12-csaw-ctf-2016-quals hungman
2022-07-06 10:43:00 【Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi】
I guess this challenge is also 2.23 (I am not going to do it: none of the challenges above has a remote environment, and these all seem to have been done already).
This is a silly word game. The data structure looks like this:
- chunk0: the name you enter, at most 0xf8 bytes (it can be smaller)
- Score record: 4-byte score, 4-byte name length, 8-byte pointer to the name chunk0
- A random string as long as the name
You enter your name first, the program then generates a random string of the same length and waits for you to guess characters; every matching character scores, and since there are only 26 letters, entering all of them is bound to match. When the high score record is exceeded you are allowed to change the name (this is where the overflow is):
```c
puts("High score! change name?");
__isoc99_scanf(" %c", &v3);
if ( v3 == 121 )                      /* 'y' */
{
    s = malloc(0xF8uLL);
    memset(s, 0, 0xF8uLL);
    v8 = read(0, s, 0xF8uLL);         /* reads up to 0xF8 bytes, whatever the name length */
    *(_DWORD *)(a1 + 4) = v8;         /* stored name length is overwritten before the copy */
    v14 = strchr((const char *)s, 10);
    if ( v14 )
        *v14 = 0;
    memcpy(*(void **)(a1 + 8), s, v8); /* when the name is shorter than 0xF8, an 0xF8-byte input overflows the name chunk into the record */
    free(s);
}
```
The overflow reaches the record, so the name pointer is easy to control.
First overflow and overwrite the pointer with the address of a GOT entry; the subsequent output prints the value stored there, which leaks a libc address.
The question is which entry to write. Judging from the later function calls, snprintf and strchr are usable; after looking at the original writeup I used libc_start_main.
strchr is used only once here, so after leaking libc change it to system and enter /bin/sh the next time.
After libc_start_main come gmon_start and memcpy; write /bin/sh\0, 0, system here. In effect system overwrites memcpy, and when memcpy is executed its parameter happens to be exactly /bin/sh (this is a coincidence).
If you use snprintf you can also restore the whole GOT table and then write /bin/sh to 602100.
As for printf, I did not try it; writing a one_gadget might also work.
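To make the bug concrete, here is an added example (not the challenge binary's code) that models the name chunk and the score record side by side in one static arena, with the decompiled change-name path beside a bounded version. The 16-byte chunk, the arena layout and the 0xF8-byte input are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Layout modelled on the page: a small name chunk with the score record
 * right after it. Both live in one static arena so the out-of-bounds
 * copy is observable without touching the real heap. */
#define NAME_CAP 16u
#define REC_OFF  NAME_CAP   /* record follows the name chunk */

struct record { uint32_t score; uint32_t name_len; uint64_t name_ptr; };

static unsigned char arena[0x200];   /* constructed: chunk at 0, record at 16 */

static void setup(void) {
    struct record rec = { 0, NAME_CAP, (uint64_t)(uintptr_t)arena };
    memset(arena, 0, sizeof arena);
    memcpy(arena + REC_OFF, &rec, sizeof rec);
}

static uint64_t record_name_ptr(void) {
    struct record rec;
    memcpy(&rec, arena + REC_OFF, sizeof rec);
    return rec.name_ptr;
}

/* Same shape as the decompiled path: the stored length is replaced by the
 * number of bytes read, then all of them are copied into the chunk. */
static void change_name_vuln(const unsigned char *buf, size_t n) {
    struct record rec;
    memcpy(&rec, arena + REC_OFF, sizeof rec);
    rec.name_len = (uint32_t)n;
    memcpy(arena + REC_OFF, &rec, sizeof rec);
    memcpy((unsigned char *)(uintptr_t)rec.name_ptr, buf, n);
}

/* Bounded form: copy no more than the length the record already holds. */
static size_t change_name_fixed(const unsigned char *buf, size_t n) {
    struct record rec;
    memcpy(&rec, arena + REC_OFF, sizeof rec);
    if (n > rec.name_len) n = rec.name_len;
    memcpy((unsigned char *)(uintptr_t)rec.name_ptr, buf, n);
    return n;
}

/* Feed a constructed 0xF8-byte name through either path; returns 1 if
 * the record's name pointer is unchanged afterwards. */
int pointer_intact(int use_fix) {
    unsigned char input[0xF8];
    memset(input, 'A', sizeof input);
    setup();
    uint64_t before = record_name_ptr();
    if (use_fix) change_name_fixed(input, sizeof input);
    else         change_name_vuln(input, sizeof input);
    return record_name_ptr() == before;
}
```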