PWN series: one update a day
Getting Started
First start the machine. After downloading the files it looks like this:
The stack is writable, and this is also a basic challenge.
Run ./gs directly and you will see the following output:
Stack frame layout
| . | <- Higher addresses
| . |
|_____________|
| | <- 64 bytes
| Return addr |
|_____________|
| | <- 56 bytes
| RBP |
|_____________|
| | <- 48 bytes
| target |
|_____________|
| | <- 40 bytes
| alignment |
|_____________|
| | <- 32 bytes
| Buffer[31] |
|_____________|
| . |
| . |
|_____________|
| |
| Buffer[0] |
|_____________| <- Lower addresses
[Addr] | [Value]
-------------------+-------------------
0x00007ffc5a6249d0 | 0x0000000000000000 <- Start of buffer
0x00007ffc5a6249d8 | 0x0000000000000000
0x00007ffc5a6249e0 | 0x0000000000000000
0x00007ffc5a6249e8 | 0x0000000000000000
0x00007ffc5a6249f0 | 0x6969696969696969 <- Dummy value for alignment
0x00007ffc5a6249f8 | 0x00000000deadbeef <- Target to change
0x00007ffc5a624a00 | 0x00005581340cb800 <- Saved rbp
0x00007ffc5a624a08 | 0x00007fc490ffdc87 <- Saved return address
0x00007ffc5a624a10 | 0x0000000000000001
0x00007ffc5a624a18 | 0x00007ffc5a624ae8
After we insert 4 "A"s, (the hex representation of A is 0x41), the stack layout like this:
[Addr] | [Value]
-------------------+-------------------
0x00007ffc5a6249d0 | 0x0000000041414141 <- Start of buffer
0x00007ffc5a6249d8 | 0x0000000000000000
0x00007ffc5a6249e0 | 0x0000000000000000
0x00007ffc5a6249e8 | 0x0000000000000000
0x00007ffc5a6249f0 | 0x6969696969696969 <- Dummy value for alignment
0x00007ffc5a6249f8 | 0x00000000deadbeef <- Target to change
0x00007ffc5a624a00 | 0x00005581340cb800 <- Saved rbp
0x00007ffc5a624a08 | 0x00007fc490ffdc87 <- Saved return address
0x00007ffc5a624a10 | 0x0000000000000001
0x00007ffc5a624a18 | 0x00007ffc5a624ae8
After we insert 4 "B"s, (the hex representation of B is 0x42), the stack layout looks like this:
[Addr] | [Value]
-------------------+-------------------
0x00007ffc5a6249d0 | 0x4242424241414141 <- Start of buffer
0x00007ffc5a6249d8 | 0x0000000000000000
0x00007ffc5a6249e0 | 0x0000000000000000
0x00007ffc5a6249e8 | 0x0000000000000000
0x00007ffc5a6249f0 | 0x6969696969696969 <- Dummy value for alignment
0x00007ffc5a6249f8 | 0x00000000deadbeef <- Target to change
0x00007ffc5a624a00 | 0x00005581340cb800 <- Saved rbp
0x00007ffc5a624a08 | 0x00007fc490ffdc87 <- Saved return address
0x00007ffc5a624a10 | 0x0000000000000001
0x00007ffc5a624a18 | 0x00007ffc5a624ae8
┌─────────────────────────────────────────────────────────────────────────────────────────────────┐
│                                                                                                 │
│ Fill the 32-byte buffer, overwrite the alginment address and the "target's" 0xdeadbeef value.   │
│                                                                                                 │
└─────────────────────────────────────────────────────────────────────────────────────────────────┘
The screenshot is incomplete, so I have pasted the full text above.
Roughly, it says that if you enter 4 A's the start of the buffer becomes 0x41414141, if you enter 4 B's it becomes 0x42424242, and so on.
The task is to make the start of the buffer and the target hold the same value, i.e. we need to input something that makes these two locations match.
Look at the target value.
0xdeadbeef: the conventional idea would be to convert this into a string and type it in, but obviously that is not right.
Converting deadbeef into a string just gives garbage.
Combined with the writable stack we saw earlier, this must be a stack overflow. In other words, we just keep writing until we change the target value so that it matches our starting value. This program is 32-bit, and one row of the stack is 8 characters, so entering 48 identical characters is enough to see it work.
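To make the 48-character count concrete, here is an added example (not from the challenge or the author's writeup) that parses the stack dump printed by ./gs and computes how far each labelled slot lies from the start of the buffer. The dump text is a copy of the one shown above, embedded as a constant; the slot labels ("Start of buffer", "Target to change", ...) are assumed to match the program's output literally.

```python
import re

# Constructed copy of the stack dump that ./gs prints (values copied from the output above).
STACK_DUMP = """\
0x00007ffc5a6249d0 | 0x0000000000000000 <- Start of buffer
0x00007ffc5a6249d8 | 0x0000000000000000
0x00007ffc5a6249e0 | 0x0000000000000000
0x00007ffc5a6249e8 | 0x0000000000000000
0x00007ffc5a6249f0 | 0x6969696969696969 <- Dummy value for alignment
0x00007ffc5a6249f8 | 0x00000000deadbeef <- Target to change
0x00007ffc5a624a00 | 0x00005581340cb800 <- Saved rbp
0x00007ffc5a624a08 | 0x00007fc490ffdc87 <- Saved return address
"""

# One "[Addr] | [Value] <- optional label" row of the dump.
LINE_RE = re.compile(r"^(0x[0-9a-f]+)\s*\|\s*(0x[0-9a-f]+)(?:\s*<-\s*(.*))?$")


def parse_dump(text):
    """Return a list of (address, value, label) tuples, one per dump row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip header / separator lines
        addr, value, label = m.groups()
        rows.append((int(addr, 16), int(value, 16), (label or "").strip()))
    return rows


def slot_offsets(rows, word_size=8):
    """For each labelled slot, give its byte offset from the start of the buffer
    and how many bytes of input are needed to cover that slot completely.
    word_size is 8 because the dump shows 8-byte (64-bit) stack rows."""
    base = next(addr for addr, _, label in rows if label == "Start of buffer")
    offsets = {}
    for addr, _, label in rows:
        if label:
            off = addr - base
            offsets[label] = {"offset": off, "bytes_to_cover": off + word_size}
    return offsets


if __name__ == "__main__":
    for label, info in slot_offsets(parse_dump(STACK_DUMP)).items():
        print(f"{label:26s} offset={info['offset']:3d}  bytes_to_cover={info['bytes_to_cover']}")
```

The target slot starts 40 bytes after the buffer, so 48 bytes of input cover it fully; the saved return address begins 16 bytes further on, which is why overrunning past 56 bytes crashes the program instead of just changing the target.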
Normal input fails:
After the stack overflow succeeds:
But that was local. We need to connect to the server address they give, which is just an nc connection, and then send the payload.
Or simply use the Python script they provide: change the address and the payload and it is done.