pwn4fun on pwnable.tw

content

  1. start (Finished on 10/26/2017)

start

overview

just run it,i got:

Obviously,it receives a string and then exit.
here are its assamble:

the function write() is locating at 0x8048087

check the defense method:

So my idea is:input a string to leak the stack addr,then arrange shellcode,when it return run at 0x804809c its next instruction will point to the shellcode.

step

the layout of stack:

as we could see,when i can create a 24bytes-size string as input,the last 4bytes could cover its return addr(at 0xff9e61a8),if i make 0x8048087 cover it,then the function write() can print 20bytes contents from 0xff9e61ac,as the stack show,one of the stack addr(0xff9e61b0) locates at 0xff9e61ac.

exp:

run the exp:

1 thought on “pwn4fun on pwnable.tw

  1. 看 blog 这么流畅,还以为是改成了 Typcho 。。。

    原来只是上了 CDN……

Leave a Comment

电子邮件地址不会被公开。 必填项已用*标注