StarCTF 栈溢出 Level5.0-Oneshot

程序代码

// Decompiler (IDA) pseudocode of the challenge's vulnerable function.  The
// `// [esp+..] [ebp-..]` annotations are the frame layout and are the point
// of the listing, so the code is kept exactly as decompiled.
//
// Frame, from the annotations: s at ebp-0x4C, v3 at ebp-0x2C, v4 (the stack
// canary copy) at ebp-0xC.  The memset below zeroes 0x40 bytes starting at s,
// i.e. exactly [ebp-0x4C, ebp-0xC), which ends where v4 begins; v3 lies 0x20
// bytes into that region.
//
// Both get_line() calls are unbounded writes (get_line takes no length and
// stores no terminator), so neither &v3 (0x20 bytes below the canary) nor
// &s (0x40 bytes below it) is a safe destination.
//
// Returns: the gs:0x14 canary XOR the copy saved on entry -- zero when the
// canary is intact.  The non-zero path (presumably __stack_chk_fail) is not
// shown in this listing.
unsigned int stackoverflow()
{
  char v0; // ST04_1 -- never assigned in this function; see the printf below
  char s; // [esp+Ch] [ebp-4Ch] -- first byte of the 0x40-byte region memset clears
  int v3; // [esp+2Ch] [ebp-2Ch] -- name buffer, 0x20 bytes below the canary copy
  unsigned int v4; // [esp+4Ch] [ebp-Ch] -- saved stack canary

  v4 = __readgsdword(0x14u); // save the canary for the check at return
  memset(&s, 0, 0x40u); // zero-fills up to, but not including, v4
  // printf is invoked through a cast with an extra argument v0 that is never
  // written; in real C reading it would be UB, here most likely an artefact
  // of how the decompiler rendered the argument slot.
  ((void (__cdecl *)(const char *, char))printf)("What's your name?", v0);
  get_line(&v3); // unbounded read into v3; get_line never stores a NUL
  // %s prints from &v3 until the first zero byte.  get_line wrote no
  // terminator, so the print only stops because memset zeroed the bytes
  // after the input; if all 0x20 bytes of v3 are filled with non-zero data,
  // the print continues into v4 -- the canary leak the write-up relies on.
  // A bounded read that always terminates would remove both this over-read
  // and the overflow.
  printf("%s,let's make stackoverflow great again!\n", (unsigned int)&v3);
  get_line(&s); // second unbounded read, now from ebp-0x4C, 0x40 bytes below v4
  return __readgsdword(0x14u) ^ v4; // canary check: 0 means unchanged
}
// Reads bytes from fd 0 one at a time into the buffer at a1 until read()
// returns <= 0 (EOF or error) or a newline (0xA) arrives.  The newline is
// consumed but not stored.
//
// a1: destination address (the decompiler typed the pointer as int).
//
// Defects visible in this listing: there is no length parameter and no bound
// on v3, so the write runs as far as the input does; no terminator is ever
// stored, and a 0x00 input byte is stored like any other and does not stop
// the loop; and the caller cannot learn how many bytes arrived, because the
// return value is the canary check rather than a count.  A fixed upper bound
// on v3 plus a trailing NUL would close both the overflow and the %s
// over-read in the caller.
//
// Returns: the gs:0x14 canary XOR the copy saved on entry (0 when intact).
unsigned int __cdecl get_line(int a1)
{
  char v2; // [esp+17h] [ebp-11h] -- one-byte read buffer
  int v3; // [esp+18h] [ebp-10h] -- write index into a1, never bounded
  unsigned int v4; // [esp+1Ch] [ebp-Ch] -- this frame's saved stack canary

  v4 = __readgsdword(0x14u);
  v3 = 0;
  // Stops only on EOF/error or '\n'; every other byte, including 0x00, is stored.
  while ( read(0, (int)&v2, 1) > 0 && v2 != 0xA )
    *(_BYTE *)(a1 + v3++) = v2; // unbounded: a1 + v3 can run past any buffer
  return __readgsdword(0x14u) ^ v4; // canary check for get_line's own frame
}

思路：get_line 对写入长度没有任何限制，也不写入结束符，所以肯定存在溢出；利用第一次溢出（填满 v3 后，printf 的 %s 会继续打印到 canary）来读取 canary，再用第二次溢出来 ROP。
