Hacking Book | Free Online Hacking Learning


stack overflow learning notes

Posted by agaran at 2020-02-27

The challenge files are linked below:

https://pan.baidu.com/s/1mhvvany password: bwsn

This is partly a summary and partly a backup. I'm ashamed to say that all the ideas came from master 7o8v; many thanks to master 7o8v for the help.

Problem: I failed to reproduce master "steamed rice"'s "Learn ROP step by step". I guess it is a stack problem; I called start to restore the stack.

Here is a more detailed analysis that I found:

http://www.purpleroc.com/md/[email protected]

0x01 pwn1

This challenge was left to me by master 7o8v. In particular, this binary is statically linked, so it's GG. Because the source code is available, I ran checksec directly: the stack is executable.

My first idea was simply to ret to a jmp esp and put the shellcode after the return address. It turned out the input is not long enough, GG.


Master 7o8v told me the idea (frame faking): ret to the jmp esp instruction so that I land on the stack, then arrange a suitable sub esp on the stack, and then jmp esp again.


My failed idea was to find suitable or similar data in a register, then modify the register and use a jmp register gadget. But there was no suitable gadget.


Later, I wanted to leak the stack address by ret'ing to printf and then ret'ing back to main; that way the stack address can be calculated.


Because of the input length limit, that also failed. The exp is as follows:

0x02 pwn2

This challenge was left to me by master 7o8v. Opening it in IDA, there are two vulnerabilities.


The routine is to run checksec. It turns out only NX is enabled; in fact, a canary is set manually in the function.


Format string approach

The address read+35 is left on the stack. We only need %p to get the address of the read function and then calculate the address of system.


The format string in this challenge is not on the stack but in the .bss section.


The boss told me to use a springboard: a pointer on the stack that points back into the stack. The first thing I thought of was EBP. Anyway, it was not a remote machine.


In fact, it would be better to write two bytes; well, laziness. Then I modify main's EBP to point to the GOT entry of puts and use %n to change that GOT entry to point to system. That way, the next puts("/bin/sh") becomes system("/bin/sh").


The exp is as follows:

Stack overflow

This is what master 7o8v showed me. It really changed my view of stack overflows.

First, we brute-force the value of the canary. Then use '\x00' to make the login succeed.


Then enter leavemsg and type a single 'a', which overwrites exactly the '\x00' at the start of the payload above, so strcpy copies an arbitrary length.


This overwrites the function's return address. Finally, sendline('0') triggers it.

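The defect behind this step is a copy that trusts a terminator which a later one-byte write has removed. As an added example (not the author's exploit script and not the challenge's code), here is the defensive form in C: a bounded copy that treats the source as possibly unterminated and refuses it rather than running off the end; the buffer sizes and the login/leavemsg sequence are assumptions modelled on the write-up.

```c
#include <stddef.h>
#include <string.h>

#define MSG_MAX 32   /* assumed size of the stored message buffer */

/* Length of src, but never looking past srcsz bytes (unlike strlen). */
static size_t bounded_len(const char *src, size_t srcsz)
{
    size_t n = 0;
    while (n < srcsz && src[n] != '\0')
        n++;
    return n;
}

/* Copy src into dst. src is a buffer of srcsz bytes that is NOT assumed to be
 * NUL-terminated. Returns the number of bytes copied, or -1 when src has no
 * terminator within srcsz or would not fit in dst. dst is always terminated. */
static int copy_msg_safe(char *dst, size_t dstsz, const char *src, size_t srcsz)
{
    if (dstsz == 0)
        return -1;
    size_t n = bounded_len(src, srcsz);
    if (n == srcsz || n >= dstsz) {   /* unterminated, or too long for dst */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

/* Replays the sequence from the write-up: login() stores a message beginning
 * with '\0', then leavemsg() overwrites that first byte. With a bounded copy
 * the second call is rejected instead of copying past the buffer. */
static int demo_terminator_overwrite(void)
{
    char stored[MSG_MAX];
    char out[16];
    memset(stored, 'A', sizeof stored);   /* constructed filler, no NUL inside */
    stored[0] = '\0';                     /* the '\x00' that made login succeed */
    int before = copy_msg_safe(out, sizeof out, stored, sizeof stored);  /* 0  */
    stored[0] = 'a';                      /* leavemsg's single byte */
    int after = copy_msg_safe(out, sizeof out, stored, sizeof stored);   /* -1 */
    return before == 0 && after == -1;
}
```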

The exp is as follows:

0x03 summary

1. My understanding of the knowledge points is not deep enough. I spent a month trying to overflow scanf("%d") and trying to modify EIP with a format string vulnerability [laughing and crying].


2. From master 7o8v's exp, I learned that a stack overflow does not only happen at the input.

3. One minute on stage takes ten years of practice off stage.

0x04 references