Integer Overflow 解题讨论 #22
Replies: 3 comments 5 replies
-
|
有人对2.1的dword shoot有想法吗,我已经完成了覆盖flink和blink的步骤,目前在向内存中的某个位置写入read_flag的地址(覆盖flink)这个地方遇到了问题。 |
Beta Was this translation helpful? Give feedback.
-
|
这题手动输入可能确实有点问题,用pwntools在一个payload里面模拟两个输入还是可以过的,看了源码也没弄明白咋回事
…---原始邮件---
发件人: ***@***.***>
发送时间: 2023年11月24日(周五) 中午12:50
收件人: ***@***.***>;
抄送: ***@***.***>;
主题: Re: [HUSTSeclab/software-security-dojo] Integer Overflow 解题讨论 (Discussion #22)
2.0有一个问题,这一题的溢出上限是ffffffffffffffff(16位16进制即64位),但当输入一个16位的16进制数时,下一个输入直接被覆盖了(输入一个数后无法输入下一个),经过摸索后发现,输入一个特定的18位的16进制数可以让i+j的和满足溢出条件(尽管此时只有一个输入)直接得到flag。我认为理想解法应该是溢出到17位的16进制数,但是这样2个输入中至少要有一个16位的16进制数,然而输入16位数时就只能输入一个数,似乎是缓冲区溢出导致的。
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>
|
Beta Was this translation helpful? Give feedback.
-
|
应该就是回车的问题 |
Beta Was this translation helpful? Give feedback.
-
|
有没有同学可以讲下3.0的数是怎么输进去的,尝试了好多种都不对:( |
Beta Was this translation helpful? Give feedback.
-
|
用pwntools |
Beta Was this translation helpful? Give feedback.
-
|
然后注意整数溢出问题 |
Beta Was this translation helpful? Give feedback.
-
|
尝试无果,有无更具体一点的提示:) |
Beta Was this translation helpful? Give feedback.
-
|
看我github |
Beta Was this translation helpful? Give feedback.
-
我们在这里讨论 Integer Overflow 模块中遇到的问题
Beta Was this translation helpful? Give feedback.
All reactions