Writeup 1. Easy Override Variable 1

Question 1:

NJUPT CGCTF - When did you born?


Analysis 1.0:

Glancing over the given source code, we find that the logic of this program seems wrong.

But how can we get the flag when the logic is wrong?

The key is not the logic but the function 'gets'.

As many of us know, the function 'gets' can lead to a buffer overflow.

Hidden danger from 'gets'

What is Buffer Overflow?

So what we should do is exploit the vulnerability of 'gets' to tamper with the value of student.birth.


Analysis 1.1:

With the help of a decompiler, the general layout of the internal storage can be seen.

As we can see, on the stack the address of 'year' is -0x18 while that of 'name' is -0x20. Consequently we can fill the bytes between 'name' and 'year' and finally override the value of 'year'.

// p32 or p64 can pack the integer.
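As an added example (not code from the writeup or the challenge), here is a C model of the frame layout described above, with the unbounded gets-style read beside a bounded replacement. The struct, the 1926 initial year and the sample line are constructed assumptions, not the challenge's source.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed model of the frame described above: an 8-byte 'name'
 * buffer (-0x20) directly followed by the 4-byte 'year' (-0x18).
 * A struct keeps every write inside one object, so the demonstration
 * is well-defined rather than dependent on the real stack layout. */
struct frame {
    char name[8];
    int32_t year;
};

/* Model of gets(): no bound, so bytes past name[8] land in 'year'.
 * The length is clamped to the struct only to keep the model in-bounds. */
static void unbounded_read(struct frame *f, const char *line, size_t len) {
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy(f, line, len);
}

/* Hardened replacement (what fgets/snprintf give you): the copy is
 * bounded by the buffer size and always NUL-terminated; the rest of
 * the line is dropped instead of spilling into the neighbour. */
static void bounded_read(struct frame *f, const char *line) {
    snprintf(f->name, sizeof f->name, "%s", line);
}

/* Year left in the frame after reading 'line' with each variant.
 * 1926 is a constructed placeholder for the program's initial value. */
int year_after_unbounded(const char *line, size_t len) {
    struct frame f = { "", 1926 };
    unbounded_read(&f, line, len);
    return f.year;
}

int year_after_bounded(const char *line) {
    struct frame f = { "", 1926 };
    bounded_read(&f, line);
    return f.year;
}

int main(void) {
    /* Constructed 12-byte line: 8 bytes fill 'name', 4 more reach 'year'. */
    const char line[] = "AAAAAAAABBBB";
    printf("unbounded: year = 0x%x\n",
           (unsigned)year_after_unbounded(line, sizeof line - 1));
    printf("bounded:   year = %d\n", year_after_bounded(line));
    return 0;
}
```

Any line longer than the 8-byte buffer silently rewrites 'year' in the unbounded variant, while the bounded variant only ever truncates the name.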


Exploit 1:


Thanks

C0ss4ck

2018/1/19/22:39
