Skip to content

Commit

Permalink
add some illustration about exploit
Browse files Browse the repository at this point in the history
  • Loading branch information
@RocketMaDev
RocketMaDev committed Feb 28, 2024
1 parent 9bb7391 commit dba1988
Show file tree
Hide file tree
Showing 2 changed files with 28 additions and 0 deletions.
28 changes: 28 additions & 0 deletions Readme.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,34 @@
32位汇编后长20B
64位汇编后长22B

## 关于exp

除了最开始的几个新手赛的exp以外,其他的exp全都是按以下方式运行:

1. 运行`ipython`
2. 使用`%load xxx.py`加载exp
3. 运行`payload(lo)`来运行exp

关于`lo`有这样一些约定俗成的规律:

1. `lo == 0`: 打远程
2. `lo != 0`: 打本地的样本
3. `lo & 0b10`: 启动gdb附加调试器
4. `lo & 0b100`: 输入需要爆破的地址(一般是直接从gdb中拿,避免打本地时还需要反复爆破)

例子: `payload(1)`是不开gdb,直接打本地;`payload(2)`是启动gdb打本地;`payload(6)`是启动gdb打本地并输入本地偏移
(如果有相关代码);使用`while payload(0): pass`可以一直打远程直到爆破成功

实操如下:

![example](./assets/expnote.png)

这种方法的优点是适合命令行熟练并且使用tmux + vim套件的人高效运行代码,而且遇到什么错误时,往往tube还没关闭,
可以很方便地使用`sh.recv()`来知晓剩下的错误信息(如果有),还可以跑一些python运算,如`hex(0x37 ^ 0x69)`

缺点就是调试过程中出错需要自己close对象,如果忘记,那么推出ipython的时候就会有一堆的进程结束,此外,
门槛相较双击运行也稍高一番

## Copyright

Distributed under CC BY-NC 4.0
Expand Down
Binary file added assets/expnote.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.

0 comments on commit dba1988

Please sign in to comment.