Writeup1.EasyOverrideVariable1
2018-01-18 本文已影响0人
C0ss4ck
Question1:
Analysis1.0:
Glancing over the source code given , we shall find that the logic of this program seems wrong .
![](https://img.haomeiwen.com/i9987017/dda592deec4c9f91.png)
But how can we get the flag in a wrong logic?
The key is not logic but the function 'gets' .
As is known to many of us , function 'gets' may lead to Buffer Overflow.
So what we should do is exploit the vulneribility of 'gets' to tamper the value of student.birth.
Analysis1.1:
With the help of decompiler , the general situation of internal storage can be detected.
![](https://img.haomeiwen.com/i9987017/4f15df0e52891919.png)
As we can see , on the stack , the address of 'year' is -0x18 while that of 'name' is -0x20. Consequently we could cover the address between 'year' and 'name' ,finally override the value of 'year'.
//p32 or p64 can pack the integer.
Exploit1:
![](https://img.haomeiwen.com/i9987017/7dea5dbb1624eeb2.png)
Thanks
C0ss4ck
2018/1/19/22:39