Notes on an Interesting VM Pwn Challenge
The highlight of this challenge is that no libc address leak is needed: by steering the program's internal calculations, a precise overwrite can be performed.

radish ➜ nice checksec pwn
[*] '/root/nice/pwn'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled
radish ➜ nice strings pwn | grep "GCC"
GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
radish ➜ nice ./libc-2.27.so
GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1.4) stable release version 2.27.
https://www.anquanke.com/post/id/252550