Challenge info
nc pwn2.jarvisoj.com 9881
Only NX is enabled
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019051501.jpg)
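The "only NX" finding above comes from checksec, which reads the ELF program headers. As an added example (not part of the original writeup and not the challenge binary), the script below does the same check by hand: NX is derived from the PT_GNU_STACK header's execute bit, PIE from e_type, and RELRO from the presence of PT_GNU_RELRO. Because the real binary is not on this page, the script constructs two minimal synthetic ELF64 images (header plus program headers only, not runnable programs) and checks those; pass a path on the command line to check a real file. It does not check for a stack canary, since that needs the symbol table rather than the program headers.

```python
import struct
import sys

# Constants from the ELF specification
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def parse_elf64(data):
    """Return (e_type, list of program headers) for a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != 2:  # EI_CLASS == ELFCLASS64
        raise ValueError("not a 64-bit ELF image")
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = \
        struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "flags": p_flags})
    return e_type, phdrs


def check_mitigations(data):
    """Report NX / PIE / RELRO the way checksec derives them from program headers."""
    e_type, phdrs = parse_elf64(data)
    by_type = {p["type"]: p for p in phdrs}
    stack = by_type.get(PT_GNU_STACK)
    # A missing PT_GNU_STACK header means the loader falls back to an executable
    # stack on x86, so it is reported as NX disabled, matching checksec.
    nx = stack is not None and not (stack["flags"] & PF_X)
    return {
        "NX": nx,
        "PIE": e_type == ET_DYN,
        "RELRO": PT_GNU_RELRO in by_type,
    }


def build_synthetic_elf64(e_type, stack_flags, with_relro):
    """Constructed sample image for this example: ELF header followed by program
    headers, with no code or sections. It is only meant to be parsed, not run."""
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000),
             (PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)]
    if with_relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0x600000, 0x600000, 0x100, 0x100, 1))
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, LE, version 1
    header = e_ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0x400000,
                                   64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return header + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)


def describe(name, data):
    m = check_mitigations(data)
    flags = ", ".join(f"{k}={'on' if v else 'off'}" for k, v in m.items())
    return f"{name}: {flags}"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(describe(sys.argv[1], f.read()))
    else:
        # Same profile as the challenge binary: NX only (RW stack, ET_EXEC, no RELRO)
        print(describe("nx-only", build_synthetic_elf64(ET_EXEC, PF_R | PF_W, False)))
        # Fully hardened profile for comparison
        print(describe("hardened", build_synthetic_elf64(ET_DYN, PF_R | PF_W, True)))
```

The NX-only profile is exactly what makes a ret2text plan viable here: the return address can be redirected into existing code because PIE is off, and a non-executable stack does not matter when no shellcode is placed on it.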
Static analysis
IDA F5 (decompile) shows an obvious stack overflow
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019051502.jpg)
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019051503.jpg)
system is present in the imports, and a built-in callsystem function sits right above vuln in .text
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019051504.jpg)
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019051505.jpg)
That makes it simple: overwrite the return address with the address of callsystem to get a shell directly
Exploit
offset = 136 = 0x80 + 8
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019051506.jpg)
Build the exploit
```python
from pwn import *
```
Get the flag
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019051507.jpg)