Challenge info
nc pwn2.jarvisoj.com 9878
NX and Partial RELRO are enabled.
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019051508.jpg)
Static analysis
IDA F5 shows an obvious stack overflow, but the usable overflow region is limited:
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019051509.jpg)
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019051510.jpg)
The binary contains a system function and a '/bin/sh' string, so overwriting the return address to call system('/bin/sh') is enough to get a shell.
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019051511.jpg)
The overall flow is roughly as shown in the figure (image taken from the internet).
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019051512.png)
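The properties the writeup checks by hand (NX, RELRO, PIE, and whether `system` and `/bin/sh` are present) can be read straight out of the ELF headers. The following is an added example, not part of the original writeup or the challenge; it assumes a 64-bit ELF, treats the string scan for `system` as a heuristic rather than a symbol lookup, and builds a constructed minimal ELF image so it runs without the challenge binary.

```python
import struct

PT_GNU_STACK, PT_GNU_RELRO, PF_X, ET_DYN = 0x6474E551, 0x6474E552, 0x1, 3


def triage(blob: bytes) -> dict:
    """Report the hardening properties of a raw ELF64 image (assumes 64-bit)."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2:
        raise ValueError("expected a 64-bit ELF image")
    e_type = struct.unpack_from("<H", blob, 16)[0]
    e_phoff = struct.unpack_from("<Q", blob, 32)[0]
    phentsize, phnum = struct.unpack_from("<HH", blob, 54)
    nx, relro = False, False  # no PT_GNU_STACK means an executable stack on Linux
    for i in range(phnum):
        p_type, p_flags = struct.unpack_from("<II", blob, e_phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        "nx": nx,
        "relro_segment": relro,  # Full vs Partial needs DT_BIND_NOW from .dynamic, not read here
        "pie": e_type == ET_DYN,
        "has_system": b"system\0" in blob,  # heuristic string-table scan, not a symbol lookup
        "has_binsh": b"/bin/sh\0" in blob,
    }


def ret2system_ready(report: dict) -> bool:
    """The combination the writeup relies on: fixed addresses plus system and /bin/sh.
    NX does not matter here because no shellcode is needed; PIE would break it."""
    return (not report["pie"]) and report["has_system"] and report["has_binsh"]


def build_sample(nx: bool, pie: bool, relro: bool) -> bytes:
    """Constructed minimal ELF64 image (header, program headers, a string blob) for the demo."""
    phdrs = [struct.pack("<IIQQQQQQ", PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1,
                              0x400000, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return hdr + b"".join(phdrs) + b"\0system\0/bin/sh\0"


if __name__ == "__main__":
    report = triage(build_sample(nx=True, pie=False, relro=True))
    print(report, "ret2system-ready:", ret2system_ready(report))
```

A binary that reports `ret2system_ready` should be rebuilt with PIE (and ideally Full RELRO) so that `system` and `/bin/sh` no longer sit at fixed addresses.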
Exploit
Building the exploit:

```python
from pwn import *
```

Getting the flag
![](https://raw.githubusercontent.com/zjicmDarkWing/images/master/2019051513.jpg)