pwn — ret2shellcode
2019-03-31
YeeZi_
Ret2shellcode:
As usual, check the binary's protections first: none of them are enabled.
![](https://img.haomeiwen.com/i16737923/a43d9830c52383e7.png)
Open the binary in IDA and look at the main function.
![](https://img.haomeiwen.com/i16737923/b07019b47ae83b34.png)
We find calls to gets and strncpy: the value that gets reads into s is copied into buf2.
![](https://img.haomeiwen.com/i16737923/f3ea102223f804ad.png)
The challenge contains neither system nor any shellcode (shellcode is said to be something that looks like system('/bin/sh')), so we have to write one ourselves (onto the stack).
So let the script generate a shellcode for us: `shellcode = asm(shellcraft.sh())`.
The offset is found to be 112.
![](https://img.haomeiwen.com/i16737923/a6b37adaaa373418.png)
If the generated shellcode is shorter than 112 bytes, pad it with junk characters: `sh.sendline(shellcode.ljust(112, 'a') + <address of the shellcode in the bss section>)`.
We also need to check the permissions of the bss section where the shellcode will be written; use vmmap for this.
![](https://img.haomeiwen.com/i16737923/116c43145c747fc8.png)
The region containing buf2's address has permissions rwxp: readable, writable and executable.
Then we can write the exp with peace of mind.
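The vmmap check above can also be scripted. As an added example (not code from the original post), the following Python parses a `/proc/<pid>/maps` listing, reports every mapping that is both writable and executable (the condition ret2shellcode depends on, and what NX is meant to remove), and looks up which mapping a given data address falls in; the maps text and all addresses in it are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed /proc/<pid>/maps sample; addresses are invented for illustration
# (the post only shows its real vmmap output as a screenshot).
SAMPLE_MAPS = """\
08048000-08049000 r-xp 00000000 08:01 12345 /tmp/ret2shellcode
08049000-0804a000 r--p 00000000 08:01 12345 /tmp/ret2shellcode
0804a000-0804b000 rwxp 00001000 08:01 12345 /tmp/ret2shellcode
0804b000-0806c000 rwxp 00000000 00:00 0 [heap]
f7e00000-f7fa0000 r-xp 00000000 08:01 6789 /lib/i386-linux-gnu/libc.so.6
fffdd000-ffffe000 rwxp 00000000 00:00 0 [stack]
"""

# One maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})"
    r"\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)

def parse_maps(text: str) -> List[Dict]:
    """Parse maps text into dicts with int start/end, perms and path."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:  # skip blank or malformed lines
            regions.append({"start": int(m["start"], 16),
                            "end": int(m["end"], 16),
                            "perms": m["perms"],
                            "path": m["path"].strip()})
    return regions

def wx_regions(regions: List[Dict]) -> List[Dict]:
    """W+X mappings: the W^X violation ret2shellcode relies on; empty under NX."""
    return [r for r in regions if "w" in r["perms"] and "x" in r["perms"]]

def region_for(regions: List[Dict], addr: int) -> Optional[Dict]:
    """Mapping that contains addr (e.g. the address of a .bss buffer like buf2)."""
    for r in regions:
        if r["start"] <= addr < r["end"]:
            return r
    return None

if __name__ == "__main__":
    regs = parse_maps(SAMPLE_MAPS)
    for r in wx_regions(regs):
        print(f"W+X: {r['start']:08x}-{r['end']:08x} {r['perms']} {r['path']}")
    hit = region_for(regs, 0x0804A0A0)  # constructed .bss address
    print("buffer mapping:", hit["perms"] if hit else "unmapped")
```

On a real target, read `/proc/<pid>/maps` of the running process and pass it to `parse_maps`; an empty `wx_regions` result is what you expect from a binary built with NX.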
![](https://img.haomeiwen.com/i16737923/0773fcb93758f68c.png)