-
-
[原创] pwnable.kr -- rest-of-toddler
-
发表于: 2018-1-9 17:18
-
先来一道简单的题目热下身
Here we have a stack address, a heap address and an input
now the code
嘛,这可以算做一个 unlink 的入门练习吧,模仿unlink 的操作
you have three chunk, heap1, which you can overwrite. Heap2, av chunk which will be unlink.
So, 我们的目标就是通过改写 heap2 的 fd以及 bk 来控制执行流
shell is given
所以所需要做的就是控制执行流跳到 shell 函数即可
pwn step is as below
It seems that we need to send a x64 shellcode to read the flag file with the seccomp sandbox
We can only use read, write, and open syscall
and the code
Okay, it is clear now.
You know the file name in /home/asm, the real file is in /home/asm_pwn which need to use the binary to reach.
Now, the exp using pwntools
Well, you need to know the shellshock Vulnerability first.
http://www.freebuf.com/articles/system/45390.html
https://baike.baidu.com/item/Shellshock/15862860?fr=aladdin
You have two file
shellshock
shellshock 会调用 bash binary
嘛,总之就是一个命令执行
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
Okay, I will only do local records.
|
|
|
|
